Bug #74733 stack-overflow in spl_autoload_register
Submitted: 2017-06-09 21:37 UTC
Modified: 2017-06-29 01:04 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: martino dot sani at gmail dot com
Assigned:
Status: Not a bug
Package: SPL related
PHP Version: 7.2Git-2017-06-09 (Git)
OS: Linux x86_64
Private report: No
CVE-ID: None

 [2017-06-09 21:37 UTC] martino dot sani at gmail dot com
Description:
------------
American fuzzy lop detects an infinite recursion that can lead to a stack-overflow.

Test platform:
Linux 4.9.20-std-1 #1 SMP Tue Apr 4 12:56:17 UTC 2017 x86_64 GNU/Linux

GIT SHA:
e72970026d381ab250b5cc4f9e3ad5f0a384ddaf

Test script:
---------------
<?php spl_autoload_register(function($e){static$i;if($i++){}class_exists(''.$i);});var_dump(class_exists('0'))?>

Actual result:
--------------
$ ./php -f 0.php.tmin
                         
ASAN:DEADLYSIGNAL

==18723==ERROR: AddressSanitizer: stack-overflow on address 0x7ffed1e32da8 (pc 0x0000004dcc91 bp 0x7ffed1e33650 sp 0x7ffed1e32db0 T0)
    #0 0x4dcc90 in __interceptor_memcmp.part.69 (/tmp/bin/php+0x4dcc90)               
    #1 0x1aa4d2e in zend_hash_find_bucket /tmp/php-src-latest/Zend/zend_hash.c:491:8
    #2 0x1aa4944 in zend_hash_find /tmp/php-src-latest/Zend/zend_hash.c:1958:6                                
    #3 0x1db91c4 in ZEND_BIND_STATIC_SPEC_CV_CONST_HANDLER /tmp/php-src-latest/Zend/zend_vm_execute.h:38766:10
    #4 0x1b8de13 in execute_ex /tmp/php-src-latest/Zend/zend_vm_execute.h:59725:7                             
    #5 0x19f18d3 in zend_call_function /tmp/php-src-latest/Zend/zend_execute_API.c:863:3                      
    #6 0x143a561 in zif_spl_autoload_call /tmp/php-src-latest/ext/spl/php_spl.c:451:4                         
    #7 0x19f1cda in zend_call_function /tmp/php-src-latest/Zend/zend_execute_API.c:877:4     
    #8 0x19f40f0 in zend_lookup_class_ex /tmp/php-src-latest/Zend/zend_execute_API.c:1040:7   
    #9 0x19f464d in zend_lookup_class /tmp/php-src-latest/Zend/zend_execute_API.c:1061:9                      
    #10 0x1ac3441 in zif_class_exists /tmp/php-src-latest/Zend/zend_builtin_functions.c:1391:8                

 [2017-06-10 07:43 UTC] requinix@php.net
Well yeah, of course that results in infinite recursion.

The only "bug" I see is that class_exists has no problem trying to load a class with an invalid name. Same for interface_exists and trait_exists. Not that it should ever happen in real code, though.
 [2017-06-15 18:51 UTC] kalle@php.net
If anything this should result in a memory_limit error, much like other recursive loops
 [2017-06-29 00:38 UTC] cmb@php.net
> The only "bug" I see is that class_exists has no problem trying
> to load a class with an invalid name.

Hmm, it appears that '0' is a valid class name, see
<https://3v4l.org/BhJqk>. :(
 [2017-06-29 01:04 UTC] requinix@php.net
-Status: Open
+Status: Not a bug
 [2017-06-29 01:04 UTC] requinix@php.net
Well, either that's a bug too, or we treat it like we do variable variables
  https://3v4l.org/RWpUJ
(which I forgot about) and say it's legal code.

...which is what I'm thinking now: either permit all invalid names through the variable variables syntax, or reject all. Which then makes BC an issue - if it wasn't already. So I guess we allow it, and if you want to jump through hoops to get weird names then go ahead? ¯\_(ツ)_/¯

Between that and the usual ruling for recursive code problems (ie, developer error and running out of memory and/or stack space is expected) I'd call this NAB.
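
A defensive counterpart to the test script, as an added example that is not part of the original report or of php-src: a wrapper that rejects class names failing the PHP manual's identifier pattern and throws once autoload calls nest too deeply, instead of recursing until the stack is exhausted. The names `guarded_autoloader` and `AUTOLOAD_NAME_RE`, the depth limit of 16 and the demo loader are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example: guarded_autoloader() and AUTOLOAD_NAME_RE are hypothetical
// names, not part of PHP, php-src or the report.

// Identifier pattern from the PHP manual, extended to allow namespace separators.
const AUTOLOAD_NAME_RE =
    '/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*(\\\\[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*)*$/';

function guarded_autoloader(callable $loader, int $maxDepth = 16): Closure
{
    $depth = 0; // nesting level of autoload calls currently on the stack
    return function (string $class) use ($loader, $maxDepth, &$depth): void {
        if (preg_match(AUTOLOAD_NAME_RE, $class) !== 1) {
            return; // names such as '0' or '1' never reach the loader
        }
        if ($depth >= $maxDepth) {
            throw new LogicException("autoload recursion limit reached at $class");
        }
        $depth++;
        try {
            $loader($class);
        } finally {
            $depth--; // unwind the counter even when the loader throws
        }
    };
}

// Constructed demo loader with the same re-entrant shape as the test script:
// every lookup triggers a lookup of a new, not yet seen class name.
$inner = function (string $class): void {
    class_exists($class . 'X');
};
spl_autoload_register(guarded_autoloader($inner));

var_dump(class_exists('0')); // rejected by the name check, loader not invoked

try {
    class_exists('A'); // valid name: recursion is cut off at $maxDepth
} catch (LogicException $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

The name check is a policy choice for this wrapper: as the thread notes, PHP itself accepts `'0'` as a class name, so the filter belongs in the autoloader rather than being something `class_exists` does for you.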
 
Last updated: Sat Jul 12 13:01:33 2025 UTC