Bug #56572 Heap corruption caused by runkit_method_rename
Submitted: 2005-10-02 23:41 UTC Modified: 2005-10-31 16:45 UTC
From: skissane at gmail dot com Assigned:
Status: Closed Package: runkit (PECL)
PHP Version: 5.0.3 OS: Linux
Private report: No CVE-ID: None
 [2005-10-02 23:41 UTC] skissane at gmail dot com
Description:
------------
Using PHP 5.0.5 & runkit 0.5
runkit_method_rename somehow causes heap corruption in the zend opcode array. In the context of a complex script, this corruption can cause PHP to segfault during request shutdown. (My reproduce script below has been simplified to the point that while the heap corruption still occurs, PHP doesn't segfault.)

Strangely, the behaviour appears to be influenced by the length of the class/method names in question: substituting the long names in the script below for very short ones (A, B, C, etc.) results in no memory leak message.

Reproduce code:
---------------
<?php
// Reproduce script: a parent class defines a method, a child class inherits it
// unchanged, and the inherited method is then renamed on the child class.
// (Short open tag replaced with <?php so the script runs regardless of the
// short_open_tag setting; the original submission used "<?".)
class LongEnoughName {
    function ThisIsALongEnoughName() { }
}

class LongEnoughNameForBugToHappen extends LongEnoughName {
}

runkit_method_rename('LongEnoughNameForBugToHappen',
    'ThisIsALongEnoughName', 'EvenLongerThisIsALongEnoughName');


Expected result:
----------------
No memory leak messages

Actual result:
--------------
---------------------------------------
/home/skissane/unpacked/php-5.0.5/Zend/zend_opcode.c(227) : Block 0x08A9F7A0 status:
Beginning:      Cached (allocated on Zend/zend_language_scanner.c:4661, 22 bytes)
      End:      OK
---------------------------------------
/home/skissane/unpacked/runkit-0.5/runkit_methods.c(503) :  Freeing 0x08A8C984 (33 bytes), script=simple.php
=== Total 1 memory leaks detected ===


 [2005-10-31 16:45 UTC] pollita@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Fixed in Release 0.7
Last updated: Sat Aug 13 16:05:46 2022 UTC