php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #54465 PHP crashes when passing large object to string functions
Submitted: 2011-04-04 16:04 UTC Modified: 2011-04-12 20:24 UTC
Votes:7
Avg. Score:4.7 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:1 (16.7%)
From: wwwound at gmail dot com Assigned:
Status: Wont fix Package: Reproducible crash
PHP Version: 5.3.6 OS: CentOs
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: wwwound at gmail dot com
New email:
PHP Version: OS:

 

 [2011-04-04 16:04 UTC] wwwound at gmail dot com 
Description:
------------
PHP crashes when passing large object ( with __toString() method ) to string functions (like substr(), urlencode() etc.)

Test script:
---------------
<?php

class Foo
{


protected $obj;

function rec($i = 0, $obj)
{
	$this -> obj = $obj;

	// >5603 - segmentation fault or zend_mm_heap corrupted
	// With some values can work as expected 
	if ( $i < 15604) {  
		$this -> rec(++$i, $this);
	}
	
}

function __toString()
{
	$this -> rec(0, $this);
	return "Hello, world!";
}

}


$foo = new Foo();

substr($foo, 0, 5);

// This is ok
//echo "\nHello!\n";

// But if we begin using variables "zend_mm_heap corrupted" or "Segmentation Fault"
$a = "aaaaa\n";
echo $a;

?>

Expected result:
----------------
Expecting correct appication exit

Actual result:
--------------
"Segmentation Fault" or "zend_mm_heap corrupted" errors

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-04-05 09:21 UTC] scottmac@php.net 
Isn't this just smashing the stack with a recursion 15603 levels deep?
 [2011-04-05 11:53 UTC] wwwound at gmail dot com 
May be... But if we passing strval($foo) instead of $foo, it works fine and 
recursion doesnt currupt heap or violate memory access
 [2011-04-12 20:24 UTC] iliaa@php.net 
The crash is the result of a stack overflow, caused by recursive function use. The 
code will eventually crash even when $foo without strval() is used. It is just 
that with strval() the stack is being more heavily utilized.
 [2011-04-12 20:24 UTC] iliaa@php.net
-Status: Open +Status: Wont fix
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 09:01:29 2024 UTC