php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61165 Segfault - strip_tags()
Submitted: 2012-02-22 15:08 UTC Modified: 2012-03-02 02:52 UTC
From: tomas dot liska at actumg2 dot cz Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID:
 [2012-02-22 15:08 UTC] tomas dot liska at actumg2 dot cz
Description:
------------
Running attached script causes heap corruption resulting in segfault or other simillar results in all tested PHP versions: 5.3.2, 5.3.8, 5.3.9, 5.3.10, 5.4.0-RC*

Passing object with __toString() causes segfault in random script iteration. When casted to string beforehand, it runs OK.



Test script:
---------------
http://dl.dropbox.com/u/63573745/test.tar.gz

Since I'm not sure what causes the problem, I was unable to create a smaller test case.

Expected result:
----------------
Range of numbers from 0 to 9999 (included).

Actual result:
--------------
php-5.3.8:
$ php go.php
0
1
Segmentation fault

php-5.3.9:
0
1
...
739
740
Segmentation fault

Core dump:
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52
52                                      Z_OBJ_HT_P(zvalue)->del_ref(zvalue TSRMLS_CC);
(gdb) bt
#0  0x0000000000795ad1 in _zval_dtor_func (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.c:52
#1  0x00000000007c9ac1 in _zval_dtor (zvalue=0x7fff3f7421a0, __zend_filename=0xb00838 "/home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c", __zend_lineno=690) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_variables.h:35
#2  0x0000000000802714 in zend_assign_to_variable (variable_ptr_ptr=0xf3810f8, value=0xf389130, is_tmp_var=0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute.c:690
#3  0x000000000080218e in ZEND_ASSIGN_DIM_SPEC_VAR_CONST_HANDLER (execute_data=0x2b3bb0b002f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:10382
#4  0x00000000007cc29e in execute (op_array=0xf3313f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107
#5  0x0000000000787822 in zend_call_function (fci=0x7fff3f742860, fci_cache=0x7fff3f7427f0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_execute_API.c:969
#6  0x00000000007b6c75 in zend_call_method (object_pp=0x7fff3f742918, obj_ce=0xf355c60, fn_proxy=0xf355e50, function_name=0xb005be "__tostring", function_name_len=10, retval_ptr_ptr=0x7fff3f742928, param_count=0, arg1=0x0, arg2=0x0)
    at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_interfaces.c:97
#7  0x00000000007c84f7 in zend_std_cast_object_tostring (readobj=0xf389130, writeobj=0xf389130, type=6) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_object_handlers.c:1269
#8  0x0000000000799d68 in parse_arg_object_to_string (arg=0x2b3bb0aff4f8) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:258
#9  0x000000000079c608 in zend_parse_va_args (num_args=1, type_spec=0xadeffc "s|Z", va=0x7fff3f742c00, flags=0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:692
#10 0x000000000079d022 in zend_parse_parameters (num_args=1, type_spec=0xadeffc "s|Z") at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_API.c:871
#11 0x00000000006b6d87 in zif_strip_tags (ht=1, return_value=0xf388750, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/users/tliska/wd/php/php-5.3.9/ext/standard/string.c:4056
#12 0x00000000007cd2bb in zend_do_fcall_common_helper_SPEC (execute_data=0x2b3bb0aff090) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:320
#13 0x00000000007d3185 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b3bb0aff090) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:1640
#14 0x00000000007cc29e in execute (op_array=0xf3569f0) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend_vm_execute.h:107
#15 0x0000000000798f1a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/users/tliska/wd/php/php-5.3.9/Zend/zend.c:1236
#16 0x0000000000717a8e in php_execute_script (primary_file=0x7fff3f745560) at /home/users/tliska/wd/php/php-5.3.9/main/main.c:2308
#17 0x000000000088c464 in main (argc=2, argv=0x7fff3f7457e8) at /home/users/tliska/wd/php/php-5.3.9/sapi/cli/php_cli.c:1184


php-5.4.0RC8:
0
1
...
689
/php-5.4.0RC8/Zend/zend_hash.c(551) : ht=0x2ada805a4960 is being destroyed

No core dump produced here.


Patches

bug61165.phpt (last revision 2012-02-24 17:02 UTC) by laruence@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-23 05:41 UTC] laruence@php.net
-Assigned To: +Assigned To: dmitry
 [2012-02-23 05:41 UTC] laruence@php.net
I can confirm this issue exists.  but still can not figure out the reason. 
dmitry,  could you plz look at this? thanks
 [2012-02-24 04:56 UTC] laruence@php.net
this is not the strip_tags's issue. 
ervery internal function perfer a 's', will act the same result(segfault).

so the problem should be in the __toString of that object...

