Bug #56572 Heap corruption caused by runkit_method_rename
Submitted: 2005-10-02 23:41 UTC Modified: 2005-10-31 16:45 UTC
From: skissane at gmail dot com Assigned:
Status: Closed Package: runkit (PECL)
PHP Version: 5.0.3 OS: Linux
Private report: No CVE-ID: None
 [2005-10-02 23:41 UTC] skissane at gmail dot com
Description:
------------
using php 5.0.5 & runkit 0.5
runkit_method_rename somehow causes heap corruption in the zend opcode array. In the context of a complex script, this corruption can cause PHP to segfault during request shutdown. (My reproduce script below has been simplified to the point that while the heap corruption still occurs, PHP doesn't segfault.)

Strangely, the behaviour appears to be influenced by the length of the class/method names in question: replacing the long names in the script below with very short ones (A, B, C, etc.) results in no memory leak message.

Reproduce code:
---------------
<?php
// The method lives on the parent; the child only inherits it.
class LongEnoughName {
    function ThisIsALongEnoughName() { }
}
class LongEnoughNameForBugToHappen extends LongEnoughName {
}
// Rename the inherited method on the child, not on the class that declares it.
runkit_method_rename('LongEnoughNameForBugToHappen',
    'ThisIsALongEnoughName', 'EvenLongerThisIsALongEnoughName');


Expected result:
----------------
No memory leak messages

Actual result:
--------------
---------------------------------------
/home/skissane/unpacked/php-5.0.5/Zend/zend_opcode.c(227) : Block 0x08A9F7A0 status:
Beginning:      Cached (allocated on Zend/zend_language_scanner.c:4661, 22 bytes)
      End:      OK
---------------------------------------
/home/skissane/unpacked/runkit-0.5/runkit_methods.c(503) :  Freeing 0x08A8C984 (33 bytes), script=simple.php
=== Total 1 memory leaks detected ===
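The report above renames a method that the child class only inherits from its parent. A check a practitioner can run alongside that repro, to see whether the rename leaks into the parent's method table or leaves a dangling entry on the child, is the following PHP script. It is an added example, not code from the bug report or from runkit; it assumes the runkit extension is loaded and that runkit_method_rename() returns true on success, and the class names used are made up for the check.

```php
<?php
// Added check (not from the bug report or runkit): confirm that renaming an
// inherited method on the child leaves the parent's method table untouched
// and that only the child's method table changes, then call through both
// classes so the function entries backing the rename are actually exercised.
// Assumes the runkit extension is loaded; class names below are invented.

class BaseWithLongEnoughName {
    function ThisIsALongEnoughName() { return 'parent'; }
}
class ChildWithLongEnoughNameForCheck extends BaseWithLongEnoughName {
}

// Snapshot a class's method list in a canonical form. Names are lower-cased
// because PHP resolves method names case-insensitively.
function methods_of($class) {
    $m = array_map('strtolower', get_class_methods($class));
    sort($m);
    return $m;
}

$parent_before = methods_of('BaseWithLongEnoughName');
$child_before  = methods_of('ChildWithLongEnoughNameForCheck');

$ok = runkit_method_rename('ChildWithLongEnoughNameForCheck',
                           'ThisIsALongEnoughName',
                           'EvenLongerThisIsALongEnoughName');
if (!$ok) {
    echo "runkit_method_rename failed\n";
    exit(1);
}

$parent_after = methods_of('BaseWithLongEnoughName');
$child_after  = methods_of('ChildWithLongEnoughNameForCheck');

$problems = array();
if ($parent_before !== $parent_after) {
    $problems[] = 'parent method table changed: ' . implode(',', $parent_after);
}
if (method_exists('ChildWithLongEnoughNameForCheck', 'ThisIsALongEnoughName')) {
    $problems[] = 'old name still resolvable on child';
}
if (!method_exists('ChildWithLongEnoughNameForCheck', 'EvenLongerThisIsALongEnoughName')) {
    $problems[] = 'new name not resolvable on child';
}

// Calling the method through both classes touches the function entries whose
// backing memory is at stake. Run this under a --enable-debug PHP build or
// valgrind so a freed block is reported instead of being silently reused.
$p = new BaseWithLongEnoughName();
$c = new ChildWithLongEnoughNameForCheck();
if ($p->ThisIsALongEnoughName() !== 'parent') {
    $problems[] = 'parent method no longer callable';
}
if ($c->EvenLongerThisIsALongEnoughName() !== 'parent') {
    $problems[] = 'renamed child method does not run the inherited body';
}

echo $problems ? implode("\n", $problems) . "\n" : "method tables consistent\n";
exit($problems ? 1 : 0);
```

Run it once with the long names shown and once with one-letter class and method names, as the reporter did, and compare the debug build's shutdown output between the two runs; the script's own checks only cover what is visible from PHP, so a silent heap corruption still needs the debug allocator or valgrind to surface.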


 [2005-10-31 16:45 UTC] pollita@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Fixed in Release 0.7
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat May 08 19:01:24 2021 UTC