Bug #66127 Segmentation fault with ArrayObject unset
Submitted: 2013-11-20 18:06 UTC Modified: 2014-06-08 22:41 UTC
Votes: 4
Avg. Score: 4.0 ± 0.7
Reproduced: 3 of 3 (100.0%)
Same Version: 3 (100.0%)
Same OS: 2 (66.7%)
From: webm4st0r at gmail dot com Assigned: stas (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.5.6 OS: CentOS confirmed
Private report: No CVE-ID: None
 [2013-11-20 18:06 UTC] webm4st0r at gmail dot com
Description:
------------
This appears to have been introduced as the result of the patch to https://bugs.php.net/bug.php?id=52861.

I ran into this issue while regression testing our application on PHP 5.5.5, and was able to create a short script to reproduce the segfault.

Building PHP 5.4.13 with the patch for #52861 removed results in a successful execution and proper execution of the error handler. Build was on a clean version of the 5.4.13 distribution, with no configure options provided.

gdb backtrace for PHP 5.4.13:

#0  _zend_mm_alloc_int (heap=0xd2b290, size=32) at /root/build/php-5.4.13/Zend/zend_alloc.c:1906
#1  0x00000000006765ad in zend_error (type=1024, format=0xa7dee1 "%s") at /root/build/php-5.4.13/Zend/zend.c:1123
#2  0x0000000000687419 in zif_trigger_error (ht=<value optimized out>, return_value=0x7ffff7fe2290, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /root/build/php-5.4.13/Zend/zend_builtin_functions.c:1504
#3  0x00000000006ee76a in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/build/php-5.4.13/Zend/zend_vm_execute.h:642
#4  0x00000000006dbe60 in execute (op_array=0xe9ff50) at /root/build/php-5.4.13/Zend/zend_vm_execute.h:410
#5  0x000000000067616e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/build/php-5.4.13/Zend/zend.c:1315
#6  0x000000000061c17e in php_execute_script (primary_file=0x7fffffffe2b0) at /root/build/php-5.4.13/main/main.c:2492
#7  0x000000000071bbb3 in do_cli (argc=2, argv=0x7fffffffe6b8) at /root/build/php-5.4.13/sapi/cli/php_cli.c:988
#8  0x000000000071c2b4 in main (argc=2, argv=0x7fffffffe6b8) at /root/build/php-5.4.13/sapi/cli/php_cli.c:1364

gdb backtrace for PHP 5.5.6:

#0  _zend_mm_alloc_int (heap=0xd9ed00, size=32) at /root/build/php-5.5.6/Zend/zend_alloc.c:1910
#1  0x0000000000691b9a in zend_error (type=1024, format=0xa6f4ec "%s") at /root/build/php-5.5.6/Zend/zend.c:1126
#2  0x00000000006a3c5b in zif_trigger_error (ht=<value optimized out>, return_value=0x7ffff7fe22d0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /root/build/php-5.5.6/Zend/zend_builtin_functions.c:1521
#3  0x0000000000713da3 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/build/php-5.5.6/Zend/zend_vm_execute.h:550
#4  0x0000000000705350 in execute_ex (execute_data=0x7ffff7fad310) at /root/build/php-5.5.6/Zend/zend_vm_execute.h:363
#5  0x0000000000691749 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/build/php-5.5.6/Zend/zend.c:1320
#6  0x00000000006335b9 in php_execute_script (primary_file=0x7fffffffe2b0) at /root/build/php-5.5.6/main/main.c:2489
#7  0x0000000000741ccc in do_cli (argc=2, argv=0xd9ea20) at /root/build/php-5.5.6/sapi/cli/php_cli.c:994
#8  0x0000000000742468 in main (argc=2, argv=0xd9ea20) at /root/build/php-5.5.6/sapi/cli/php_cli.c:1378


Test script:
---------------
<?php

function crash()
{
    set_error_handler(function () {});
    $var = 1;
    trigger_error('error');
    $var2 = $var;
    $var3 = $var;
    trigger_error('error');
}

$items = new ArrayObject();

unset($items[0]);
unset($items[0][0]);
crash();
echo "Worked!\n";


Expected result:
----------------
Worked!

Actual result:
--------------
Segmentation fault (core dumped)

 [2013-11-22 04:54 UTC] laruence@php.net
-Assigned To: +Assigned To: stas
 [2013-11-22 04:54 UTC] laruence@php.net
@Stas, could you please look into this?
 [2014-06-05 11:15 UTC] arjen at react dot com
Still crashes: 5.4.13 - 5.6.0beta3

http://3v4l.org/j4GdO
 [2014-06-08 00:16 UTC] rasmus@php.net
Here is the Valgrind memcheck output for this:

https://gist.github.com/anonymous/3d813b987629d0eb6022

This is from a PHP-5.6-dev checkout from today.

Basically we are accessing memory that has already been freed here.
 [2014-06-08 22:41 UTC] stas@php.net
Proposed fix:

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 34f3a38..758947a 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -402,7 +402,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
        /* When in a write context,
         * ZE has to be fooled into thinking this is in a reference set
         * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */
-       if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) {
+       if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) {
                if (Z_REFCOUNT_PP(ret) > 1) {
                        zval *newval;
 
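Review bot: the added `ret != &EG(uninitialized_zval_ptr)` test is bolted onto the whole write-context condition, although only the BP_VAR_UNSET lookup of a missing offset can hand back that pointer; narrow the exception to that case (or return before this block when `ret` is the shared sentinel) so the BP_VAR_W and BP_VAR_RW behaviour stays untouched. The comment above says the code separates the value and returns it as an is_ref=1 zval; doing that through a pointer into `EG(...)` mutates engine-global state, which is consistent with the freed-memory access Valgrind showed, so the guard itself is the right idea. The follow-up in this thread reports ext/spl/tests/iterator_035.phpt ("Cannot assign by reference to overloaded object") regressing with this exact change, so that test and the reporter's script belong in the run before commit, and the block comment should mention the sentinel exception rather than still claiming every write-context result is turned into a reference.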

Please check if it works for you.
 [2014-06-10 19:29 UTC] arjen at react dot com
Your patch fixes the reported issue; however, it introduces a regression in ext/spl/tests/iterator_035.phpt

--TEST--
SPL: ArrayIterator and values assigned by reference
--FILE--
<?php

$tmp = 1;

$a = new ArrayIterator();
$a[] = $tmp;
$a[] = &$tmp;

echo "Done\n";
?>
--EXPECTF--
Fatal error: Cannot assign by reference to overloaded object in %s on line %d


The expected fatal error isn't triggered.
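A single regression test in the .phpt format used above that covers both sides of this thread, the reporter's unset-then-trigger_error crash and the iterator_035 by-reference case, so a candidate fix is checked against both at once; this is an added example, not a test from the bug report or from php-src, and the test name, the `$notices` counter and the extra string-key unset are constructed here.

```php
--TEST--
Bug #66127 regression: unset() of missing ArrayObject offsets, then error handling and by-ref assignment
--FILE--
<?php
// Added example (not from the bug report or php-src): the reporter's crash
// script and the iterator_035 by-reference case in one test, so a fix for the
// unset path is also checked against the regression reported in this thread.
$notices = 0;
set_error_handler(function ($errno) use (&$notices) {
    if ($errno === E_NOTICE) { $notices++; }   // swallow "Undefined offset" notices
    return true;
});

$items = new ArrayObject();
unset($items[0]);        // missing offset: BP_VAR_UNSET on a direct dimension
unset($items[0][0]);     // nested: the outer fetch is a BP_VAR_UNSET read
unset($items['k']);      // same path through a string key (constructed)
var_dump(count($items));

// zend_error() allocates; with the use-after-free this is where it crashed.
$var = 1;
trigger_error('first');
$var2 = $var;
$var3 = $var;
trigger_error('second');

// The engine's shared uninitialized value must still behave as a plain NULL.
$other = new ArrayObject();
var_dump(isset($other[0]), empty($other['k']));

restore_error_handler();
echo "alive\n";

// Reference assignment through the overloaded object must still be refused.
$tmp = 1;
$a = new ArrayIterator();
$a[] = $tmp;
$a[] = &$tmp;
echo "not reached\n";
?>
--EXPECTF--
int(0)
bool(false)
bool(true)
alive

Fatal error: Cannot assign by reference to overloaded object in %s on line %d
```

Drop the file into ext/spl/tests/ and run it with run-tests.php; a fix that only guards the unset path will pass the first half, and the fatal error at the end is what iterator_035 checks.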
 [2014-06-11 06:21 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-06-11 06:21 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-06-11 06:24 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-07-29 21:56 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2ba5c7987141fc11706207b0ce24ea2eb6dea87
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=e2ba5c7987141fc11706207b0ce24ea2eb6dea87
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC