php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #60042 spl_autoload_call may manipulate a dangling pointer
Submitted: 2011-10-11 17:03 UTC Modified: 2011-10-12 12:55 UTC
From: tom at punkave dot com Assigned: felipe (profile)
Status: Closed Package: SPL related
PHP Version: 5.3.8 OS: Any
Private report: No CVE-ID: None
View Developer Edit
 [2011-10-11 17:03 UTC] tom at punkave dot com 
Description:
------------
spl_autoload_call initializes retval to null at the start of the function, but 
does not reinitialize it to null after destroying the return value of each 
autoloader call. As a result, if a subsequent autoloader call does not have any 
return value, then the old dangling pointer is used, resulting in a null pointer 
reference and a segmentation fault, bus error or other entertaining symptom 
depending on the time of day.

Many common autoloaders, such as the Symfony autoloaders, always return true or 
false depending on whether they load a class, even though the documentation for 
spl_autoload_register does not call for this at all. This is probably because 
the developers learned the hard way that autoloaders won't play nice together 
unless they return something due to this bug.

A good example of an autoloader that does trigger this bug is the one provided 
with the Amazon AWS standard library for PHP. Their implementation does not 
return a value, so PHP segfaults (or similar) if it is later in the chain of 
autoloaders.

This bug can be fixed as follows:

if (retval) {
  zval_ptr_dtor(&retval);
}

Becomes:

if (retval) {
  zval_ptr_dtor(&retval);
  retval = NULL;
}

Patch attached.


Expected result:
----------------
Multiple autoloaders play nice.

Actual result:
--------------
If an autoloader other than the first one has no return value a PHP crash takes 
place due to a dangling pointer to a destroyed value.

Patches

clear_retval_between_autoloaders (last revision 2011-10-11 17:03 UTC by tom at punkave dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-10-11 21:04 UTC] tom at punkave dot com
-Summary: spl_autoload_call crashes with multiple autoloaders if some return nothing +Summary: spl_autoload_call may manipulate a dangling poitner
 [2011-10-11 21:04 UTC] tom at punkave dot com 
Edit: I determined that this was not causing my segmentation faults. However it 
still may be a bug. I've read the _zval_ptr_dtor source code and although it is 
passed the address of the zval rather than the zval itself it doesn't appear to 
use this opportunity to null it out. Can anyone clarify whether 
zval_ptr_dtor(&retval) actually nulls out retval before closing this?
 [2011-10-11 21:05 UTC] tom at punkave dot com
-Summary: spl_autoload_call may manipulate a dangling poitner +Summary: spl_autoload_call may manipulate a dangling pointer
 [2011-10-11 21:05 UTC] tom at punkave dot com 
Fixed typo
 [2011-10-11 22:12 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2011-10-11 22:12 UTC] felipe@php.net 
The retval variable doesn't need to be set to NULL there. The pointer only live in the current scope and it isn't used after zval_ptr_dtor. 

Thanks.
 [2011-10-12 00:28 UTC] tom at punkave dot com 
But there's a while loop, and if there are multiple iterations through the loop 
and one of them doesn't change retval then the same value is destroyed more than 
once, isn't it? That's bad, right?
 [2011-10-12 00:59 UTC] felipe@php.net
-Status: Bogus +Status: Open
 [2011-10-12 00:59 UTC] felipe@php.net 
Ah, right. I didn't see the loop.
 [2011-10-12 01:02 UTC] felipe@php.net 
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=318040
Log: - Fixed bug #60042 (spl_autoload_call may manipulate a dangling pointer)
  patch by: tom at punkave dot com
 [2011-10-12 01:02 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2011-10-12 01:02 UTC] felipe@php.net 
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

;)
 [2011-10-12 12:55 UTC] tom at punkave dot com 
Thanks for hitting it so quickly!
 [2012-04-18 09:48 UTC] laruence@php.net 
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=261353382f2b38e4dce535c9a2560c2fd80f5171
Log: - Fixed bug #60042 (spl_autoload_call may manipulate a dangling pointer)   patch by: tom at punkave dot com
 [2012-07-24 23:39 UTC] rasmus@php.net 
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=261353382f2b38e4dce535c9a2560c2fd80f5171
Log: - Fixed bug #60042 (spl_autoload_call may manipulate a dangling pointer)   patch by: tom at punkave dot com
 [2013-11-17 09:36 UTC] laruence@php.net 
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=261353382f2b38e4dce535c9a2560c2fd80f5171
Log: - Fixed bug #60042 (spl_autoload_call may manipulate a dangling pointer)   patch by: tom at punkave dot com
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Nov 17 01:00:01 2025 UTC