Bug #60216 Use page_files to dynamically define a function name results in crash
Submitted: 2011-11-04 03:06 UTC Modified: 2011-11-04 03:30 UTC
From: contact at nullivex dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.3.8 OS: debian 6.0.3
Private report: No CVE-ID:
 [2011-11-04 03:06 UTC] contact at nullivex dot com
Description:
------------
Please note this started out as a circular reference error, which is my mistake. But PHP should handle this more gracefully.

root@dev:/opt/magic# php -v
PHP 5.3.3-7+squeeze3 with Suhosin-Patch (cli) (built: Jun 28 2011 08:24:40)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
root@dev:/opt/magic# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 6.0.3 (squeeze)
Release:        6.0.3
Codename:       squeeze

Here is my output:

root@dev:/opt/magic# php test.php
Segmentation fault


Here are the log files:

Nov  3 20:02:37 dev kernel: [2586752.054908] php[2127]: segfault at 7fff90037fe8 ip 00000000006a38e0 sp 00007fff90038018 error 6 in php5[400000+6f9000]



Test script:
---------------
<?php


class Test {

        static $urls = array(
                'page_files'
        );

        public static function _all(){
                $urls = array();
                foreach(self::$urls as $func) $urls['url_'.$func] = self::$func();
                return $urls;
        }
        public static function page_files(){
                return self::page_files().'&do=files';
        }

}

Test::_all();


Expected result:
----------------
E_FATAL describing a circular reference.

Actual result:
--------------
Nov  3 20:02:37 dev kernel: [2586752.054908] php[2127]: segfault at 7fff90037fe8 ip 00000000006a38e0 sp 00007fff90038018 error 6 in php5[400000+6f9000]


History

 [2011-11-04 03:12 UTC] laruence@php.net
I cannot reproduce this segfault with PHP-5.3-trunk-snap; instead, the script terminated by running out of memory.

PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted ***

Could you try with the 5.3-trunk-snap?
 [2011-11-04 03:25 UTC] contact at nullivex dot com
I will give this a shot.

Maybe it is a problem with Debian's build. Let me grab a config string.

I narrowed it down.

It's an issue with Suhosin. I always forget that Debian in their infinite wisdom has enabled this module by default.

Is the Suhosin module part of the PHP project or is there a separate site I should file this?
 [2011-11-04 03:28 UTC] laruence@php.net
-Status: Open +Status: Bogus
 [2011-11-04 03:28 UTC] laruence@php.net
Suhosin is not a part of PHP; you can file a bug to it at http://www.hardened-php.net/suhosin/

thanks
 [2011-11-04 03:30 UTC] contact at nullivex dot com
Alright,

I will do that now. Go ahead and close this. Hopefully it will help someone else track it down.

Thanks
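
For triage, the kernel segfault line quoted in this report can be decoded mechanically. The following is an added example, not part of the original thread and not code from PHP or Suhosin: it parses the line, decodes the x86 page-fault error bits, and flags a fault next to the stack pointer as consistent with stack exhaustion from runaway recursion. The function name `parse_segfault` and the 64 KiB window are assumptions made for this sketch.

```python
import re

# Sample input: the kernel log line quoted in the report above.
SAMPLE = ("Nov  3 20:02:37 dev kernel: [2586752.054908] php[2127]: segfault at "
          "7fff90037fe8 ip 00000000006a38e0 sp 00007fff90038018 error 6 "
          "in php5[400000+6f9000]")

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear).
ERR_BITS = ((0x1, "protection-violation", "page-not-present"),
            (0x2, "write", "read"),
            (0x4, "user-mode", "kernel-mode"),
            (0x10, "instruction-fetch", None))

# Assumption: a fault within 64 KiB of sp is treated as "next to the stack".
STACK_WINDOW = 64 * 1024


def parse_segfault(line):
    """Return a dict describing a kernel segfault line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    # The kernel prints all four values in hexadecimal.
    rec = {k: int(m[k], 16) for k in ("addr", "ip", "sp", "err")}
    rec["comm"], rec["pid"] = m["comm"], int(m["pid"])
    rec["flags"] = [on if rec["err"] & bit else off
                    for bit, on, off in ERR_BITS
                    if (rec["err"] & bit) or off]
    rec["sp_delta"] = rec["addr"] - rec["sp"]
    if m["obj"]:
        # Offset of the faulting instruction inside the mapped object.
        rec["object"] = m["obj"]
        rec["ip_offset"] = rec["ip"] - int(m["base"], 16)
    # Heuristic only: a write to an unmapped page right beside sp is what
    # unbounded recursion running off the end of the stack looks like.
    rec["likely_stack_exhaustion"] = (
        "write" in rec["flags"] and "page-not-present" in rec["flags"]
        and abs(rec["sp_delta"]) <= STACK_WINDOW)
    return rec


if __name__ == "__main__":
    print(parse_segfault(SAMPLE))
```

For the line in this report the fault address sits 0x30 bytes below `sp` and the access is a user-mode write to an unmapped page, which matches the unbounded `page_files()` recursion in the test script.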
 
Last updated: Wed Apr 23 14:02:33 2014 UTC