php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50006 Segfault caused by uksort() (PHP_5_2 only!)
Submitted: 2009-10-26 22:20 UTC Modified: 2009-11-29 08:37 UTC
From: remus at gmx dot net Assigned: felipe (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.2-SVN-2009-10-26 OS: *
Private report: No CVE-ID: None
 [2009-10-26 22:20 UTC] remus at gmx dot net
Description:
------------
Seems to be the same problem as in #40039. In (very) specific circumstances, uksort() will lead to a segmentation fault.
The Reproduce code worked on two entirely different computers for me, I couldn't test on more.

php compiled with:

$ ./configure --disable-libxml --disable-dom --disable-simplexml --disable-xmlwriter --disable-xml --disable-xmlreader --without-pear --enable-debug

But bug obviously exists in other versions/configurations, too (with same trigger).

Reproduce code:
---------------
<?php
$data = array(
    'bar-bazbazbaz.' => 0,
    'bar-bazbazbaz-' => 0,
    'foo' => 0,
);
uksort($data, 'magic_sort_cmp');
print_r($data);

function magic_sort_cmp($a, $b) {
  $a = substr($a, 1);
  $b = substr($b, 1);
  if (!$a) return $b ? -1 : 0;
  if (!$b) return 1;
  return magic_sort_cmp($a, $b);
}

?>

Expected result:
----------------
The array is output in the same order as defined.

Actual result:
--------------
Segmentation fault

Backtrace:

#0  0x0824a33b in zend_call_function (fci=0xbf9e6f74, fci_cache=0x0)
    at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:696
#1  0x0824b7b0 in call_user_function_ex (function_table=0x8488460, 
    object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xbf9e6fd8, 
    param_count=2, params=0x851dbbc, no_separation=1, symbol_table=0x0)
    at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:640
#2  0x0824b818 in call_user_function (function_table=0x8488460, object_pp=0x0, 
    function_name=0x0, retval_ptr=0xbf9e700c, param_count=2, params=0xbf9e701c)
    at ~/tmp/php/php-5.2.11/Zend/zend_execute_API.c:613
#3  0x081a2b3b in array_user_key_compare (a=0x851d520, b=0x851d518)
    at ~/tmp/php/php-5.2.11/ext/standard/array.c:797
#4  0x082684f8 in zend_qsort (base=0x851d518, nmemb=3, siz=4, 
    compare=0x81a2a60 <array_user_key_compare>)
    at ~/tmp/php/php-5.2.11/Zend/zend_qsort.c:86
#5  0x08261434 in zend_hash_sort (ht=0x851d434, 
    sort_func=0x8268390 <zend_qsort>, 
    compar=0x81a2a60 <array_user_key_compare>, renumber=0)
    at ~/tmp/php/php-5.2.11/Zend/zend_hash.c:1282
#6  0x081a5c31 in zif_uksort (ht=2, return_value=0x851d500, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at ~/tmp/php/php-5.2.11/ext/standard/array.c:837
#7  0x08289a6a in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9e732c)
    at ~/tmp/php/php-5.2.11/Zend/zend_vm_execute.h:200
#8  0x08276870 in execute (op_array=0x851b598)
    at ~/tmp/php/php-5.2.11/Zend/zend_vm_execute.h:92
#9  0x08255442 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at ~/tmp/php/php-5.2.11/Zend/zend.c:1134
#10 0x08212b19 in php_execute_script (primary_file=0xbf9e96d8)
    at ~/tmp/php/php-5.2.11/main/main.c:2020
#11 0x082c1fe1 in main (argc=2, argv=0xbf9e97f4)
    at ~/tmp/php/php-5.2.11/sapi/cli/php_cli.c:1162

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-26 22:41 UTC] jani@php.net
See also bug #40039

Note the word 'bug', it will trigger the url to be added automatically. :)
 [2009-10-26 22:45 UTC] jani@php.net
Crashes only with PHP_5_2 branch. PHP_5_3 and HEAD are ok.
 [2009-11-01 17:30 UTC] svn@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=290128
Log: - Fixed bug #50006 (Segfault caused by uksort()) [5_2 only]
 [2009-11-01 17:31 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-11-29 07:58 UTC] stas@php.net
The fix doesn't actually fix the bug, just hides it. Valgrind still shows this:

==17856== Invalid read of size 4
==17856==    at 0x81BEA4B: array_user_key_compare (array.c:799)
==17856==    by 0x82C33E4: zend_qsort (zend_qsort.c:86)
==17856==    by 0x82BA4DD: zend_hash_sort (zend_hash.c:1282)
==17856==    by 0x81BEE0B: zif_uksort (array.c:851)
==17856==    by 0x82D2501: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==17856==    by 0x82D7D7A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82ACFB5: zend_execute_scripts (zend.c:1134)
==17856==    by 0x825B833: php_execute_script (main.c:2035)
==17856==    by 0x83293F6: main (php_cli.c:1162)
==17856==  Address 0x4614410 is 8 bytes inside a block of size 256 free'd
==17856==    at 0x4006C0C: realloc (vg_replace_malloc.c:429)
==17856==    by 0x828F9FF: _erealloc (zend_alloc.c:2319)
==17856==    by 0x82D2B9F: zend_ptr_stack_2_push (zend_ptr_stack.h:73)
==17856==    by 0x82D225A: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:148)
==17856==    by 0x82D7D7A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1740)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82D2670: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==17856==    by 0x82D3157: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)
==17856==    by 0x82D2670: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==17856==    by 0x82D3157: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==17856==    by 0x82D207E: execute (zend_vm_execute.h:92)

 [2009-11-29 08:35 UTC] svn@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&revision=291415
Log: proper fix for bug #50006
add modify protection to all user array sorts
 [2009-11-29 08:37 UTC] stas@php.net
Should be fully fixed now (passes tests and valgrind).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 10:01:29 2024 UTC