Bug #43298 segfault with long class names supplied to stream_wrapper_register/class_exists
Submitted: 2007-11-14 19:40 UTC
Modified: 2007-11-14 23:33 UTC
From: hoffie at gentoo dot org
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 5.2.5
OS: Linux 2.6
Private report: No
CVE-ID:
 [2007-11-14 19:40 UTC] hoffie at gentoo dot org
Description:
------------
stream_wrapper_register() crashes when it is passed a very long class name string. A lot of (all?) other functions which accept a class name as an argument have the same problem (for example: is_subclass_of(), get_class_vars(), class_exists(), property_exists(), get_class_methods(), ...).
This was originally reported at http://www.securityfocus.com/archive/1/483644/30/0/threaded (which only mentions stream_wrapper_register).

I guess the fix has to be somewhere in zend_str_tolower_copy(), but I don't quite understand what is actually causing the segfault.

Reproduce code:
---------------
php -r 'var_dump(stream_wrapper_register("something", str_repeat("a", 10000000)));'
php -r 'var_dump(class_exists(str_repeat("a", 10000000)));'

Expected result:
----------------
bool(false)
bool(false)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000553367 in zend_lookup_class_ex (name=0x2b105681b070 'a' <repeats 200 times>..., 
    name_length=10000000, use_autoload=1, ce=0x7fff552d8910)
    at /tmp/php-5.2.5.build/Zend/zend_execute_API.c:1046
1046            zend_str_tolower_copy(lc_name, name, name_length);
(gdb) bt
#0  0x0000000000553367 in zend_lookup_class_ex (
    name=0x2b105681b070 'a' <repeats 200 times>..., name_length=10000000, use_autoload=1, 
    ce=0x7fff552d8910) at /tmp/php-5.2.5.build/Zend/zend_execute_API.c:1046
#1  0x000000000055373c in zend_lookup_class (name=0x2b105681b070 'a' <repeats 200 times>..., 
    name_length=10000000, ce=0x7fff552d8910)
    at /tmp/php-5.2.5.build/Zend/zend_execute_API.c:1128
#2  0x00000000005753a9 in zif_class_exists (ht=1, return_value=0x9569c0, return_value_ptr=0x0, 
    this_ptr=0x0, return_value_used=1)
    at /tmp/php-5.2.5.build/Zend/zend_builtin_functions.c:1032
#3  0x0000000000589b19 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff552d8b10)
    at /tmp/php-5.2.5.build/Zend/zend_vm_execute.h:200
#4  0x000000000058fc7d in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff552d8b10)
    at /tmp/php-5.2.5.build/Zend/zend_vm_execute.h:1681
#5  0x00000000005895ba in execute (op_array=0x957648)
    at /tmp/php-5.2.5.build/Zend/zend_vm_execute.h:92
#6  0x00000000005538ce in zend_eval_string (
    str=0x7fff552da0fb "var_dump(class_exists(str_repeat(\"a\", 10000000)));", retval_ptr=0x0, 
    string_name=0x67a6f4 "Command line code")
    at /tmp/php-5.2.5.build/Zend/zend_execute_API.c:1171
#7  0x0000000000553a4b in zend_eval_string_ex (
    str=0x7fff552da0fb "var_dump(class_exists(str_repeat(\"a\", 10000000)));", retval_ptr=0x0, 
    string_name=0x67a6f4 "Command line code", handle_exceptions=1)
    at /tmp/php-5.2.5.build/Zend/zend_execute_API.c:1205
#8  0x00000000005e37c3 in main (argc=3, argv=0x7fff552d90a8)
    at /tmp/php-5.2.5.build/sapi/cli/php_cli.c:1179

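The backtrace above faults on the very first write of zend_str_tolower_copy(), i.e. while lower-casing the caller's name into a scratch buffer sized by name_length. The C program below is an added example, not PHP source and not part of this report: it models a class lookup with that shape, shows a variant whose scratch buffer is carved from the stack with a caller-controlled size (this example's reading of why a 10,000,000-byte name faults; the report itself does not say where lc_name lives), and beside it a variant that keeps short names on the stack, moves long ones to the heap and turns allocation failure into "no such class". The class table, the LC_STACK_MAX threshold and the function names are constructed for illustration.

```c
/* Added example modelled on the crash site in the backtrace; it is not
 * code from PHP.  Names, table contents and LC_STACK_MAX are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <alloca.h>

/* Constructed "class table"; entries are stored lower-cased, as PHP keys
 * its class table by the lower-cased name. */
static const char *const class_table[] = { "exception", "arrayobject", "stdclass" };

static int table_contains(const char *lc_name, size_t len)
{
    for (size_t i = 0; i < sizeof class_table / sizeof *class_table; i++) {
        if (strlen(class_table[i]) == len && memcmp(class_table[i], lc_name, len) == 0)
            return 1;
    }
    return 0;
}

/* Same contract as zend_str_tolower_copy(): copy len bytes lower-cased
 * into dest and NUL-terminate.  dest must hold len + 1 bytes. */
static char *str_tolower_copy(char *dest, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dest[i] = (char)tolower((unsigned char)src[i]);
    dest[len] = '\0';
    return dest;
}

/* Fragile pattern: the scratch buffer comes from alloca() with a size the
 * caller controls.  alloca() cannot report failure; a 10,000,000-byte
 * request exceeds a default 8 MiB thread stack, so the first store in
 * str_tolower_copy() lands outside the mapped stack and raises SIGSEGV.
 * Kept for comparison only; never call it with an untrusted length. */
int lookup_class_fragile(const char *name, size_t len)
{
    char *lc_name = alloca(len + 1);
    str_tolower_copy(lc_name, name, len);
    return table_contains(lc_name, len);
}

/* Hardened variant: names up to LC_STACK_MAX use a fixed stack buffer,
 * longer ones go to the heap, and an allocation failure is reported as
 * "class does not exist" instead of crashing.  The threshold is a
 * constructed value, not a PHP constant. */
#define LC_STACK_MAX 256

int lookup_class_safe(const char *name, size_t len)
{
    char stack_buf[LC_STACK_MAX + 1];
    char *lc_name = stack_buf;
    int found;

    if (len > LC_STACK_MAX) {
        lc_name = malloc(len + 1);
        if (lc_name == NULL)
            return 0;           /* treat as not found rather than fault */
    }
    str_tolower_copy(lc_name, name, len);
    found = table_contains(lc_name, len);
    if (lc_name != stack_buf)
        free(lc_name);
    return found;
}

/* Recreates the reporter's test case class_exists(str_repeat("a", N))
 * against the hardened lookup: the name is built on the heap, so only the
 * lookup's own scratch buffer is exercised.  Returns -1 if the name itself
 * cannot be allocated. */
int huge_name_exists(size_t len)
{
    char *name = malloc(len);
    int found;

    if (name == NULL)
        return -1;
    memset(name, 'a', len);
    found = lookup_class_safe(name, len);
    free(name);
    return found;
}

int main(void)
{
    printf("Exception         -> %d\n", lookup_class_safe("Exception", 9));
    printf("NoSuchClass       -> %d\n", lookup_class_safe("NoSuchClass", 11));
    printf("10,000,000 x 'a'  -> %d\n", huge_name_exists(10000000));
    return 0;
}
```

The hardened variant gives the bool(false) the reporter expected for the 10,000,000-byte name; calling lookup_class_fragile() with that length reproduces the fault on a default stack, which is why the program above only runs the fragile variant through short names.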

History

 [2007-11-14 23:33 UTC] jani@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

See bug #43128
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 02:02:11 2014 UTC