Bug #54662 Nested objects cause segmentation fault
Submitted: 2011-05-04 19:11 UTC Modified: 2011-05-06 21:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: aleksey dot v dot korzun at gmail dot com Assigned:
Status: Closed Package: SPL related
PHP Version: 5.3.6 OS: Tested on Freebsd/CentOS
Private report: No CVE-ID: None

 

 [2011-05-04 19:11 UTC] aleksey dot v dot korzun at gmail dot com
Description:
------------
Another discussion of this subject can be found here:

http://groups.google.com/group/igbinary/browse_thread/thread/16b8824cbce14c83/8fe37ea6d44556f0#8fe37ea6d44556f0



Test script:
---------------
<?php
/**
 * Proof of concept, segmentation fault (spl_array.c/igbinary.c)
 * when using nested objects.
 *
 * PHP 5.3.6, PECL-Memcached 1.x, Igbinary 1.x
 *
 * @author Aleksey Korzun 
 */

/**
 * Connection details for the memcached instance used by this proof of
 * concept. The pecl-memcached and igbinary extensions must be installed.
 */
define('MEMCACHE_SERVER', '192.168.2.85');
define('MEMCACHE_PORT', 11211);

/**
 * Outer element of the nested-object structure: each Storage wraps one
 * bare Object, so serializing a Storage serializes an object inside an object.
 */
class Storage
{
    /** Inner object; set once in the constructor. */
    public $storage;

    /**
     * Creates the inner Object so the instance is nested from birth.
     */
    public function __construct()
    {
        $this->storage = new Object();
    }
}

/**
 * Empty marker class used as the innermost nested object.
 *
 * NOTE(review): "Object" is a reserved class name as of PHP 7.2, so this
 * proof of concept only parses on the PHP 5.x versions it was written for.
 */
class Object
{
}

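/**
 * ArrayObject subclass holding LIMIT nested Storage objects.
 *
 * Memcached serializes it through igbinary, which hands the ArrayObject
 * payload to SPL's unserialize handler; the attached backtrace crashes in
 * that path (spl_array_unserialize_helper -> php_var_unserialize ->
 * var_push_dtor called with a NULL var_hash).
 */
class Collection extends \ArrayObject
{
    /** Number of Storage elements populate() appends. */
    const LIMIT = 1000;

    /**
     * Fills the collection with LIMIT fresh Storage instances.
     *
     * The comparison and the `$this->` receiver were lost when the report
     * was rendered (`while($limit append(new Storage);`); the loop below
     * is the evident intent of the original while-loop with a counter.
     * The attached trace shows a 10-element payload (`a:10:{`), so the
     * limit was presumably lowered for that run.
     */
    public function populate()
    {
        for ($i = 0; $i < self::LIMIT; ++$i) {
            $this->append(new Storage());
        }
    }
}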

// Round-trip the collection through memcached using the igbinary serializer.
// get() unserializes the cached payload via igbinary -> ArrayObject's
// unserialize handler, which is where the attached backtrace ends up; anything
// able to write that cache key controls the bytes the unserializer receives.
$memcached = new Memcached();
$memcached->setOption(Memcached::OPT_SERIALIZER, Memcached::SERIALIZER_IGBINARY);
$memcached->addServer(MEMCACHE_SERVER, MEMCACHE_PORT);

$collection = new Collection();
$collection->populate();

// Only report success when the write succeeded and the read back is truthy.
$stored = $memcached->set('foobar', $collection, 10);
if ($stored && $memcached->get('foobar')) {
    print "Passed";
}

Expected result:
----------------
The script should output 'Passed'.

Actual result:
--------------
#0  0x000000000053b2b4 in var_push_dtor (var_hashx=0x0, rval=0x80163b9f0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:60
60              var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;

#0  0x000000000053b2b4 in var_push_dtor (var_hashx=0x0, rval=0x80163b9f0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:60
        var_hash = (var_entries *) 0x80163c560
        prev = (var_entries *) 0x77bc58
#1  0x000000000053e2bd in process_nested_data (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, 
    ht=0x80163c560, elements=0) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:292
        key = (zval *) 0x80163c600
        data = (zval *) 0x80163c678
        old_data = (zval **) 0x80163b9f0
#2  0x000000000053de87 in object_common2 (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, elements=1)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:363
        retval_ptr = (zval *) 0x0
        fname = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 75584827}, ht = 0x0, obj = {handle = 0, 
      handlers = 0x481553b}}, refcount__gc = 0, type = 0 '\0', is_ref__gc = 0 '\0'}
#3  0x000000000053c450 in php_var_unserialize (rval=0x7fffffffc690, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:647
        len3 = 7
        user_func = (zval *) 0x5fd1a4
        arg_func_name = (zval *) 0x98
        pce = (zend_class_entry **) 0x80487e7f8
        custom_object = 0
        len = 7
        len2 = 7
        maxlen = 531
        elements = 1
        class_name = 0x80163ba80 "storage"
        ce = (zend_class_entry *) 0x801631cd8
        incomplete_class = 0
        retval_ptr = (zval *) 0x7fffffffc5e0
        args = {0x10}
        yych = 34 '"'
        cursor = (
    const unsigned char *) 0x80481532f "\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:4;"...
        limit = (
    const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Objec"...
        marker = (
    const unsigned char *) 0x804815324 ":7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object"...
        start = (
    const unsigned char *) 0x804815323 "O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Objec"...
        rval_ref = (zval **) 0x78
        yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#4  0x000000000053e156 in process_nested_data (rval=0x80163bef0, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0, 
    ht=0x80163c1f0, elements=9) at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:275
        key = (zval *) 0x80163c328
        data = (zval *) 0x80163c478
        old_data = (zval **) 0x77bc58
#5  0x000000000053c7c7 in php_var_unserialize (rval=0x80163bef0, p=0x7fffffffc888, max=0x80481553b "", var_hash=0x0)
    at /usr/ports/lang/php5/work/php-5.3.6/ext/standard/var_unserializer.c:713
        elements = 10
        yych = 123 '{'
        cursor = (
    const unsigned char *) 0x80481531f "i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"O"...
        limit = (
    const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"...
        marker = (
    const unsigned char *) 0x80481531a ":10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O"...
        start = (
---Type <return> to continue, or q <return> to quit---
    const unsigned char *) 0x804815319 "a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";"...
        rval_ref = (zval **) 0x78
        yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#6  0x000000000049dc43 in spl_array_unserialize_helper (intern=0x80163bed8, 
    buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552, 
    var_hash_p=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_array.c:1763
        p = (
    const unsigned char *) 0x804815353 "}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:4;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\""...
        s = (
    const unsigned char *) 0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"...
        pmembers = (zval *) 0x72a008dc400
        pflags = (zval *) 0x80163c328
        flags = 0
#7  0x000000000049e084 in spl_array_unserialize (object=0x7fffffffcbe8, ce=0x801632fc8, 
    buf=0x804815313 "x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage\":1:{s:7:\"sto"..., buf_len=552, 
    data=0x0) at /usr/ports/lang/php5/work/php-5.3.6/ext/spl/spl_array.c:1852
        intern = (spl_array_object *) 0x80163bed8
#8  0x0000000803ef1d58 in igbinary_unserialize_object_ser (igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8, 
    ce=0x801632fc8) at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1757
        n = 552
#9  0x0000000803ef1a07 in igbinary_unserialize_object (igsd=0x7fffffffcb20, t=igbinary_type_object_ser16, z=0x7fffffffcbe8)
    at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1884
        ce = (zend_class_entry *) 0x801632fc8
        pce = (zend_class_entry **) 0x804880a78
        h = (zval *) 0x0
        f = {value = {lval = 140737488341576, dval = 6.9533558071555652e-310, str = {val = 0x7fffffffca48 "(»c\001\b", 
      len = -13776}, ht = 0x7fffffffca48, obj = {handle = 4294953544, handlers = 0x7fffffffca30}}, refcount__gc = 4294953648, 
  type = 0 '\0', is_ref__gc = 0 '\0'}
        name = 0x804815306 "Collection\036\002(x:i:0;a:10:{i:0;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:1;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:2;O:7:\"Storage\":1:{s:7:\"storage\";O:6:\"Object\":0:{}}i:3;O:7:\"Storage"...
        name_len = 10
        r = 45
        incomplete_class = false
        user_func = (zval *) 0x98
        retval_ptr = (zval *) 0x80163ba90
        args = {0x80160a300}
        arg_func_name = (zval *) 0x40
#10 0x0000000803ef0e7a in igbinary_unserialize_zval (igsd=0x7fffffffcb20, z=0x7fffffffcbe8)
    at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:1999
        t = igbinary_type_object8
        tmp_long = 140737488341744
        tmp_double = 6.9533558071662371e-310
        tmp_chararray = 0x803ef4278 "/usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c"
        tmp_size_t = 5450313498624
#11 0x0000000803eee705 in igbinary_unserialize (buf=0x804815300 "", buf_len=571, z=0x7fffffffcbe8)
    at /usr/ports/converters/igbinary/work/igbinary-1.1.1/igbinary.c:363
        igsd = {buffer = 0x804815300 "", buffer_size = 571, buffer_offset = 19, strings = 0x80163bae0, strings_count = 1, 
  strings_capacity = 4, references = 0x80163b6f8, references_count = 1, references_capacity = 4, error = 0, string0_buf = {
    c = 0x0, len = 0, a = 0}}
#12 0x000000080423f3f8 in php_memc_zval_from_payload (value=0x801631630, payload=0x804815300 "", payload_len=571, flags=5, 
    serializer=SERIALIZER_IGBINARY) at /root/php-memcached/php_memcached.c:2719
        payload_emalloc = 0 '\0'
        buffer = 0x0
#13 0x0000000804238381 in php_memc_get_impl (ht=1, return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600, 
    return_value_used=1, by_key=0 '\0') at /root/php-memcached/php_memcached.c:625
        rc = 0
        return_value_set = 0 '\0'
        key = 0x80163b810 "foobar"
        key_len = 6
        server_key = 0x0
        server_key_len = 0
        payload = 0x804815300 ""
        payload_len = 571
---Type <return> to continue, or q <return> to quit---
        flags = 5
        cas = 0
        keys = {0x80163b810 "foobar"}
        key_lens = {6}
        cas_token = (zval *) 0x0
        fci = {size = 0, function_table = 0x0, function_name = 0x0, symbol_table = 0x0, retval_ptr_ptr = 0x0, param_count = 0, 
  params = 0x0, object_ptr = 0x0, no_separation = 0 '\0'}
        fcc = {initialized = 0 '\0', function_handler = 0x0, calling_scope = 0x0, called_scope = 0x0, object_ptr = 0x0}
        result = {item_flags = 4294954352, item_expiration = 16, key_length = 140737488342384, item_cas = 6268759, 
  root = 0x80163ba90, value = {end = 0x80160a300 "\001", string = 0x1a520 <Address 0x1a520 out of bounds>, current_size = 16, 
    root = 0x80160aa18, options = {is_allocated = true, is_initialized = false}}, 
  item_key = "Ⱥc\001\b\000\000\000\001\000\000\000Üø\022sð\217y\000\000\000\000\000\000\020#\004»\001\000\000h~y\000\000\000\000\000\220Õ_\000\001\000\000\000\020¸c\001\b\000\000\000\000£`\001\b\000\000\000À·c\001\b", '\0' <repeats 15 times>, "\001\000\000\000Ž_\000\000\000\000\000p½c\001\b\000\000\000\001\000\000\000Üø\022sh~y\000\000\000\000\000°¿c\001>\001\000\000ÐÐy\000\000\000\000\000`\205\210\004\001\000\000\0000\026c\001\b\000\000\000Ž_\000\000\000\000\000à\025c\001\b\000\000\000\001\000\000\000Üø\022sh~y\000\000\000\000\000JÊ_\000\000\000\000\000\220Ðy\000\000\000\000\000`\000\000\000\000"..., options = {is_allocated = false, 
    is_initialized = false}}
        status = MEMCACHED_SUCCESS
        object = (zval *) 0x80162e600
        i_obj = (php_memc_t *) 0x801634410
        m_obj = (struct memc_obj *) 0x801638070
#14 0x0000000804237c0b in zim_Memcached_get (ht=1, return_value=0x801631630, return_value_ptr=0x0, this_ptr=0x80162e600, 
    return_value_used=1) at /root/php-memcached/php_memcached.c:465
No locals.
#15 0x000000000065ba1c in zend_do_fcall_common_helper_SPEC (execute_data=0x804888080) at zend_vm_execute.h:316
        opline = (zend_op *) 0x801630ce0
        should_change_scope = 1 '\001'
#16 0x000000000065c9c5 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x804888080) at zend_vm_execute.h:421
No locals.
#17 0x000000000065a9ea in execute (op_array=0x801634540) at zend_vm_execute.h:107
        ret = 0
        execute_data = (zend_execute_data *) 0x804888080
        nested = 1 '\001'
        original_in_execution = 0 '\0'
#18 0x000000000062745d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/ports/lang/php5/work/php-5.3.6/Zend/zend.c:1194
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffd270, reg_save_area = 0x7fffffffd1b0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffffffea20
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
#19 0x00000000005a7712 in php_execute_script (primary_file=0x7fffffffea20) at /usr/ports/lang/php5/work/php-5.3.6/main/main.c:2268
        realfile = "/www/ch9/test.php\000\000\000\002\000\000\000pïb\001\b\000\000\000pïb\001\b\000\000\000\002\000\000\000\001\000\000\000`ðb\001\b\000\000\000\200Û\215\000\003\000\000\000@ãÿÿÿ\177\000\000\177®c\000\000\000\000\000pïb\001\b\000\000\000\020\000\000\000\002\000\000\000pïb\001\b", '\0' <repeats 11 times>, "8\230x\000\000\000\000\000ð\000\000\000\003\000\000\000ðãÿÿÿ\177\000\000d\032\\\000\000\000\000\000 ª`\001\000\000\000\000\026", '\0' <repeats 15 times>, "\230x\002\000\000\000\000\000pïb\001\b\000\000\000pïb\001\b\000\000\000p\233w\000\000\000\000\000 ïb\001d\001"...
        __orig_bailout = (sigjmp_buf *) 0x7fffffffe980
        __bailout = {{_sjb = {5928021, 2, 140737488343656, 140737488349280, 140737488350208, 140737488350184, 0, 0, 34382807679, 
      6365355, 140737488349008, 0}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, 
      fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, 
      fsizer = 0, closer = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffffffd290 ""
        use_heap = 0 '\0'
        retval = 0
#20 0x000000000071b74a in main (argc=2, argv=0x7fffffffebe8) at /usr/ports/lang/php5/work/php-5.3.6/sapi/cli/php_cli.c:1193
        __orig_bailout = (sigjmp_buf *) 0x0
        __bailout = {{_sjb = {7449865, 2, 140737488349288, 140737488350096, 140737488350208, 140737488350184, 0, 0, 34368979839, 
      34369030656, 34369031168, 34359738368}}}
        exit_status = 0
        c = -1
        file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x7fffffffee2c "test.php", opened_path = 0x0, handle = {
    fd = 23262976, fp = 0x80162f700, stream = {handle = 0x80162f700, isatty = 0, mmap = {len = 1060, pos = 0, map = 0x8008f4000, 
        buf = 0x8008f4000 <Address 0x8008f4000 out of bounds>, old_handle = 0x801505c20, 
        old_closer = 0x643b30 <zend_stream_stdio_closer>}, reader = 0x643b00 <zend_stream_stdio_reader>, 
---Type <return> to continue, or q <return> to quit---
      fsizer = 0x643b70 <zend_stream_stdio_fsizer>, closer = 0x643cd0 <zend_stream_mmap_closer>}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffffffee2c "test.php"
        arg_excp = (char **) 0x7fffffffebf0
        script_file = 0x7fffffffee2c "test.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110

History

 [2011-05-05 09:50 UTC] aleksey dot v dot korzun at gmail dot com
Possibly resolved in http://svn.php.net/viewvc?view=revision&revision=265477; will test.
 [2011-05-06 21:42 UTC] aleksey dot v dot korzun at gmail dot com
-Status: Open +Status: Closed
 [2011-05-06 21:42 UTC] aleksey dot v dot korzun at gmail dot com
Closing this issue. It turned out to be a fault within the IgBinary extension, resolved in the -dev build.

See: http://alekseykorzun.com/post/5249986502/igbinary-nested-objects-crash-fixed
 