php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77359 spl_autoload causes segfault
Submitted: 2018-12-27 13:55 UTC Modified: 2018-12-27 14:22 UTC
From: lauri dot kentta at gmail dot com Assigned: nikic (profile)
Status: Closed Package: SPL related
PHP Version: 7.3.0 OS: Linux
Private report: No CVE-ID: None
 [2018-12-27 13:55 UTC] lauri dot kentta at gmail dot com
Description:
------------
The function spl_autoload converts class name to lower case and later tries to free this string. However, if it's already in lower case, it's not copied, but the reference count is incremented instead. Then zend_string_free is called, but this function can only be used if the reference count is 1 (or 0) and otherwise leads to use-after-free (or failed assertion).

Looks like blame goes to commit 084c17fe0b68d391467fd48a14433443d4fcba81 (Dmitry Stogov <dmitry@zend.com>). Cases of zend_str_tolower_copy were converted to zend_string_tolower to avoid reallocations, but at least in this case, freeing was not fixed accordingly.

Test script:
---------------
<?php
$a = md5(""); # Create a non-interned string.
spl_autoload($a); # Invalid free.
spl_autoload($a); # Use after free.
echo "{$a} + foo\n"; # Use after free.
# Notice how "foo" is not printed even if the code does not crash.
# Run it a few times to get a crash.
?>

Expected result:
----------------
No crash, full output.

Actual result:
--------------
Crash or truncated output.

Patches

0001-Fix-77359-spl_autoload-causes-segfault.txt (last revision 2018-12-27 14:03 UTC by lauri dot kentta at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-27 14:22 UTC] nikic@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: nikic
 [2018-12-27 14:30 UTC] nikic@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=89bf3df67d0f0ba3090b273d1b1b9fba9514a62d
Log: Fix #77359: spl_autoload causes segfault
 [2018-12-27 14:30 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 12:05 UTC] cmb@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d638d0880b6f759706ca46da8e6f7a5d8728959
Log: Fix #77359: spl_autoload causes segfault
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC