php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62737 Segfault invoking SplFileInfo->openFile
Submitted: 2012-08-03 11:06 UTC Modified: 2012-08-05 08:28 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: leight at gmail dot com Assigned:
Status: Analyzed Package: Reproducible crash
PHP Version: master-Git-2012-08-03 (Git) OS: Linux / OSX
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-08-03 11:06 UTC] leight at gmail dot com
Description:
------------
When SplFileObject is on the disable_classes list, and SplFileInfo->openFile is 
called, PHP crashes because there is no check on whether the SplFileObject object 
was actually created or not, before trying to use it.

The offending code is in ext/spl/spl_directory.c in 
spl_filesystem_object_create_type

Test script:
---------------
<?php

// Run with -d disable_classes=SplFileObject 

$a = new SplFileInfo('/bin/ls');
$a->openFile('r');

Expected result:
----------------
A message stating SplFileObject is disabled.

Actual result:
--------------
Segmentation fault

Patches

bug62737.phpt (last revision 2012-08-04 15:14 UTC) by laruence@php.net)
bug62737.patch (last revision 2012-08-04 15:13 UTC) by laruence@php.net)
ChangeDisableClassHandler.patch (last revision 2012-08-03 16:21 UTC) by laruence@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-08-03 14:12 UTC] laruence@php.net
I think this is not only splFileObject, many classes may has such issues. 
(especially those who preserves their own class entry).
 [2012-08-03 14:13 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2012-08-03 14:25 UTC] laruence@php.net
this is a very badly bug. 

but I think it's not a spl issues, we should change the behavior of 
zend_disable_class, 

since for now, it will delete the class entry, which will make the class entry 
pointer (preserved by extension) become a wild pointer..

dereference it is a undefined behavior, in this sense, segfault is lucky.
 [2012-08-03 15:02 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: ChangeDisableClassHandler.patch
Revision:   1344006168
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=ChangeDisableClassHandler.patch&revision=1344006168
 [2012-08-03 15:03 UTC] laruence@php.net
I have made a patch for this.
 [2012-08-03 15:43 UTC] reeze dot xia at gmail dot com
Hi,
  by replace create_object function pointer and free function table 
isn't enough, after apply the patch, I got this,

maybe more handlers need to be replaced and cleanup. 


Fatal error: Uncaught exception 'RuntimeException' with message 
'get_class_vars() expects exactly 1 parameter, 2 given' in 
/Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php:6
Stack trace:
#0 [internal function]: SplFileObject->get_class_vars('/bin/ls', 'r')
#1 /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php(6): SplFileInfo-
>openFile('r')
#2 {main}
  thrown in /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php on line 6
 [2012-08-03 16:21 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: ChangeDisableClassHandler.patch
Revision:   1344010885
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=ChangeDisableClassHandler.patch&revision=1344010885
 [2012-08-03 16:23 UTC] laruence@php.net
sure, I am still working on this, thanks
 [2012-08-03 16:27 UTC] laruence@php.net
Actually,  I have improved the patch, and I don't know what's your test script? 

get_class_vars("splFileObject")? 

you can try with the new patch.
 [2012-08-04 02:58 UTC] laruence@php.net
I split the "dangling pointer" bug out to #62744, we can look at this one after we 
fixed that one.
 [2012-08-04 15:13 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug62737.patch
Revision:   1344093237
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=bug62737.patch&revision=1344093237
 [2012-08-04 15:14 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug62737.phpt
Revision:   1344093279
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=bug62737.phpt&revision=1344093279
 [2012-08-05 07:34 UTC] reeze dot xia at gmail dot com
Hi, laruence, 
   I use the test case in this bug report. after apply the latest patch(#62744 
and the attached one). i got:

Fatal error: Couldn't find implementation for method SplFileObject::__construct 
in Unknown on line 0

if any internal's parent class was disabled may cause segfault, I have test 
RecursiveArrayIterator (by disable ArrayIterator), it will segfault if not apply 
the patch for #62744, and will leaks after apply the patch. There must be 
other classes have the same problem,

even though we fixed this bug, there will really
a lot of them need to  be fixed too :(   we may need a better way to handle
class disabling.
 [2012-08-05 08:28 UTC] laruence@php.net
you have to realize that they are two different bugs.

1. dangling pointer ; //this is bad. 
2. spl's bug.  //this should be fixed later. that is what I am working on. if    
throw exception(in disable_class_new) is allowd, this will be easy. but for NOW, 
I don't think so, so yeah, it will be a little tough.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 22:02:05 2014 UTC