php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54400 AppendIterator call stack overflow
Submitted: 2011-03-27 15:27 UTC Modified: 2018-05-05 17:12 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: felipe@php.net Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2011-03-27 15:27 UTC] felipe@php.net
Description:
------------
See below.

Test script:
---------------
<?php

$x = new AppendIterator;
$x->append($x);

Expected result:
----------------
No crash

Actual result:
--------------
SIGSEGV

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-27 15:27 UTC] felipe@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2012-06-03 18:30 UTC] felipe@php.net
-Type: Security +Type: Bug -Package: SPL related +Package: Reproducible crash
 [2016-07-28 23:30 UTC] brian dot carpenter at gmail dot com
This is still a thing in PHP 5.6.24:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000f7a8d4 in zend_parse_parameters (num_args=0, 
    type_spec=0x166342f "") at /home/geeknik/php-5.6.24/Zend/zend_API.c:917
917	{
(gdb) bt
#0  0x0000000000f7a8d4 in zend_parse_parameters (num_args=0, 
    type_spec=0x166342f "") at /home/geeknik/php-5.6.24/Zend/zend_API.c:917
#1  0x00007fffff7ff348 in ?? ()
#2  0x00007ffff7fcb910 in ?? ()
#3  0x0000000000000000 in ?? ()
(gdb) list
912		return retval;
913	}
914	/* }}} */
915	
916	ZEND_API int zend_parse_parameters(int num_args TSRMLS_DC, const char *type_spec, ...) /* {{{ */
917	{
918		va_list va;
919		int retval;
920	
921		RETURN_IF_ZERO_ARGS(num_args, type_spec, 0);

valgrind -q ~/php-5.6.24/sapi/cli/php 10.php
==117124== Conditional jump or move depends on uninitialised value(s)
==117124==    at 0x1031834: zend_std_get_method (zend_object_handlers.c:1114)
==117124==    by 0xA0B820: spl_dual_it_get_method (spl_iterators.c:1357)
==117124==    by 0x10A5598: ZEND_INIT_METHOD_CALL_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:33443)
==117124==    by 0x1071B29: execute_ex (zend_vm_execute.h:363)
==117124==    by 0xF4DE44: zend_execute_scripts (zend.c:1341)
==117124==    by 0xD12DBF: php_execute_script (main.c:2613)
==117124==    by 0x12A0B38: do_cli (php_cli.c:994)
==117124==    by 0x429380: main (php_cli.c:1378)
==117124== 
==117124== Stack overflow in thread 1: can't grow stack to 0xffe801f68
==117124== 
==117124== Process terminating with default action of signal 11 (SIGSEGV)
==117124==  Access not within mapped region at address 0xFFE801F68
==117124==    at 0xED568C: zend_call_function (zend_execute_API.c:638)
==117124==  If you believe this happened as a result of a stack
==117124==  overflow in your program's main thread (unlikely but
==117124==  possible), you can try to increase the size of the
==117124==  main thread stack using the --main-stacksize= flag.
==117124==  The main thread stack size used in this run was 8388608.
==117124== Stack overflow in thread 1: can't grow stack to 0xffe801f60
==117124== 
==117124== Process terminating with default action of signal 11 (SIGSEGV)
==117124==  Access not within mapped region at address 0xFFE801F60
==117124==    at 0x4A236C0: _vgnU_freeres (vg_preloaded.c:58)
==117124==  If you believe this happened as a result of a stack
==117124==  overflow in your program's main thread (unlikely but
==117124==  possible), you can try to increase the size of the
==117124==  main thread stack using the --main-stacksize= flag.
==117124==  The main thread stack size used in this run was 8388608.
Segmentation fault
 [2018-05-05 17:12 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2018-05-05 17:12 UTC] cmb@php.net
I'm marking this as duplicate of bug #74977; actually, it's the
other way round, but the other ticket has already more useful
info.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 09:01:24 2019 UTC