php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35229 call_user_func() crashes when arguement_stack is nearly full
Submitted: 2005-11-15 17:48 UTC Modified: 2005-11-16 10:45 UTC
From: segv74 at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2005-11-15 (snap) OS: linux
Private report: No CVE-ID: None
 [2005-11-15 17:48 UTC] segv74 at gmail dot com
Description:
------------
call_user_func() can be creahed when argument_stack in executor_globals is nearly full and callback function is autoloaded after call_user_func() is called.

in PHP_FUNCTION(call_user_func),
it saves params from argument_stack, and calls zend_is_callable().
so, if zend_is_callable() calls __autoload() and __autoload() uses function calls heavily, argument_stack in executor_globals is realloced(zend_stack.c:173).

in this case, saved params should be rewritten by newly alloced one.


Reproduce code:
---------------
=== test.php ===
<?
function __autoload($class)
{
  include 'test1.php';

  call_user_func(array('test1', 'use_stack'),
    1,2,3,4,5,6,7,8,9,10,
    11,12,13,14,15,16,17,18,19,20,
    21,22,23,24,25,26,27,28,29,30,
    31,32,33,34,35,36,37,38,39,40
  );
}

call_user_func(array('test1', 'use_stack'),
  1,2,3,4,5,6,7,8,9,10,
  11,12,13,14,15,16,17,18,19,20,
  21,22,23,24,25,26,27,28,29,30,
  31,32,33,34,35,36,37,38,39,40
);

== test1.php ==
<?
class test1
{
  function use_stack($a1,$a2,$a3,$a4,$a5,$a6,$a7,$a8,$a9,$a10,
    $a11,$a12,$a13,$a14,$a15,$a16,$a17,$a18,$a19,$a20,
    $a21,$a22,$a23,$a24,$a25,$a26,$a27,$a28,$a29,$a30,
    $a31,$a32,$a33,$a34,$a35,$a36,$a37,$a38,$a39,$a40)
  {
    echo "OK\n";
  }
}


Expected result:
----------------
OK

Actual result:
--------------
OK
Segmentation fault (core dumped)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-11-15 18:09 UTC] sniper@php.net
So increase your stack?

 [2005-11-15 21:33 UTC] segv74 at gmail dot com
I changed PHP_FUNCTION(call_user_func) to call  zend_get_parameters_array_ex() again after calling zend_is_callable() to fix this problem.
 [2005-11-15 22:59 UTC] sniper@php.net
Dmitry, please check this out.
 [2005-11-16 10:45 UTC] dmitry@php.net
The reason of the crash is reallocation of argument_stack.

This crash is fixed in CVS HEAD, PHP_5_1 and PHP_5_0, but we need find general solution (simular crashes can occurs in other functions) for HEAD that will prevent argument_stack reallocation.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC