Bug #60042 spl_autoload_call may manipulate a dangling pointer
Submitted: 2011-10-11 17:03 UTC Modified: 2011-10-12 12:55 UTC
From: tom at punkave dot com Assigned: felipe
Status: Closed Package: SPL related
PHP Version: 5.3.8 OS: Any
Private report: No CVE-ID:
 [2011-10-11 17:03 UTC] tom at punkave dot com
Description:
------------
spl_autoload_call initializes retval to null at the start of the function, but 
does not reinitialize it to null after destroying the return value of each 
autoloader call. As a result, if a subsequent autoloader call does not have any 
return value, then the old dangling pointer is used, resulting in a null pointer 
reference and a segmentation fault, bus error or other entertaining symptom 
depending on the time of day.

Many common autoloaders, such as the Symfony autoloaders, always return true or 
false depending on whether they load a class, even though the documentation for 
spl_autoload_register does not call for this at all. This is probably because 
the developers learned the hard way that autoloaders won't play nice together 
unless they return something due to this bug.

A good example of an autoloader that does trigger this bug is the one provided 
with the Amazon AWS standard library for PHP. Their implementation does not 
return a value, so PHP segfaults (or similar) if it is later in the chain of 
autoloaders.

This bug can be fixed as follows:

if (retval) {
  zval_ptr_dtor(&retval);
}

Becomes:

if (retval) {
  zval_ptr_dtor(&retval);
  retval = NULL;
}

Patch attached.


Expected result:
----------------
Multiple autoloaders play nice.

Actual result:
--------------
If an autoloader other than the first one has no return value a PHP crash takes 
place due to a dangling pointer to a destroyed value.
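The report's mechanism can be reproduced outside the PHP engine with a small refcount simulation. This is an added example, not code from the report or from php-src: the zval struct, pool, and sim_* helpers are constructed stand-ins, and the autoloader call is modelled exactly as the report describes it (a loader that returns nothing leaves retval untouched). The run_autoload_chain function is the loop from the report, with the one-line fix switchable.

```c
#include <string.h>

/* Constructed stand-in for a refcounted zval (not PHP's real struct). */
typedef struct { int refcount; int freed; } zval;

/* A fixed pool lets the simulation observe a dtor on an already-destroyed
 * value instead of performing a real use-after-free. */
#define POOL 8
static zval pool[POOL];
static int pool_used;
static int double_dtor;   /* dtor calls on an already-destroyed zval */

static void reset_pool(void) { memset(pool, 0, sizeof pool); pool_used = 0; double_dtor = 0; }

/* Models zval_ptr_dtor(): drop one reference, destroy at zero. Like the real
 * macro, it never writes to the caller's pointer variable. */
static void sim_zval_ptr_dtor(zval **pz) {
    zval *z = *pz;
    if (z->freed) { double_dtor++; return; }
    if (--z->refcount == 0) z->freed = 1;
}

/* One autoloader call as the report describes it: a loader that returns a
 * value stores a fresh zval in *retval; one that returns nothing leaves
 * *retval untouched. */
static void sim_call_autoloader(int returns_value, zval **retval) {
    if (returns_value && pool_used < POOL) {
        pool[pool_used].refcount = 1;
        *retval = &pool[pool_used++];
    }
}

/* The spl_autoload_call loop from the report; fixed != 0 applies the patch.
 * Returns how many times an already-destroyed value was destroyed again. */
static int run_autoload_chain(const int *returns_value, int n, int fixed) {
    zval *retval = NULL;
    reset_pool();
    for (int i = 0; i < n; i++) {
        sim_call_autoloader(returns_value[i], &retval);
        if (retval) {
            sim_zval_ptr_dtor(&retval);
            if (fixed) retval = NULL;   /* the one-line fix from the report */
        }
    }
    return double_dtor;
}
```

With the constructed chain {1, 0, 1, 0, 0} (returns, nothing, returns, nothing, nothing), the unpatched loop destroys an already-destroyed value three times, the patched loop never.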

Patches

clear_retval_between_autoloaders (last revision 2011-10-11 17:03 UTC) by tom at punkave dot com


History

 [2011-10-11 21:04 UTC] tom at punkave dot com
-Summary: spl_autoload_call crashes with multiple autoloaders if some return nothing +Summary: spl_autoload_call may manipulate a dangling poitner
 [2011-10-11 21:04 UTC] tom at punkave dot com
Edit: I determined that this was not causing my segmentation faults. However it 
still may be a bug. I've read the _zval_ptr_dtor source code and although it is 
passed the address of the zval rather than the zval itself it doesn't appear to 
use this opportunity to null it out. Can anyone clarify whether 
zval_ptr_dtor(&retval) actually nulls out retval before closing this?
 [2011-10-11 21:05 UTC] tom at punkave dot com
-Summary: spl_autoload_call may manipulate a dangling poitner +Summary: spl_autoload_call may manipulate a dangling pointer
 [2011-10-11 21:05 UTC] tom at punkave dot com
Fixed typo
 [2011-10-11 22:12 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2011-10-11 22:12 UTC] felipe@php.net
The retval variable doesn't need to be set to NULL there. The pointer only lives in the current scope and it isn't used after zval_ptr_dtor.

Thanks.
 [2011-10-12 00:28 UTC] tom at punkave dot com
But there's a while loop, and if there are multiple iterations through the loop 
and one of them doesn't change retval then the same value is destroyed more than 
once, isn't it? That's bad, right?
 [2011-10-12 00:59 UTC] felipe@php.net
-Status: Bogus +Status: Open
 [2011-10-12 00:59 UTC] felipe@php.net
Ah, right. I didn't see the loop.
 [2011-10-12 01:02 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=318040
Log: - Fixed bug #60042 (spl_autoload_call may manipulate a dangling pointer)
  patch by: tom at punkave dot com
 [2011-10-12 01:02 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2011-10-12 01:02 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

;)
 [2011-10-12 12:55 UTC] tom at punkave dot com
Thanks for hitting it so quickly!
 [2012-04-18 09:48 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=261353382f2b38e4dce535c9a2560c2fd80f5171
Log: - Fixed bug #60042 (spl_autoload_call may manipulate a dangling pointer)   patch by: tom at punkave dot com
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 07:02:14 2014 UTC