Bug #69388 Use after free on recursive calls to PHP compiler
Submitted: 2015-04-06 20:41 UTC Modified: 2015-04-06 20:41 UTC
From: dmitry@php.net Assigned: nikic (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: master-Git-2015-04-06 (Git) OS: *
Private report: No CVE-ID: None

 

 [2015-04-06 20:41 UTC] dmitry@php.net
Description:
------------
The bug is visible only with opcache disabled. PHP-5.5 and 5.6 are not affected.

Test script:
---------------
<?php
error_reporting(E_ALL | E_STRICT);
function handle_error($code, $message, $file, $line, $context) {
	if (!function_exists("bla")) {
		eval('function bla($s) {echo "$s\n";}');
	}
	bla($message);
}

set_error_handler('handle_error');
eval('namespace {use Exception;}');


Expected result:
----------------
The use statement with non-compound name 'Exception' has no effect

Actual result:
--------------
The use statement with non-compound name 'Exception' has no effect
==24404== Invalid read of size 4
==24404==    at 0x85E9F42: _zend_is_inconsistent (zend_hash.c:44)
==24404==    by 0x85EB22F: _zend_hash_add_or_update_i (zend_hash.c:475)
==24404==    by 0x85EB522: _zend_hash_add (zend_hash.c:537)
==24404==    by 0x85B6F4B: zend_hash_add_ptr (zend_hash.h:458)
==24404==    by 0x85C2753: zend_compile_use (zend_compile.c:5188)
==24404==    by 0x85C66B4: zend_compile_stmt (zend_compile.c:6726)
==24404==    by 0x85C62E2: zend_compile_top_stmt (zend_compile.c:6630)
==24404==    by 0x85C62C3: zend_compile_top_stmt (zend_compile.c:6625)
==24404==    by 0x85C2C5D: zend_compile_namespace (zend_compile.c:5329)
==24404==    by 0x85C66D4: zend_compile_stmt (zend_compile.c:6732)
==24404==    by 0x85C62E2: zend_compile_top_stmt (zend_compile.c:6630)
==24404==    by 0x85C62C3: zend_compile_top_stmt (zend_compile.c:6625)
==24404==  Address 0x6d82b80 is 8 bytes inside a block of size 44 free'd
==24404==    at 0x400826D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24404==    by 0x85B6142: _efree (zend_alloc.c:2216)
==24404==    by 0x85BA838: zend_reset_import_tables (zend_compile.c:1628)
==24404==    by 0x85BA8D7: zend_end_namespace (zend_compile.c:1648)
==24404==    by 0x85BA90F: zend_do_end_compilation (zend_compile.c:1659)
==24404==    by 0x859E02B: compile_string (zend_language_scanner.l:753)
==24404==    by 0x8627865: ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (zend_vm_execute.h:3364)
==24404==    by 0x8621632: execute_ex (zend_vm_execute.h:394)
==24404==    by 0x85CAEEA: zend_call_function (zend_execute_API.c:838)
==24404==    by 0x85CA732: call_user_function_ex (zend_execute_API.c:661)
==24404==    by 0x85DD295: zend_error (zend.c:1231)
==24404==    by 0x85C24F2: zend_compile_use (zend_compile.c:5125)
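
The two stacks above show the import table being freed by a nested compile_string (reached through zend_error from zend_compile_use) and then used again by the outer zend_compile_use. The C model below is an added illustration of that re-entrancy pattern, not php-src code and not the committed fix; every name in it (pool, run_model, save_restore, ...) is hypothetical, and freeing is modelled with a `live` flag so the stale access is detected instead of executed.

```c
#include <stdio.h>

/* Model of the per-compilation import table. Slots come from a static pool and
 * "freeing" only clears `live`, so a stale access can be observed safely. */
struct table { int live; int entries; };
static struct table pool[4];
static struct table *cur_imports;   /* stands in for global compiler state */
static int save_restore;            /* 0 = pattern in the report, 1 = hardened model */

static struct table *table_new(void) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].entries = 0; return &pool[i]; }
    return NULL;
}
static void reset_import_tables(void) {   /* end-of-compilation cleanup */
    if (cur_imports) cur_imports->live = 0;
    cur_imports = NULL;
}
static int compile_use(int warn);

/* Compile one source string: 0 = ok, -1 = stale table used, -2 = pool exhausted. */
static int compile_string(int warn) {
    struct table *saved = cur_imports;
    if (save_restore) cur_imports = NULL;  /* nested compile gets its own state */
    int rc = compile_use(warn);
    reset_import_tables();
    if (save_restore) cur_imports = saved; /* hand the outer table back untouched */
    return rc;
}
/* User error handler that eval()s code, i.e. re-enters the compiler. */
static void error_handler(void) { compile_string(0); }

static int compile_use(int warn) {
    if (!cur_imports) cur_imports = table_new();
    struct table *t = cur_imports;  /* pointer held across the warning callback */
    if (!t) return -2;
    if (warn) error_handler();      /* the "has no effect" warning fires here */
    if (!t->live) return -1;        /* a real engine would write to freed memory */
    t->entries++;
    return 0;
}
int run_model(int hardened) {
    for (int i = 0; i < 4; i++) pool[i].live = 0;
    cur_imports = NULL;
    save_restore = hardened;
    return compile_string(1);
}
int main(void) {
    printf("shared state: %d, saved/restored: %d\n", run_model(0), run_model(1));
    return 0;
}
```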


 [2015-04-06 20:41 UTC] dmitry@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: nikic
 [2015-04-20 16:19 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0381c1b79e9491e68c9ca85a21e0a5bd68f3840f
Log: Fixed bug #69388
 [2015-04-20 16:19 UTC] nikic@php.net
-Status: Assigned
+Status: Closed
 [2016-07-20 11:39 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0381c1b79e9491e68c9ca85a21e0a5bd68f3840f
Log: Fixed bug #69388
 
Last updated: Wed Jul 09 16:02:26 2025 UTC