Bug #50005 Throwing through Reflection modified Exception object makes segmentation fault
Submitted: 2009-10-26 21:23 UTC
Modified: 2009-11-12 00:12 UTC
From: arturas dot moskvinas at gmail dot com
Assigned: felipe (profile)
Status: Closed
Package: Reproducible crash
PHP Version: 5.2, 5.3.0, 6
OS: Centos 5.3 Final 64bit
Private report: No
CVE-ID: None
 [2009-10-26 21:23 UTC] arturas dot moskvinas at gmail dot com
Description:
------------
Throwing a Reflection-modified Exception (or any other Exception type) object makes PHP segfault when the file property is set to null.



Reproduce code:
---------------
<?php
$e = new Exception();
$reflection = new ReflectionObject($e);
$property = $reflection->getProperty("file");
$property->setAccessible(true);
$property->setValue($e, null);
throw $e;
?>

Expected result:
----------------
PHP Fatal error:  Uncaught exception 'Exception' in null:xx

Actual result:
--------------
Segmentation fault

 [2009-10-26 22:22 UTC] johannes@php.net
(dbx) where 
current thread: t@1
  [1] strlen(0x0, 0x0, 0x44, 0xfefefefefefefeff, 0x0, 0x4000), at 0xfffffd7fff18d520 
  [2] strdup(0x0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0xfffffd7fff1ccf78 
  [3] php_error_cb(0x0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0x894252 
=>[4] zend_error_va(type = 1, file = (nil), lineno = 2U, format = 0xcf5f12 "Uncaught %s\n  thrown", ...), line 749 in "zend_exceptions.c"
  [5] zend_exception_error(exception = 0xd6a890, severity = 1), line 789 in "zend_exceptions.c"
  [6] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ...), line 1212 in "zend.c"
  [7] php_execute_script(primary_file = 0xfffffd7fffdff780), line 2226 in "main.c"
  [8] main(argc = 1, argv = 0xfffffd7fffdff858), line 1190 in "php_cli.c"

 [2009-11-05 14:50 UTC] kalle@php.net
I cannot reproduce this using VC9 TS builds on Windows, using 5.3.0 and 5.3.2-dev:

C:\php>php -v
PHP 5.3.2-dev (cli) (built: Nov  5 2009 15:19:54)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies

C:\php>php bug50005.php

Fatal error: Uncaught exception 'Exception' in :2
Stack trace:
#0 {main}
  thrown in (null) on line 2

 [2009-11-05 19:41 UTC] arturas dot moskvinas at gmail dot com
Probably the strdup or strlen implementation on Windows differs from Linux.
Here is one possible fix patch (against the 5.3.0 release):
--- php-5.3.0.orig/main/main.c	2009-06-04 10:41:01.000000000 +0300
+++ php-5.3.0/main/main.c	2009-10-30 17:49:40.000000000 +0200
@@ -865,7 +865,10 @@
 		}
 		PG(last_error_type) = type;
 		PG(last_error_message) = strdup(buffer);
-		PG(last_error_file) = strdup(error_filename);
+		if (error_filename)
+		{
+		    PG(last_error_file) = strdup(error_filename);
+		}
 		PG(last_error_lineno) = error_lineno;
 	}
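Review bot: In the main.c hunk, when error_filename is NULL the new guard skips the assignment entirely, so PG(last_error_file) is not updated while PG(last_error_type), PG(last_error_message) and PG(last_error_lineno) are, and the stored file name can then belong to a different error than the other three fields. Add an else branch that sets PG(last_error_file) to NULL or to a fixed placeholder string so the record stays consistent. Style: the added strdup line is indented with spaces after the tabs, unlike the tab-indented context lines around it.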
 [2009-11-12 00:10 UTC] svn@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=290567
Log: - Fixed bug #50005 (Throwing through Reflection modified Exception object makes segmentation fault)
 [2009-11-12 00:12 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the patch, but I've committed a bit different fix avoiding this '(null)' in the message.
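
A null-safe version of the error-state update discussed in this thread, as an added C example that is neither PHP's code nor the committed fix: the `last_error` struct, `dup_or`, `record_last_error` and the `"Unknown"` placeholder are all hypothetical. It replaces every field together, so a NULL file name neither reaches `strlen` nor leaves an earlier error's file name behind.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the PG(last_error_*) fields in the patch. */
struct last_error {
    int type;
    char *message, *file;
    unsigned lineno;
};
#define UNKNOWN_FILE "Unknown" /* assumed placeholder, not from PHP source */

/* Copy s, or fallback when s is NULL (strdup(NULL) is undefined behaviour). */
static char *dup_or(const char *s, const char *fallback)
{
    const char *src = s ? s : fallback;
    size_t n = strlen(src) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, src, n);
    return p;
}

/* Replace every field together; on allocation failure return -1, no change. */
int record_last_error(struct last_error *le, int type, const char *message,
                      const char *file, unsigned lineno)
{
    char *m = dup_or(message, "");
    char *f = dup_or(file, UNKNOWN_FILE);
    if (!m || !f) {
        free(m);
        free(f);
        return -1;
    }
    free(le->message); /* release the previous error's strings */
    free(le->file);
    le->type = type;
    le->message = m;
    le->file = f;
    le->lineno = lineno;
    return 0;
}

int main(void)
{
    struct last_error le = {0};
    int rc = record_last_error(&le, 1, "Uncaught exception", NULL, 2);
    int ok = rc == 0 && strcmp(le.file, UNKNOWN_FILE) == 0;
    free(le.message);
    free(le.file);
    return ok ? 0 : 1;
}
```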
 
Last updated: Sat Dec 21 11:01:30 2024 UTC