Bug #46381 wrong $this passed to internal methods causes segfault
Submitted: 2008-10-24 13:45 UTC Modified: 2008-10-24 13:56 UTC
From: tony2001@php.net Assigned: tony2001
Status: Closed Package: Reproducible crash
PHP Version: 5.2.7RC2 OS: any
Private report: No CVE-ID:
 [2008-10-24 13:45 UTC] tony2001@php.net
Description:
------------
The code below makes PHP crash.
This happens because PHP uses wrong $this (PHP4 compatibility, bah..) and extensions have no means to check that.
The problem is not present in 5.3+, as it was fixed by Marcus in February as a part of big patch.

Reproduce code:
---------------
<?php
class test {
    public function test() {
        return PDO::lastInsertId();
    }
}
$test = new test();
$test->test();
?>

Actual result:
--------------
==5855== Invalid read of size 8
==5855==    at 0x5FEDAC: zim_PDO_lastInsertId (pdo_dbh.c:952)
==5855==    by 0x8C328E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==5855==    by 0x8C3FF6: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==5855==    by 0x8C2D2F: execute (zend_vm_execute.h:92)
==5855==    by 0x8C341D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==5855==    by 0x8C3FF6: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==5855==    by 0x8C2D2F: execute (zend_vm_execute.h:92)
==5855==    by 0x89A35F: zend_execute_scripts (zend.c:1134)
==5855==    by 0x83FAC1: php_execute_script (main.c:2011)
==5855==    by 0x9209C0: main (php_cli.c:1134)
==5855==  Address 0x8e68760 is not stack'd, malloc'd or (recently) free'd
==5855==
==5855== Invalid write of size 8
==5855==    at 0x5FEDBC: zim_PDO_lastInsertId (pdo_dbh.c:952)
==5855==    by 0x8C328E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==5855==    by 0x8C3FF6: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==5855==    by 0x8C2D2F: execute (zend_vm_execute.h:92)
==5855==    by 0x8C341D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==5855==    by 0x8C3FF6: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==5855==    by 0x8C2D2F: execute (zend_vm_execute.h:92)
==5855==    by 0x89A35F: zend_execute_scripts (zend.c:1134)
==5855==    by 0x83FAC1: php_execute_script (main.c:2011)
==5855==    by 0x9209C0: main (php_cli.c:1134)
==5855==  Address 0x8e68760 is not stack'd, malloc'd or (recently) free'd
==5855==
==5855== Invalid read of size 4
==5855==    at 0x8C0B70: zend_objects_store_del_ref (zend_objects_API.c:165)
==5855==    by 0x5FEDD6: zim_PDO_lastInsertId (pdo_dbh.c:952)
==5855==    by 0x8C328E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==5855==    by 0x8C3FF6: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==5855==    by 0x8C2D2F: execute (zend_vm_execute.h:92)
==5855==    by 0x8C341D: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==5855==    by 0x8C3FF6: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:322)
==5855==    by 0x8C2D2F: execute (zend_vm_execute.h:92)
==5855==    by 0x89A35F: zend_execute_scripts (zend.c:1134)
==5855==    by 0x83FAC1: php_execute_script (main.c:2011)
==5855==    by 0x9209C0: main (php_cli.c:1134)
==5855==  Address 0x8e68768 is not stack'd, malloc'd or (recently) free'd
and so on.
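The report's root cause is a type confusion inside the extension: the engine hands PDO::lastInsertId() the caller's $this (an instance of the userland class "test"), and the C implementation dereferences it as a PDO handle, so the valgrind trace shows reads and writes beyond the smaller object. The following is an added example, not code from the bug report or from the PHP source tree: it is a simplified standalone model of the object layout, not the Zend API, and the names zend_object, pdo_dbh_t, pdo_ce and test_ce are borrowed for readability only. It shows the engine behaviour the report describes (the caller's $this passed through unchanged on a static call) and the check an extension method needs before trusting the layout of $this.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an object store: every object begins with a common
 * header holding its class; an extension appends its own fields after it. */
typedef struct class_entry { const char *name; } class_entry;
typedef struct zend_object { const class_entry *ce; } zend_object;

/* Extension-private layout for a PDO handle (fields are illustrative). */
typedef struct pdo_dbh_t {
    zend_object std;        /* common header */
    void *driver;           /* PDO-specific data follows the header */
    long last_insert_id;
} pdo_dbh_t;

/* A userland object with no extension fields: just the common header.
 * It is much smaller than pdo_dbh_t, which is why reading it as one
 * runs off the end of the allocation (the "Invalid read" in the trace). */
typedef struct user_object { zend_object std; } user_object;

static const class_entry pdo_ce  = { "PDO" };
static const class_entry test_ce = { "test" };

/* Models the engine behaviour in the report: a non-static internal method
 * called statically from inside another object's method receives that
 * object's $this unchanged (PHP 4 compatibility behaviour). */
static zend_object *this_for_static_call(zend_object *caller_this) {
    return caller_this;
}

/* Unchecked pattern, as described in the report: trusts that $this is a PDO
 * handle and casts immediately. Never call this with a non-PDO object; it is
 * kept only to show the shape of the defect and is not exercised below. */
static long last_insert_id_unchecked(zend_object *this_ptr) {
    pdo_dbh_t *dbh = (pdo_dbh_t *)this_ptr;
    return dbh->last_insert_id;
}

/* Defensive pattern: confirm the class of $this before using the extension's
 * layout. Returns 0 and stores the value on success, -1 when $this is absent
 * or belongs to some other class (a real extension would raise a warning or
 * throw instead of silently returning). */
static int last_insert_id_checked(zend_object *this_ptr, long *out) {
    if (this_ptr == NULL || this_ptr->ce != &pdo_ce) {
        return -1;
    }
    *out = ((pdo_dbh_t *)this_ptr)->last_insert_id;
    return 0;
}

int main(void) {
    pdo_dbh_t pdo = { { &pdo_ce }, NULL, 42 };   /* constructed PDO handle */
    user_object t = { { &test_ce } };            /* constructed "test" object */
    long v = 0;

    /* Legitimate call: $this really is a PDO handle. */
    if (last_insert_id_checked(this_for_static_call(&pdo.std), &v) == 0) {
        printf("PDO::lastInsertId() -> %ld\n", v);
    }
    /* The report's scenario: $this is the caller's "test" instance. */
    if (last_insert_id_checked(this_for_static_call(&t.std), &v) != 0) {
        printf("refused: $this is a %s object, not PDO\n", t.std.ce->name);
    }
    (void)last_insert_id_unchecked;  /* shown, deliberately not executed */
    return 0;
}
```

The class-identity check is the defender's fix at the extension boundary; in userland, the equivalent mitigation is simply not to call non-static internal methods statically from inside another class's method, which is exactly the call the reproduce script makes.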

History

 [2008-10-24 13:56 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 14:01:50 2014 UTC