Bug #58894 Empty string as a parameter causes seg fault
Submitted: 2009-10-14 07:20 UTC Modified: 2010-02-22 13:03 UTC
From: toorion at gmail dot com Assigned: crobin (profile)
Status: Closed Package: spidermonkey (PECL)
PHP Version: 5_3 SVN-2009-10-14 (dev) OS: freebsd
Private report: No CVE-ID: None
 [2009-10-14 07:20 UTC] toorion at gmail dot com
Description:
------------
When I use an empty string parameter "" or '' for a function in JavaScript, on an object assigned from a PHP class, it causes segmentation fault 11.

Reproduce code:
---------------
<?php
class myClass
{
   public function test( $str )
   {
      // any code
      echo 'TestWrite';
   }
}

$myclass = new myClass();

// expose the PHP object to the JavaScript context
$js = new JSContext();
$js->assign("myclass", $myclass);

// calling the method with an empty string argument crashes the process
$js->evaluateScript( 'myclass.test("")' );

Actual result:
--------------
If I set $js->evaluateScript( 'myclass.test("123")' ); everything works fine, but with just "" a Segmentation fault: 11 appears.

 [2009-10-27 10:15 UTC] drslump at pollinimini dot net
The following use case also fails with either a "Bus Error (10)" or a "Segmentation fault (11)".

Reproduce code:
---------------
<?php
$js = new JsContext();
$result = $js->evaluateScript("''");
// Note that the error only triggers when accessing the PHP variable
var_dump($result);

It seems that there is an error in spidermonkey.c:296:

/* then we retrieve the pointer to the string */
char *txt = JS_GetStringBytes(str);
RETVAL_STRING(txt, strlen(txt));

The signature for RETVAL_STRING is RETVAL_STRING(string, duplicate), so for an empty string strlen(txt) is 0, which indicates not to create a copy of the string. Perhaps change it to:

RETVAL_STRINGL(txt, strlen(txt), true)

or:

if (strlen(txt)) {
  RETVAL_STRING(txt, true);
} else {
  RETVAL_EMPTY_STRING;
}

I'll try to apply those changes and report back.
 [2009-10-27 10:26 UTC] drslump at pollinimini dot net
Good news!

I applied the changes indicated above and the bug with empty strings seems to be gone :)

Note that I haven't done anything in C in years so please check that I've got it right.

Index: spidermonkey.c
===================================================================
--- spidermonkey.c	(revision 53)
+++ spidermonkey.c	(working copy)
@@ -293,7 +293,12 @@
 		{
 			/* then we retrieve the pointer to the string */
 			char *txt = JS_GetStringBytes(str);
-			RETVAL_STRING(txt, strlen(txt));
+			int len = strlen(txt);
+			if (len) {
+			    RETVAL_STRINGL(txt, len, true);
+			} else {
+			    RETVAL_EMPTY_STRING();
+			}
 		}
 		else
 		{
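Review bot: `true` in the added `RETVAL_STRINGL(txt, len, true);` line is not a defined identifier in plain C unless `<stdbool.h>` is included, so this hunk does not compile as posted (the follow-up in this thread hits exactly that error); write the flag as `1`, and declare `len` as `size_t` rather than `int` since that is what `strlen()` returns. The ownership fix itself is correct: the removed line passed `strlen(txt)` where RETVAL_STRING expects a duplicate flag, so an empty string (length 0) made the zval adopt SpiderMonkey's buffer and free it later, whereas duplicating unconditionally and using `RETVAL_EMPTY_STRING()` for the empty case means the engine only ever frees memory it allocated itself.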
 [2009-10-30 13:39 UTC] scottsteffens at gmail dot com
drslump: I get the following error when I try to compile your final changes:
/path/spidermonkey/spidermonkey.c: In function 'jsval_to_zval':
/path/spidermonkey/spidermonkey.c: error: 'true' undeclared (first use in this function)

However, when I change your:
RETVAL_STRINGL(txt, len, true);
to:
RETVAL_STRINGL(txt, len, 1);

...it works, and the original poster's empty space segfault goes away, as well as several others I've tested. I don't understand C, so someone else can tell me if this causes other problems.
 [2010-02-22 13:03 UTC] c dot robin at smartphp dot org
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Nov 28 20:01:24 2020 UTC