PHP :: Bug #77664 :: Segmentation fault when using undefined constant in custom wrapper

Bug #77664	Segmentation fault when using undefined constant in custom wrapper
Submitted:	2019-02-25 01:16 UTC	Modified:	-
From:	lucas dot nodari at gmail dot com	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	master-Git-2019-02-25 (Git)	OS:	any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	lucas dot nodari at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2019-02-25 01:16 UTC] lucas dot nodari at gmail dot com

Description:
------------
Segmentation fault happens when trying to access a custom wrapper that was registered with a class that uses an undefined class constant.

A class is declared with a field that uses an undefined class constant.
This class is registered as a stream wrapper.
When using the wrapper with any filesystem function, php will crash.
This happens in all php 7 versions: https://3v4l.org/KKqGn

If the class is instantiated directly with the operator new, it will throw an undefined constant error.

If the undefined constant is used in a constructor instead, it works correctly, meaning, it fails to open and throws an error. 

Test script:
---------------
class ErrorWrapper { 
	public $context;
	public $var = self::INVALID;
}
stream_wrapper_register('error',ErrorWrapper::class);
file_get_contents('error://test');

Expected result:
----------------
Expected that it would throw an error, and fail to open the stream. The error should be the same that is thrown when creating a new instance of that class with the operator new.

Uncaught Error: Undefined class constant 'self::INVALID'

Actual result:
--------------
Backtrace:
#0  0x00000000086d6cde in add_property_zval_ex (arg=0x9745958, key=0x8f098fd "context", key_len=7, value=0x7ffffffe9f80) at php-src/Zend/zend_API.c:1734
#1  0x00000000086d6a06 in add_property_resource_ex (arg=0x9745958, key=0x8f098fd "context", key_len=7, r=0x9745930) at php-src/Zend/zend_API.c:1681
#2  0x0000000008660143 in user_stream_create_object (uwrap=0x97455d0, context=0x9745400, object=0x9745958) at php-src/main/streams/userspace.c:293
#3  0x0000000008660428 in user_wrapper_opener (wrapper=0x97455e8, filename=0x9745528 "error://test", mode=0x8ed7fbb "rb", options=0, opened_path=0x0, context=0x9745400, __php_stream_call_depth=1,
    __zend_filename=0x8f08708 "php-src/main/streams/streams.c", __zend_lineno=2032, __zend_orig_filename=0x8ed7f00 "php-src/ext/standard/file.c", __zend_orig_lineno=553) at php-src/main/streams/userspace.c:358
#4  0x00000000086576d1 in _php_stream_open_wrapper_ex (path=0x9745528 "error://test", mode=0x8ed7fbb "rb", options=8, opened_path=0x0, context=0x9745400, __php_stream_call_depth=0, __zend_filename=0x8ed7f00 "php-src/ext/standard/file.c",
    __zend_lineno=553, __zend_orig_filename=0x0, __zend_orig_lineno=0) at php-src/main/streams/streams.c:2030
#5  0x0000000008505811 in zif_file_get_contents (execute_data=0x7fffff6300a0, return_value=0x7ffffffea550) at php-src/ext/standard/file.c:551
#6  0x00000000083d512a in phar_file_get_contents (execute_data=0x7fffff6300a0, return_value=0x7ffffffea550) at php-src/ext/phar/func_interceptors.c:222
#7  0x000000000873c26f in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at php-src/Zend/zend_vm_execute.h:930
#8  0x00000000087ad141 in execute_ex (ex=0x7fffff630030) at php-src/Zend/zend_vm_execute.h:59868
#9  0x00000000087b33a0 in zend_execute (op_array=0x9745610, return_value=0x0) at php-src/Zend/zend_vm_execute.h:66092
#10 0x00000000086cee83 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at php-src/Zend/zend.c:1633
#11 0x0000000008634815 in php_execute_script (primary_file=0x7ffffffecd40) at php-src/main/main.c:2609
#12 0x00000000087b6163 in do_cli (argc=3, argv=0x9505ea0) at php-src/sapi/cli/php_cli.c:992
#13 0x00000000087b72da in main (argc=3, argv=0x9505ea0) at php-src/sapi/cli/php_cli.c:1384

