|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2011-03-19 23:49 UTC] cataphract@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: cataphract
[2011-03-20 00:15 UTC] cataphract@php.net
[2011-03-20 00:15 UTC] cataphract@php.net
-Status: Assigned
+Status: Closed
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 16:01:28 2024 UTC |
Description: ------------ The attached code crashes on PHP5.3 SVN. Since this is pretty sure only a null-pointer deref, reporting this as public (non-security related). Test script: --------------- <?php $targetDir = chr(0).DIRECTORY_SEPARATOR.md5('directoryIterator::getbasename'); $dir = new DirectoryIterator($targetDir.DIRECTORY_SEPARATOR); while(!$dir->isFile()) { } ?> Actual result: -------------- ==2043== Invalid read of size 8 ==2043== at 0x6586DB: spl_filesystem_object_get_path (spl_directory.c:168) ==2043== by 0x6587B0: spl_filesystem_object_get_file_name (spl_directory.c:190) ==2043== by 0x65BF85: zim_spl_SplFileInfo_isFile (spl_directory.c:1163) ==2043== by 0x7ED61F: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:638) ==2043== by 0x7EE50E: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:748) ==2043== by 0x7EC0F3: execute (zend_vm_execute.h:410) ==2043== by 0x7B0314: zend_execute_scripts (zend.c:1212) ==2043== by 0x726A37: php_execute_script (main.c:2344) ==2043== by 0x8EC455: main (php_cli.c:1136) ==2043== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==2043== ==2043== ==2043== Process terminating with default action of signal 11 (SIGSEGV)