Bug #34277 array_filter() crashes with references and objects
Submitted: 2005-08-27 03:44 UTC Modified: 2005-09-12 12:01 UTC
From: andreas dot ettner at freenet dot de Assigned: dmitry (profile)
Status: Closed Package: Arrays related
PHP Version: 4CVS-2005-09-07 OS: *
Private report: No CVE-ID: None
 [2005-08-27 03:44 UTC] andreas dot ettner at freenet dot de
Description:
------------
PHP crashes with a segmentation fault when executing the provided code.  This problem has been observed with various setups.  The provided backtrace of a crash was generated with PHP version 4.4.0 CGI, configured with

'./configure' '--prefix=/home/eta/data/php-4.4.0' '--enable-debug',

compiled and run on a Debian GNU/Linux system with GCC version 3.3.5 and GNU C Library version 2.3.2.  In this setup PHP crashed on every invocation.


In order to facilitate the task of fixing this defect I have tried to find out its reason, and I think I have succeeded:

In the implementation of zif_array_filter (resp. array_filter) in ext/standard/array.c the local variables input and callback are set to point to locations in the elements array of the executor's argument_stack (l. 3312).  Calling the callback later on in zif_array_filter (l. 3340) might cause the elements array of the stack to be moved in memory (through reallocation when growing the stack).  When this happens, the local variables input and callback become invalid (dangling pointers), but are possibly used later on (in l. 3354 in our situation).

I hope this helps.


Reproduce code:
---------------
The code is unfortunately a bit long.  It can be found at http://people.freenet.de/aettner/crash.txt

Expected result:
----------------
No output (CGI version invoked with -q flag)

Actual result:
--------------
Segmentation fault (core dumped)

Backtrace generated with gdb:

Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `php -q crash.txt'.
Program terminated with signal 11, Segmentation fault.
#0  0x081715a9 in _zend_is_inconsistent (ht=0xfb8277dc, 
    file=0x81bd880 "/home/eta/data/src-php-4.4.0/Zend/zend_hash.c", line=1064)
    at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:94
94		if (ht->inconsistent==HT_OK) {
#0  0x081715a9 in _zend_is_inconsistent (ht=0xfb8277dc, 
    file=0x81bd880 "/home/eta/data/src-php-4.4.0/Zend/zend_hash.c", line=1064)
    at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:94
#1  0x08174262 in zend_hash_get_current_key_ex (ht=0xfb8277dc, 
    str_index=0xbfffca6c, str_length=0xbfffca68, num_index=0xbfffca64, 
    duplicate=0 '\0', pos=0xbfffca60)
    at /home/eta/data/src-php-4.4.0/Zend/zend_hash.c:1064
#2  0x080add21 in zif_array_filter (ht=2, return_value=0x821b7d4, 
    this_ptr=0x0, return_value_used=1)
    at /home/eta/data/src-php-4.4.0/ext/standard/array.c:3354
#3  0x0818134a in execute (op_array=0x8220490)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1672
#4  0x08181576 in execute (op_array=0x8220890)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#5  0x08181576 in execute (op_array=0x82209e0)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#6  0x08181576 in execute (op_array=0x8220b30)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#7  0x08181576 in execute (op_array=0x8220c80)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#8  0x08181576 in execute (op_array=0x8217234)
    at /home/eta/data/src-php-4.4.0/Zend/zend_execute.c:1716
#9  0x0816d298 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/eta/data/src-php-4.4.0/Zend/zend.c:938
#10 0x0813707b in php_execute_script (primary_file=0xbffffa10)
    at /home/eta/data/src-php-4.4.0/main/main.c:1751
#11 0x0818820c in main (argc=3, argv=0xbffffac4)
    at /home/eta/data/src-php-4.4.0/sapi/cgi/cgi_main.c:1606

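The mechanism described in the report, a pointer into a growable argument stack going stale when a callback grows that stack, modelled in a small constructed C program. This is an added illustration, not PHP source or the committed fix; `arg_stack`, `stack_push` and `invoke_callback` are hypothetical stand-ins for the executor stack and `call_user_function_ex`.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { long value; } zval_t;                           /* stand-in for a zval */
typedef struct { zval_t *elements; size_t top, cap; } arg_stack; /* hypothetical executor stack */

/* Growing the stack moves `elements`: the new buffer is allocated while the
 * old one is still live, so the base address is guaranteed to change. */
static void stack_push(arg_stack *s, zval_t v) {
    if (s->top == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 2;
        zval_t *n = malloc(ncap * sizeof *n);
        assert(n);
        if (s->top) memcpy(n, s->elements, s->top * sizeof *n);
        free(s->elements);
        s->elements = n;
        s->cap = ncap;
    }
    s->elements[s->top++] = v;
}

/* Stands in for call_user_function_ex: the callee pushes its own arguments. */
static void invoke_callback(arg_stack *s, int nargs) {
    for (int i = 0; i < nargs; i++) stack_push(s, (zval_t){ i });
}

/* Unsafe pattern from the report: a raw pointer into `elements` is cached
 * before the callback runs. Returns 1 when the stack moved, i.e. the cached
 * pointer is dangling and must not be dereferenced. */
static int cached_pointer_is_stale(void) {
    arg_stack s = {0};
    stack_push(&s, (zval_t){ 42 });                /* the `input` argument    */
    stack_push(&s, (zval_t){ 7 });                 /* the `callback` argument */
    uintptr_t cached = (uintptr_t)&s.elements[0];  /* what zif_array_filter kept */
    invoke_callback(&s, 2);                        /* grows 2 -> 4: buffer moves */
    int stale = (uintptr_t)&s.elements[0] != cached;
    free(s.elements);
    return stale;
}

/* Safe pattern: keep an index and re-derive the pointer after each call, or
 * copy the zval by value before the call. Returns input + callback (49). */
static long refetch_after_callback(void) {
    arg_stack s = {0};
    stack_push(&s, (zval_t){ 42 });
    stack_push(&s, (zval_t){ 7 });
    size_t input_idx = 0;
    zval_t callback = s.elements[1];               /* by-value copy survives the move */
    invoke_callback(&s, 2);
    long v = s.elements[input_idx].value + callback.value;  /* re-fetched by index */
    free(s.elements);
    return v;
}
```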

History

 [2005-08-31 10:44 UTC] sniper@php.net
Dmitry, check this out please.
 [2005-09-01 14:02 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_1, PHP_5_0 and PHP_4_4.
 [2005-09-07 12:46 UTC] sniper@php.net
Dmitry, the fix wasn't enough.
This change causes another crash with the PHP_4_4 branch (only):

-  $ret = array_filter(array(0), 'f');
+  $ret = array_filter(array(0, 1), 'f');
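Review bot: the second array element matters because it makes array_filter invoke the callback a second time, and the crash site in the backtrace that follows, call_user_function_ex with function_name=0x80000020, is not a plausible zval address, which indicates the callback pointer used for the second invocation is already stale after the first call grew the argument stack, the same dangling-pointer mechanism the original report describes. The fix needs to hold input and callback in a form that survives reallocation of the stack, for example a by-value copy, or re-derive them from the stack before each invocation rather than relying on pointers taken once.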

Backtrace:
0x082355c7 in call_user_function_ex (function_table=0x9b594b0, object_pp=0x0,
    function_name=0x80000020, retval_ptr_ptr=0xbf8f9120, param_count=1,
    params=0xbf8f9124, no_separation=0, symbol_table=0x0)
    at /usr/src/php/php_4_4/Zend/zend_execute_API.c:443
443             if (function_name->type==IS_ARRAY) { /* assume array($obj, $name) couple */
(gdb) bt
#0  0x082355c7 in call_user_function_ex (function_table=0x9b594b0, object_pp=0x0,
    function_name=0x80000020, retval_ptr_ptr=0xbf8f9120, param_count=1,
    params=0xbf8f9124, no_separation=0, symbol_table=0x0)
    at /usr/src/php/php_4_4/Zend/zend_execute_API.c:443
#1  0x0819be7a in zif_array_filter (ht=2, return_value=0x9c33214, this_ptr=0x0,
    return_value_used=1) at /usr/src/php/php_4_4/ext/standard/array.c:3360
#2  0x08251313 in execute (op_array=0x9c37e78)
    at /usr/src/php/php_4_4/Zend/zend_execute.c:1675
.
.


 [2005-09-12 12:01 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_1, PHP_5_0 and PHP_4_4.