Bug #57416 Buffer overflow in runkit_method_rename()
Submitted: 2006-12-05 12:06 UTC Modified: 2013-02-26 04:31 UTC
From: anter at voliacable dot com Assigned: pollita (profile)
Status: Closed Package: runkit (PECL)
PHP Version: 5.1.6 OS: Windows XP Pro SP2
Private report: No CVE-ID: None
 [2006-12-05 12:06 UTC] anter at voliacable dot com
Description:
------------
When the third parameter of runkit_method_rename() is longer than 14 characters, Apache may crash.

It is a pity that you do not give enough time to runkit. The thing is that this extension is of great importance for PHP. Runkit makes it possible to implement support for Aspect-Oriented Programming. I hope you will be interested in this application of your work, and that you can give it a little more time.

Reproduce code:
---------------
<?php
// Returns the names of all methods (own and inherited) of the given class.
function getClassMethods($class)
{
    $methods = array();
    $class = new ReflectionClass($class);
    foreach ($class->getMethods() as $method) {
        array_push($methods, $method->getName());
    }
    return $methods;
}

class Ancestor
{
    public function __construct(){}
}

class Descendant extends Ancestor
{
    public function someMethod(){}
}

class AnotherDescendant extends Ancestor
{
    public function anotherMethod(){}
}

// The new name is 15 characters long (more than 14), which triggers the bug.
runkit_method_rename('Descendant', '__construct', 'abcdefghmnoprst');
print_r(getClassMethods('Descendant'));
print_r(getClassMethods('AnotherDescendant'));

Expected result:
----------------
Array
(
    [0] => someMethod
    [1] => abcdefghmnoprst
)
Array
(
    [0] => anotherMethod
    [1] => abcdefghmnoprst
)

Actual result:
--------------
Array
(
    [0] => someMethod
    [1] => abcdefghmnoprst
)
Array
(
    [0] => anotherMethod
    [1] => [abracadabra or crash of Apache]
)

 [2013-02-26 04:31 UTC] pollita@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: pollita
 [2013-02-26 04:31 UTC] pollita@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

This seems to have been resolved by earlier fixes (apart from your expected 
output not being quite right since AnotherAncestor should remain unaffected), so 
I'd try a newer git revision.
 
Last updated: Tue Mar 19 02:01:28 2024 UTC