Bug #58233 Crash due to ops->prototype not being set [PATCH]
Submitted: 2008-06-13 00:44 UTC Modified: 2009-01-22 11:21 UTC
From: tstarling at wikimedia dot org Assigned:
Status: Closed Package: parsekit (PECL)
PHP Version: 5.2.5 OS: Linux
Private report: No CVE-ID: None
 [2008-06-13 00:44 UTC] tstarling at wikimedia dot org
Description:
------------
In PHP 5.2.6 (not selected above because it wasn't in the list), parsekit tries to read memory pointed to by an uninitialised memory location, and so crashes if the history of the application is such that that location contains an invalid address.

ops->prototype is not set by init_op_array(), it is only set by zend_do_begin_function_declaration(), so for file-level or eval'd code, this member is invalid.

ops->function_name is set to null by init_op_array(), and to the function name by zend_do_begin_function_declaration(), so the following hack fixes the problem:

Index: parsekit.c
===================================================================
RCS file: /repository/pecl/parsekit/parsekit.c,v
retrieving revision 1.20
diff -u -r1.20 parsekit.c
--- parsekit.c	31 Mar 2008 10:03:54 -0000	1.20
+++ parsekit.c	13 Jun 2008 04:32:12 -0000
@@ -267,7 +267,7 @@
 		add_assoc_null(return_value, "scope");
 	}
 	add_assoc_long(return_value, "fn_flags", ops->fn_flags);
-	if (ops->prototype) {
+	if (ops->function_name && ops->prototype) {
 		MAKE_STD_ZVAL(tmpzval);
 		array_init(tmpzval);
 		add_assoc_long(tmpzval, "type", ops->prototype->type);
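Review bot: the new guard `if (ops->function_name && ops->prototype)` relies on an invariant that nothing in the hunk documents: function_name is NULL for file-level and eval'd code (set by init_op_array()) and non-NULL only once zend_do_begin_function_declaration() has run, which is also the only place prototype is assigned. Add a comment on that line saying so, otherwise the extra test looks redundant and is likely to be removed later. Note also that the change only stops parsekit from dereferencing the stale pointer; ops->prototype is still left uninitialised by the engine for such op_arrays, so any other code in parsekit that reads prototype needs the same guard.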

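A cut-down model of the mechanism the report describes, added here as an illustration and not part of parsekit or the Zend engine: the structs, init_op_array(), begin_function_declaration() and the "reads_prototype" helpers are hypothetical stand-ins, and the stale buffer contents are constructed with memset rather than left to chance.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the Zend structures discussed in the report;
 * not the real zend_op_array / zend_function definitions. */
typedef struct { int type; } proto_t;
typedef struct {
    const char *function_name; /* NULL for file-level or eval'd code */
    proto_t    *prototype;     /* never written by init_op_array() */
} op_array_t;

/* Mirrors the report: init_op_array() clears function_name but leaves
 * prototype holding whatever the memory contained before. */
static void init_op_array(op_array_t *ops) { ops->function_name = NULL; }

/* Mirrors zend_do_begin_function_declaration(): sets both members. */
static void begin_function_declaration(op_array_t *ops, const char *name,
                                       proto_t *proto) {
    ops->function_name = name;
    ops->prototype = proto;
}

/* Unpatched parsekit check: trusts ops->prototype unconditionally.
 * Returns true when the code would go on to dereference the pointer. */
static bool unpatched_reads_prototype(const op_array_t *ops) {
    return ops->prototype != NULL;
}

/* Patched check from the hunk: only trust prototype once function_name
 * shows the op_array came from a function declaration. */
static bool patched_reads_prototype(const op_array_t *ops) {
    return ops->function_name && ops->prototype;
}

/* What the patched code would export as "type", or -1 when unavailable. */
static int patched_prototype_type(const op_array_t *ops) {
    return patched_reads_prototype(ops) ? ops->prototype->type : -1;
}

/* Constructed scenario: a buffer that still holds a stale, invalid pointer
 * is reused to compile file-level code, as in the reproduction script. */
static void simulate_stale_file_level(op_array_t *ops) {
    memset(ops, 0xA5, sizeof *ops); /* stale bytes from an earlier use */
    init_op_array(ops);             /* file-level code: prototype untouched */
}
```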


 [2008-11-12 09:41 UTC] sean@php.net
Can you please provide a script that causes this crash?

S
 [2008-11-12 16:30 UTC] tstarling at wikimedia dot org
<?php
// Compile file-level code repeatedly: init_op_array() never sets
// ops->prototype for such op_arrays, so the stale value left in memory
// eventually points at an invalid address and parsekit crashes.
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
parsekit_compile_string('foo();');
?>

Works for me. Just about any string will trigger the bug. BTW can I have maintainership? Five months is a long time for a one-line fix.
 [2009-01-22 11:21 UTC] sb at sebastian-bergmann dot de
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun May 26 11:01:26 2019 UTC