I will keep digging..

thanks
 [2012-02-24 08:32 UTC] tomas dot liska at actumg2 dot cz
I might have the cause of this. This code produces $cnt - 1 leaks:

<?php
error_reporting(E_ALL | E_NOTICE | E_STRICT);

class T {
    private $params = array();
    private $_this;

    public function __toString() {
        //$this->params['this'] = $this; // <-- uncoment this
        //$this->_this = $this;          // <-- or this (both cause the leak)
        return 'A';
    }
}

$t = new T;
$cnt = 2;
for ($i = 0; $i < $cnt; $i++) {
    strip_tags($t);
    echo "$i\n";
}

Output:
0
1
[Fri Feb 24 09:27:16 2012]  Script:  'go_own_own.php'
/home/users/tliska/wd/php/php-5.4.0RC8/ext/standard/string.c(4087) :  Freeing 0x2B9B23ADC678 (2 bytes), script=go_own_own.php
 [2012-02-24 09:22 UTC] me at ktamura dot com
I am fairly certain it is some kind of pointer deferencing here on L446 of 
Zend/zend_execution_API.c (php-5.3.10) I am not sure what the exact cause is yet 
though.


 434 ZEND_API void _zval_ptr_dtor(zval **zval_ptr ZEND_FILE_LINE_DC) /* {{{ */
 435 {
 436     zval *zv = *zval_ptr;
 437 
 438 #if DEBUG_ZEND>=2
 439     printf("Reducing refcount for %x (%x): %d->%d\n", *zval_ptr, zval_ptr, 
Z_REFCOUNT_PP(zval_ptr), Z_REFCOUNT_PP(zval_ptr) - 1);
 440 #endif
 441     Z_DELREF_P(zv);
 442     if (Z_REFCOUNT_P(zv) == 0) {
 443         TSRMLS_FETCH();
 444 
 445         if (zv != &EG(uninitialized_zval)) {
 446             GC_REMOVE_ZVAL_FROM_BUFFER(zv);
 447             zval_dtor(zv);
 448             efree_rel(zv);
 [2012-02-24 16:58 UTC] laruence@php.net
this seems introduced by #43450.

so if you stash the $this in __toString, $this will be relased, so undefined 
error occurred (in this case, I guess, the next return_value suddenly point to 
the previous $this which was be released just before, due to the zend mm cache);

I have made a patch, but cause 43450 test failed again ,although I am not sure 
whether the test self is right or not, will keep diggin.
 [2012-02-24 17:02 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61165.phpt
Revision:   1330102962
URL:        https://bugs.php.net/patch-display.php?bug=61165&patch=bug61165.phpt&revision=1330102962
 [2012-02-25 03:12 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323485
Log: Tests for bug #61165
 [2012-02-25 04:36 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323489
Log: Fixed bug #61165 (Segfault - strip_tags())
 [2012-02-25 04:36 UTC] laruence@php.net
-Assigned To: dmitry +Assigned To: laruence
 [2012-02-25 04:36 UTC] laruence@php.net
fixed in trunk and 5.3, will close this after merge to 5.4
 [2012-02-26 14:56 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323563
Log: Improve fix for #61165, the previous one cause #43450 test failed
 [2012-03-02 02:51 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323765
Log: MFH: Fix bug #61165 (Segfault - strip_tags())
 [2012-03-02 02:52 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-03-02 02:52 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:45 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=adb9fe6ca1229141d0d70d07d18cfb3dba115026
Log: MFH: Fix bug #61165 (Segfault - strip_tags())
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cfa9c90b20637796dcf97bd14a9926a102bec9de
Log: Fixed bug #61165 (Segfault - strip_tags())
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=adb9fe6ca1229141d0d70d07d18cfb3dba115026
Log: MFH: Fix bug #61165 (Segfault - strip_tags())
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cfa9c90b20637796dcf97bd14a9926a102bec9de
Log: Fixed bug #61165 (Segfault - strip_tags())
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=adb9fe6ca1229141d0d70d07d18cfb3dba115026
Log: MFH: Fix bug #61165 (Segfault - strip_tags())
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cfa9c90b20637796dcf97bd14a9926a102bec9de
Log: Fixed bug #61165 (Segfault - strip_tags())
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 13:02:46 2014 UTC