Valgrind log:
==19317== Memcheck, a memory error detector
==19317== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==19317== Using Valgrind-3.14.0.SVN and LibVEX; rerun with -h for copyright info
==19317== Command: php -f error_wrapper.php
==19317== Parent PID: 4
==19317== 
==19317== error calling PR_SET_PTRACER, vgdb might block
==19317== Invalid read of size 8
==19317==    at 0x7DECDE: add_property_zval_ex (zend_API.c:1734)
==19317==    by 0x7DEA05: add_property_resource_ex (zend_API.c:1681)
==19317==    by 0x768142: user_stream_create_object (userspace.c:293)
==19317==    by 0x768427: user_wrapper_opener (userspace.c:358)
==19317==    by 0x75F6D0: _php_stream_open_wrapper_ex (streams.c:2030)
==19317==    by 0x60D810: zif_file_get_contents (file.c:551)
==19317==    by 0x4DD129: phar_file_get_contents (func_interceptors.c:222)
==19317==    by 0x84426E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:930)
==19317==    by 0x8B5140: execute_ex (zend_vm_execute.h:59868)
==19317==    by 0x8BB39F: zend_execute (zend_vm_execute.h:66092)
==19317==    by 0x7D6E82: zend_execute_scripts (zend.c:1633)
==19317==    by 0x73C814: php_execute_script (main.c:2609)
==19317==    by 0x8BE162: do_cli (php_cli.c:992)
==19317==    by 0x8BF2D9: main (php_cli.c:1384)
==19317==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==19317== 
==19317== 
==19317== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==19317==  Access not within mapped region at address 0x18
==19317==    at 0x7DECDE: add_property_zval_ex (zend_API.c:1734)
==19317==    by 0x7DEA05: add_property_resource_ex (zend_API.c:1681)
==19317==    by 0x768142: user_stream_create_object (userspace.c:293)
==19317==    by 0x768427: user_wrapper_opener (userspace.c:358)
==19317==    by 0x75F6D0: _php_stream_open_wrapper_ex (streams.c:2030)
==19317==    by 0x60D810: zif_file_get_contents (file.c:551)
==19317==    by 0x4DD129: phar_file_get_contents (func_interceptors.c:222)
==19317==    by 0x84426E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:930)
==19317==    by 0x8B5140: execute_ex (zend_vm_execute.h:59868)
==19317==    by 0x8BB39F: zend_execute (zend_vm_execute.h:66092)
==19317==    by 0x7D6E82: zend_execute_scripts (zend.c:1633)
==19317==    by 0x73C814: php_execute_script (main.c:2609)
==19317==    by 0x8BE162: do_cli (php_cli.c:992)
==19317==    by 0x8BF2D9: main (php_cli.c:1384)
==19317==  If you believe this happened as a result of a stack
==19317==  overflow in your program's main thread (unlikely but
==19317==  possible), you can try to increase the size of the
==19317==  main thread stack using the --main-stacksize= flag.
==19317==  The main thread stack size used in this run was 8388608.
==19317== 
==19317== HEAP SUMMARY:
==19317==     in use at exit: 2,757,432 bytes in 21,500 blocks
==19317==   total heap usage: 25,063 allocs, 3,563 frees, 3,625,903 bytes allocated
==19317== 
==19317== LEAK SUMMARY:
==19317==    definitely lost: 0 bytes in 0 blocks
==19317==    indirectly lost: 0 bytes in 0 blocks
==19317==      possibly lost: 1,857,842 bytes in 16,524 blocks
==19317==    still reachable: 899,590 bytes in 4,976 blocks
==19317==         suppressed: 0 bytes in 0 blocks
==19317== Rerun with --leak-check=full to see details of leaked memory
==19317== 
==19317== For counts of detected and suppressed errors, rerun with: -v
==19317== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-02-25 06:43 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a72dd782df3089a0d944a7e51eabebdf1f1abc3
Log: Fixed bug #77664 (Segmentation fault when using undefined constant in custom wrapper)

[2019-02-25 06:43 UTC] laruence@php.net

-Status: Open +Status: Closed

[2019-02-25 12:03 UTC] nikic@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a72dd782df3089a0d944a7e51eabebdf1f1abc3
Log: Fixed bug #77664 (Segmentation fault when using undefined constant in custom wrapper)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 07:01:29 2024 UTC