Bug #63173 Crash when invoking invalid array callback
Submitted: 2012-09-27 16:11 UTC
Modified: 2012-09-27 16:57 UTC
From: bugs dot php dot net at majkl578 dot cz
Assigned: nikic
Status: Closed
Package: Reproducible crash
PHP Version: 5.4.7
OS: Linux & Windows
Private report: No
CVE-ID: None
 [2012-09-27 16:11 UTC] bugs dot php dot net at majkl578 dot cz
Description:
------------
PHP crashes when the callback (defined as an array) is invalid.

Test script:
---------------
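<?php
// Two elements, but under keys 1 and 2: index 0 is absent.
$foo = [
	1 => 0,
	2 => 0,
];

// Invoke the array as a callback.
$foo();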

Expected result:
----------------
PHP Fatal error

Actual result:
--------------
Segmentation fault; backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a53ddf in ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER (execute_data=0x7ffff7f740e8) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:1922
1922				if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) {
(gdb) bt
#0  0x0000000000a53ddf in ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER (execute_data=0x7ffff7f740e8) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:1922
#1  0x0000000000a4cb52 in execute (op_array=0x7ffff7fab698) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:410
#2  0x0000000000a1064a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /storage/build/php/5.4/php-5.4.7/Zend/zend.c:1286
#3  0x0000000000987c90 in php_execute_script (primary_file=0x7fffffffdfc0) at /storage/build/php/5.4/php-5.4.7/main/main.c:2473
#4  0x0000000000b569ea in do_cli (argc=2, argv=0x7fffffffe368) at /storage/build/php/5.4/php-5.4.7/sapi/cli/php_cli.c:988
#5  0x0000000000b579a5 in main (argc=2, argv=0x7fffffffe368) at /storage/build/php/5.4/php-5.4.7/sapi/cli/php_cli.c:1364

 [2012-09-27 16:48 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2012-09-27 16:48 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=592b232e834ed2698fa97ad4dd58e5ab21f257be
Log: Fix bug #63173: Crash when invoking invalid array callback
 [2012-09-27 16:57 UTC] nikic@php.net
Thanks for the report, this is now fixed in the repo.

Two more notes:
 * For call_user_func the call will go through zend_is_callable_ex where the check is properly done (see http://lxr.php.net/xref/PHP_5_3/Zend/zend_API.c#2771), so this bug doesn't apply to it (or any other function with f zpp)
 * Calling array callbacks using $callback() is only supported since 5.4, so this does not apply to PHP 5.3.
 [2012-09-27 16:57 UTC] nikic@php.net
-Summary: Crash when invoking invalid callback +Summary: Crash when invoking invalid array callback -Assigned To: +Assigned To: nikic
 [2014-10-07 23:22 UTC] stas@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=592b232e834ed2698fa97ad4dd58e5ab21f257be
Log: Fix bug #63173: Crash when invoking invalid array callback
 [2014-10-07 23:33 UTC] stas@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=592b232e834ed2698fa97ad4dd58e5ab21f257be
Log: Fix bug #63173: Crash when invoking invalid array callback
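
The 16:57 comment above notes that call_user_func validates the callback before calling it, while direct $callback() invocation was the path that crashed. The following is an added example, not code from the report or from php-src: a hypothetical helper, invoke_checked(), that checks the shape of an array callback (exactly indices 0 and 1, with the types the crashing line at zend_vm_execute.h:1922 tests for) and then uses is_callable() before invoking. The sample inputs are constructed.

```php
<?php
// Added example; invoke_checked() is a hypothetical helper, not part of PHP.

// Invoke $callback only after validating it, instead of calling $callback() directly.
function invoke_checked($callback, array $args = [])
{
    if (is_array($callback)) {
        // A valid array callback is exactly [0 => class name or object, 1 => method name].
        // The report's array has two elements but keys 1 and 2, so index 0 is missing.
        if (count($callback) !== 2
            || !array_key_exists(0, $callback)
            || !array_key_exists(1, $callback)) {
            throw new InvalidArgumentException('array callback needs exactly indices 0 and 1');
        }
        if (!is_string($callback[0]) && !is_object($callback[0])) {
            throw new InvalidArgumentException('index 0 must be a class name or an object');
        }
        if (!is_string($callback[1])) {
            throw new InvalidArgumentException('index 1 must be a method name');
        }
    }
    // is_callable() confirms the function, or the class and method, actually resolve.
    if (!is_callable($callback)) {
        throw new InvalidArgumentException('value is not callable');
    }
    return call_user_func_array($callback, $args);
}

// Constructed sample inputs.
$samples = [
    'report reproducer'   => [1 => 0, 2 => 0],
    'wrong element types' => [0, 0],
    'unknown method'      => ['ArrayObject', 'noSuchMethod'],
    'valid object method' => [new ArrayObject([1, 2, 3]), 'count'],
];

foreach ($samples as $label => $cb) {
    try {
        echo $label, ': ', var_export(invoke_checked($cb), true), "\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```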
Last updated: Fri May 10 23:01:30 2024 UTC