|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2021-09-13 12:15 UTC] bwoebi@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: bwoebi
[2021-09-13 14:17 UTC] git@php.net
[2021-09-13 14:17 UTC] git@php.net
-Status: Assigned
+Status: Closed
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Feb 22 17:01:28 2025 UTC |
Description: ------------ Observer current_observed_frame is unconditionally updated to prev_execute_data. However prev_execute_data may point to an unobserved function, causing current_observed_frame not to be updated until another observed function ends. Thus current_observed_frame may point to some already left unobserved function, which may already have been overwritten. Test script: --------------- Installing observers on a and d, <?php ini_set("memory_limit", "20M"); function d() {} // observed function c() { // gets prev_execute_data after end of d() d(); } function b() { c(); } function bailout(...$args) { array_map("str_repeat", ["\xFF"], [100000000]); } function a() { // observed (first_observed_frame) b(); bailout(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); // overwrite the vm_stack containing prev_execute_data } a(); Expected result: ---------------- No crash. Actual result: -------------- Crash, with current_observed_frame pointing to something not being a valid frame on the vm_stack: (gdb) bt #0 0x0000000012cd24c9 in zend_observer_fcall_end_all () at /usr/src/debug/php-8.0.10/Zend/zend_observer.c:235 #1 0x0000000012be059b in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/src/debug/php-8.0.10/main/main.c:1777