Bug #30457 calling non existent function alias stored in a member array of an object
Submitted: 2004-10-16 11:21 UTC Modified: 2004-10-16 14:38 UTC
From: kameshj at fastmail dot fm Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.0.2 OS: Any Operating System
Private report: No CVE-ID: None
 [2004-10-16 11:21 UTC] kameshj at fastmail dot fm
Description:
------------
Calling a non-existent function alias stored in a member array of an object causes a segmentation fault. This happens in 
PHP-5.0.0
PHP-5.0.1
PHP-5.0.2
PHP-5.1 HEAD

The cause happened to be zend_do_begin_method_call in zend_compile.c.

Here a check exists to see whether the member method name is __clone. This check causes a segmentation fault.

The solution is to check for
last_op->op2.u.constant.type==IS_STRING before checking str.len and calling zend_binary_strcasecmp.


This bug breaks the working of the PHP 5.0 port of Xoops 2.0.8.

Reproduce code:
---------------
Segmentation fault case
<?php
$obj->kameaps[0]();
?>

Non Segmentation fault case

<?php
$obj->anymembernamenotequalto7insize[0]();
?>


Expected result:
----------------
Fatal error: Function name must be a string in %s on line %d

Actual result:
--------------
Segmentation fault.


History

 [2004-10-16 11:50 UTC] kameshj at fastmail dot fm
Fixed in both 5.1 HEAD and 5.0.2 tree using hyanantha's account
 [2004-10-16 12:32 UTC] tony2001@php.net
No bug -> bogus.
 [2004-10-16 13:02 UTC] kameshj at fastmail dot fm
What do you mean by bogus, Tony?
 [2004-10-16 13:07 UTC] tony2001@php.net
I mean that this bug has already been fixed, so I see no sense in creating this bug report.
If this bug still exists (though I'm not able to reproduce it), I don't understand what you meant by saying that it's been fixed.
 [2004-10-16 13:21 UTC] kameshj at fastmail dot fm
I fixed it in CVS just an hour back.
This bug is pretty much reproducible.
just execute this,
<?php
$obj->kameaps[0]();
?>
 [2004-10-16 14:38 UTC] kameshj at fastmail dot fm
I also did not get any e-mail regarding this.
But my fix is available in revision 1.598 of zend_compile.c in PHP5_1 and
1.567.2.11 in PHP5_0.

Before this fix I got a consistent crash in PHP5_1 HEAD, of which I got the latest version at 2 PM October 16 IST (GMT+5:30).

It crashes with PHP-5.0.2 too.

The code snippet which causes this segmentation fault
might look funny, but it is at the root of major functionality in the Xoops application.

This will happen only with 7-character member arrays which are indexed with a non-existent entry and on which a function call is then made.

Based on my study of the issue, let me explain:

$somenonexistentobject->sevench[0]()

$somenonexistentobject->sevench[0] evaluates to Long.

In zend_do_begin_method_call,
last_op_number = get_next_op_number(CG(active_op_array))-1;
last_op = &CG(active_op_array)->opcodes[last_op_number];

assumes last_op's op2 is always a string, which is incorrect in this case.

As the same zendlval is used by the scanner to store tokens and return them to the parser,
the earlier token 'sevench', of string type, had
zendlval->value.str.len=7.
The later token 0 evaluates to Long and
zendlval->value.dval=0.
The earlier value zendlval->value.str.len=7 still exists in memory.
This causes
if ((last_op->op2.op_type == IS_CONST) 
&& (last_op->op2.u.constant.value.str.len == sizeof(ZEND_CLONE_FUNC_NAME)-1)
&& 
!zend_binary_strcasecmp(
last_op->op2.u.constant.value.str.val, 
last_op->op2.u.constant.value.str.len, ZEND_CLONE_FUNC_NAME, sizeof(ZEND_CLONE_FUNC_NAME)-1)) 

to misbehave: the bug makes this condition true,
(last_op->op2.u.constant.value.str.len == sizeof(ZEND_CLONE_FUNC_NAME)-1)
and hence zend_binary_strcasecmp is called with NULL, and hence the segmentation fault.

My check (last_op->op2.u.constant.type==IS_STRING) prior to
(last_op->op2.u.constant.value.str.len == sizeof(ZEND_CLONE_FUNC_NAME)-1)
makes sure that we are working with a string only.

Hope I made the bug report clear.
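The stale-union hazard described in the report and in the last comment, as an added C illustration that is not Zend Engine code and not the reporter's patch: a cut-down model of PHP 5's zvalue_value union, the __clone length check as reported before the fix, and the same check with the type test in front. The union layout, the IS_LONG/IS_STRING constants, the helper names and the instrumented comparison (which reports a NULL pointer instead of crashing the process) are this example's own assumptions; it also assumes a platform where long and char * have the same size (LP64 or ILP32), so that writing lval zeroes str.val and leaves str.len untouched.

```c
/* Added illustration, not Zend Engine code: model of the zval union and of
 * the __clone check in zend_do_begin_method_call, before and after the fix. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IS_LONG   1            /* model's own tag values */
#define IS_STRING 6
#define ZEND_CLONE_FUNC_NAME "__clone"
#define CLONE_LEN ((int)(sizeof(ZEND_CLONE_FUNC_NAME) - 1))   /* 7 */

/* Model of PHP 5's zval: lval shares storage with str.val, nothing shares
 * storage with str.len (assumes sizeof(long) == sizeof(char *)). */
typedef struct {
    union {
        long lval;
        double dval;
        struct { char *val; int len; } str;
    } value;
    int type;
} zval_model;

enum outcome { NOT_CLONE, IS_CLONE, NULL_DEREF };

/* Stand-in for zend_binary_strcasecmp, instrumented so the NULL
 * dereference is reported as a result instead of crashing. */
static enum outcome compare_to_clone(const char *s, int len)
{
    if (s == NULL)
        return NULL_DEREF;
    if (len != CLONE_LEN)
        return NOT_CLONE;
    for (int i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)ZEND_CLONE_FUNC_NAME[i]))
            return NOT_CLONE;
    return IS_CLONE;
}

/* The check as reported before the fix: str.len is read with no type test. */
enum outcome buggy_clone_check(const zval_model *op2)
{
    if (op2->value.str.len == CLONE_LEN)
        return compare_to_clone(op2->value.str.val, op2->value.str.len);
    return NOT_CLONE;
}

/* The check with the fix: the str member is only read when the tag says
 * the constant really is a string. */
enum outcome fixed_clone_check(const zval_model *op2)
{
    if (op2->type == IS_STRING && op2->value.str.len == CLONE_LEN)
        return compare_to_clone(op2->value.str.val, op2->value.str.len);
    return NOT_CLONE;
}

/* The scanner reuses one zval: first the member-name token, then the
 * integer index token. Writing lval only touches the bytes shared with
 * str.val; str.len keeps the length of the previous token. */
static void scan_member_then_index(zval_model *zv, char *member, long index)
{
    zv->value.str.val = member;
    zv->value.str.len = (int)strlen(member);
    zv->type = IS_STRING;
    zv->value.lval = index;
    zv->type = IS_LONG;
}

/* Constructed member names from the report: 7 characters and 30 characters. */
static char kameaps[]  = "kameaps";
static char longname[] = "anymembernamenotequalto7insize";
static char clone_nm[] = "__clone";

/* $obj->kameaps[0]() : str.len stays 7 while str.val has become NULL. */
int stale_len_after_index(void)
{
    zval_model zv;
    scan_member_then_index(&zv, kameaps, 0);
    return zv.value.str.len;
}

enum outcome seven_char_member_buggy(void)   /* the reported crash */
{
    zval_model zv;
    scan_member_then_index(&zv, kameaps, 0);
    return buggy_clone_check(&zv);
}

enum outcome seven_char_member_fixed(void)   /* compilation continues */
{
    zval_model zv;
    scan_member_then_index(&zv, kameaps, 0);
    return fixed_clone_check(&zv);
}

/* $obj->anymembernamenotequalto7insize[0]() : stale len is 30, so even the
 * buggy check fails the length test before dereferencing anything. */
enum outcome long_member_buggy(void)
{
    zval_model zv;
    scan_member_then_index(&zv, longname, 0);
    return buggy_clone_check(&zv);
}

/* $obj->__clone() : a genuine string constant is still recognised after the fix. */
enum outcome real_clone_call_fixed(void)
{
    zval_model zv = { .type = IS_STRING };
    zv.value.str.val = clone_nm;
    zv.value.str.len = CLONE_LEN;
    return fixed_clone_check(&zv);
}

int main(void)
{
    printf("stale str.len after index token: %d\n", stale_len_after_index());
    printf("buggy check on kameaps[0]: %s\n",
           seven_char_member_buggy() == NULL_DEREF ? "NULL dereference" : "ok");
    printf("fixed check on kameaps[0]: %s\n",
           seven_char_member_fixed() == NOT_CLONE ? "not __clone" : "?");
    return 0;
}
```

The general lesson is the one the patch encodes: a tagged union must be read through its tag, never through a field whose bytes happened to survive the last write. The same pattern (a length or size field that outlives the pointer it described) is what turns a scanner-side reuse optimisation into a NULL or stale-pointer dereference in the consumer.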
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat May 18 11:01:34 2024 UTC