Bug #47948 call_user_func_array() with autoload causes crash
Submitted: 2009-04-11 02:49 UTC
Modified: 2013-02-18 00:33 UTC
Votes: 21
Avg. Score: 4.3 ± 0.9
Reproduced: 16 of 17 (94.1%)
Same Version: 1 (6.2%)
Same OS: 5 (31.2%)
From: ehassler at synapsestudios dot com
Assigned: (none)
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.2.9
OS: *
Private report: No
CVE-ID: None
 [2009-04-11 02:49 UTC] ehassler at synapsestudios dot com
Description:
------------
In Vista with PHP 5.2.6 and 5.2.9 and in CentOS with PHP 5.2.6 we encountered an error where a call_user_func_array() without a class_exists() call before it causes the following error message:

Fatal error: Possible integer overflow in memory allocation (4 * 3080682076 + 0) 

In the windows environment, it just crashes our local instances of Apache, but in Linux we get this error message.

Prefacing the call_user_func_array() with a class_exists() causes the crash/error not to occur.  If we do not preface it, or if we add the extra argument to not autoload, then the crash/error occurs again.

We tried to reproduce the error by having two files, one with the class, the other with an autoload function and the call to call_user_func_array(), and this did NOT cause a crash.  In our environment where the error actually occurred, the autoloaded file would have caused several other classes to autoload, so perhaps this is more relevant to the bug than simple autoloading.

Actual result:
--------------
Fatal error: Possible integer overflow in memory allocation (4 * 3080682076 + 0) in /var/www/phxphp.com/svn/trunk/application/models/upload_type.php on line 49

 [2009-04-12 23:03 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2009-04-16 19:38 UTC] ehassler at synapsestudios dot com
I tried throwing together a chain of call_user_func_array() and autoloads to cause the problem (3 deep), but it didn't.  Thus far the only way I can reproduce the error is through the whole codebase we're working on...  Perhaps I can revisit this at project completion to try and pare down to a usable example script.
 [2009-04-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-12-15 00:47 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-12-15 04:26 UTC] muqker at muqker dot com
Hi.
Here is an example script that reproduces the problem.

http://dell.nba.ro/clienti/muqker/muqker.tar.gz 

Sorry, the code is a bit messy because it is stripped down from a larger project; plus, it seems that the size of the call stack is somehow a factor in reproducing it, so I could not cut more.
Anyway, it's 3 files, 120 lines total, so it should be manageable.
 [2009-12-22 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-01-03 17:09 UTC] muqker at muqker dot com
I see the status has changed to "No Feedback". Is the script I provided to reproduce it not OK? I am sorry, but I do not have a test environment where I can try your snapshot.
 [2010-01-03 20:54 UTC] johannes@php.net
When editing you have to use the "Edit Submission" tab to re-open it.

Are you sure the script you provided is correct? It works for me, as far as I can tell, on 5.2 and 5.3, while there is a warning for a missing parameter:

$ php -n index.php 
<pre>array(7) {
  [0]=>
  array(7) {
    ["file"]=>
    string(47) "/tmp/test47948/muqker/index.php"
    ["line"]=>
    int(41)
    ["function"]=>
    string(1) "f"
    ["class"]=>
    string(1) "A"
    ["object"]=>
    object(A)#2 (0) {
    }
    ["type"]=>
    string(2) "->"
    ["args"]=>
    array(0) {
    }
  }
  [1]=>
  array(7) {
    ["file"]=>
    string(47) "/tmp/test47948/muqker/index.php"
    ["line"]=>
    int(45)
    ["function"]=>
    string(1) "g"
    ["class"]=>
    string(1) "A"
    ["object"]=>
    object(A)#2 (0) {
    }
    ["type"]=>
    string(2) "->"
    ["args"]=>
    array(0) {
    }
  }
  [2]=>
  array(7) {
    ["file"]=>
    string(47) "/tmp/test47948/muqker/index.php"
    ["line"]=>
    int(15)
    ["function"]=>
    string(1) "h"
    ["class"]=>
    string(1) "A"
    ["object"]=>
    object(A)#2 (0) {
    }
    ["type"]=>
    string(2) "->"
    ["args"]=>
    array(0) {
    }
  }
  [3]=>
  array(7) {
    ["file"]=>
    string(47) "/tmp/test47948/muqker/index.php"
    ["line"]=>
    int(19)
    ["function"]=>
    string(2) "zz"
    ["class"]=>
    string(10) "Controller"
    ["object"]=>
    object(Controller)#1 (0) {
    }
    ["type"]=>
    string(2) "->"
    ["args"]=>
    array(0) {
    }
  }
  [4]=>
  array(7) {
    ["file"]=>
    string(47) "/tmp/test47948/muqker/index.php"
    ["line"]=>
    int(23)
    ["function"]=>
    string(10) "executeNew"
    ["class"]=>
    string(10) "Controller"
    ["object"]=>
    object(Controller)#1 (0) {
    }
    ["type"]=>
    string(2) "->"
    ["args"]=>
    array(1) {
      [0]=>
      &NULL
    }
  }
  [5]=>
  array(7) {
    ["file"]=>
    string(47) "/tmp/test47948/muqker/index.php"
    ["line"]=>
    int(59)
    ["function"]=>
    string(13) "executeClient"
    ["class"]=>
    string(10) "Controller"
    ["object"]=>
    object(Controller)#1 (0) {
    }
    ["type"]=>
    string(2) "->"
    ["args"]=>
    array(1) {
      [0]=>
      &NULL
    }
  }
  [6]=>
  array(4) {
    ["file"]=>
    string(47) "/tmp/test47948/muqker/index.php"
    ["line"]=>
    int(62)
    ["function"]=>
    string(4) "main"
    ["args"]=>
    array(0) {
    }
  }
}

Warning: Missing argument 2 for CheckedFacilityPeer::getCheckedFacilities() in /tmp/test47948/muqker/CheckedFacilityPeer.php on line 42
ff

 [2010-01-08 16:27 UTC] muqker at muqker dot com
I didn't know about Edit Submission. However, I did not open this bug, I just had the same problem and tried to provide a script to reproduce it. Should I use that anyway?

Yes, the crash is there. I am getting:

[Fri Jan 08 17:55:49 2010] [notice] child pid 3534 exit signal Segmentation fault (11)

in apache2's error log, and the browser reports that it receives "Error 324 (net::ERR_EMPTY_RESPONSE): Unknown error."

php -n index.php ends with "Segmentation Fault".

If I include explicitly the class that otherwise autoload tries to load, or if I do not use call_user_func_array(), but a normal call, then the crash is gone.

Some system info:
PHP Version: 5.2.6-3ubuntu4.2
Apache Version: Apache/2.2.11 (Ubuntu) DAV/2 SVN/1.5.4 PHP/5.2.6-3ubuntu4.2 with Suhosin-Patch
Apache API Version: 20051115
Loaded Modules: core mod_log_config mod_logio prefork http_core mod_so mod_alias mod_auth_basic mod_authn_file mod_authz_default mod_authz_groupfile mod_authz_host mod_authz_user mod_autoindex mod_cgi mod_dav mod_dav_fs mod_dav_svn mod_authz_svn mod_deflate mod_dir mod_env mod_mime mod_negotiation mod_php5 mod_rewrite mod_setenvif mod_status
Kernel: Linux dufus 2.6.28-16-generic #55-Ubuntu SMP Tue Oct 20 19:48:24 UTC 2009 i686
libc: GNU C Library stable release version 2.9, by Roland McGrath et al.

Let me know if I can provide any other info.
 [2010-01-11 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-02-12 15:31 UTC] janssens dot cyril at gmail dot com
Same problem on Debian 5 32-bit + PHP 5.2.6 when using a recursive call_user_func_array() call.

The workaround is to use an eval statement:

<?php
// Call $object::$method($args...) through eval() instead of call_user_func_array().
function callStaticViaEval($object, $method, array $args)
{
    // Copy each argument into a numbered local ($arg0, $arg1, ...) so the
    // generated call site can refer to it by name.
    $i = 0;
    $strArg = '';
    foreach ($args as $arg) {
        $varname = 'arg' . $i;
        $$varname = $arg;
        $strArg .= '$' . $varname . ',';
        $i++;
    }
    // Drop the trailing comma (substr('') yields false, which stringifies to '').
    $strArg = substr($strArg, 0, -1);
    // Build "$_return = foo::bar($arg0,$arg1,...);" and run it.
    $cmd = '$_return = ' . $object . '::' . $method . '(' . $strArg . ');';
    eval($cmd);

    //Enjoy :-)
    return $_return;
}

// Usage:
$object = 'foo';
$method = 'bar';
$args = array(); // some arguments
$result = callStaticViaEval($object, $method, $args);
?>

Regards,

Cyril
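The two observations in this thread (the original reporter's, that a class_exists() call before call_user_func_array() avoids the crash, and the eval-based workaround in the comment above) can be combined without eval(). The following is an added example, not code from the bug report or from PHP itself; the class Foo, the function dispatchStatic() and the allow list are constructed for illustration. It resolves the class through class_exists() with autoloading enabled first, checks the target with is_callable(), and passes arguments as values rather than splicing them into source text, so a class or method name taken from a request cannot become executable code.

```php
<?php
// Added example (not from the bug report). Assumes PHP 5.2+; Foo, bar and
// the allow list are constructed stand-ins for a real project's classes.

class Foo
{
    public static function bar($a, $b)
    {
        return $a . '-' . $b;
    }
}

/**
 * Call $class::$method with $args, refusing anything outside $allowed.
 *
 * @param string   $class   class name, possibly taken from external input
 * @param string   $method  static method name, possibly taken from external input
 * @param array    $args    positional arguments, passed as values
 * @param string[] $allowed "Class::method" strings that may be dispatched
 * @return mixed
 */
function dispatchStatic($class, $method, array $args, array $allowed)
{
    $target = $class . '::' . $method;

    // 1. Allow list first: decide what may run before touching the autoloader,
    //    so an unexpected name never causes a class file to be loaded.
    if (!in_array($target, $allowed, true)) {
        throw new InvalidArgumentException('Callable not allowed: ' . $target);
    }

    // 2. Resolve the class. class_exists() with autoload=true runs the registered
    //    autoloader, which is the step the original reporter found had to happen
    //    before call_user_func_array().
    if (!class_exists($class, true)) {
        throw new RuntimeException('Unknown class: ' . $class);
    }

    // 3. Confirm the pair really is callable as a static method.
    $callable = array($class, $method);
    if (!is_callable($callable)) {
        throw new RuntimeException('Not callable: ' . $target);
    }

    // 4. No eval(): arguments travel as values, never as source text, so their
    //    contents cannot change which code runs.
    return call_user_func_array($callable, $args);
}

$allowed = array('Foo::bar');

// Permitted target: returns "x-y".
var_dump(dispatchStatic('Foo', 'bar', array('x', 'y'), $allowed));

// A pair that is not on the allow list is refused before any class lookup.
try {
    dispatchStatic('Bar', 'baz', array(), $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
?>
```

The order of the checks is deliberate: the allow list is consulted before class_exists(), so untrusted input can never select which file the autoloader includes, and is_callable() is checked after autoloading because a static method on a not-yet-loaded class is not callable until the class definition exists.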
 [2010-06-22 00:39 UTC] felipe@php.net
-Status: No Feedback +Status: Feedback
 [2010-06-22 00:39 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2013-02-18 00:33 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.