php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #62737 Segfault invoking SplFileInfo->openFile
Submitted: 2012-08-03 11:06 UTC Modified: 2021-02-16 13:21 UTC
Votes:8
Avg. Score:3.8 ± 1.0
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: leight at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2012-08-03 (Git) OS: Linux / OSX
Private report: No CVE-ID: None
View Developer Edit
 [2012-08-03 11:06 UTC] leight at gmail dot com 
Description:
------------
When SplFileObject is on the disable_classes list, and SplFileInfo->openFile is 
called, PHP crashes because there is no check on whether the SplFileObject object 
was actually created or not, before trying to use it.

The offending code is in ext/spl/spl_directory.c in 
spl_filesystem_object_create_type

Test script:
---------------
<?php

// Run with -d disable_classes=SplFileObject 

$a = new SplFileInfo('/bin/ls');
$a->openFile('r');

Expected result:
----------------
A message stating SplFileObject is disabled.

Actual result:
--------------
Segmentation fault

Patches

bug62737.phpt (last revision 2012-08-04 15:14 UTC by laruence@php.net)
bug62737.patch (last revision 2012-08-04 15:13 UTC by laruence@php.net)
ChangeDisableClassHandler.patch (last revision 2012-08-03 16:21 UTC by laruence@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-08-03 14:12 UTC] laruence@php.net 
I think this is not only splFileObject, many classes may has such issues. 
(especially those who preserves their own class entry).
 [2012-08-03 14:13 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2012-08-03 14:25 UTC] laruence@php.net 
this is a very badly bug. 

but I think it's not a spl issues, we should change the behavior of 
zend_disable_class, 

since for now, it will delete the class entry, which will make the class entry 
pointer (preserved by extension) become a wild pointer..

dereference it is a undefined behavior, in this sense, segfault is lucky.
 [2012-08-03 15:02 UTC] laruence@php.net 
The following patch has been added/updated:

Patch Name: ChangeDisableClassHandler.patch
Revision:   1344006168
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=ChangeDisableClassHandler.patch&revision=1344006168
 [2012-08-03 15:03 UTC] laruence@php.net 
I have made a patch for this.
 [2012-08-03 15:43 UTC] reeze dot xia at gmail dot com 
Hi,
  by replace create_object function pointer and free function table 
isn't enough, after apply the patch, I got this,

maybe more handlers need to be replaced and cleanup. 


Fatal error: Uncaught exception 'RuntimeException' with message 
'get_class_vars() expects exactly 1 parameter, 2 given' in 
/Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php:6
Stack trace:
#0 [internal function]: SplFileObject->get_class_vars('/bin/ls', 'r')
#1 /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php(6): SplFileInfo-
>openFile('r')
#2 {main}
  thrown in /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php on line 6
 [2012-08-03 16:21 UTC] laruence@php.net 
The following patch has been added/updated:

Patch Name: ChangeDisableClassHandler.patch
Revision:   1344010885
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=ChangeDisableClassHandler.patch&revision=1344010885
 [2012-08-03 16:23 UTC] laruence@php.net 
sure, I am still working on this, thanks
 [2012-08-03 16:27 UTC] laruence@php.net 
Actually,  I have improved the patch, and I don't know what's your test script? 

get_class_vars("splFileObject")? 

you can try with the new patch.
 [2012-08-04 02:58 UTC] laruence@php.net 
I split the "dangling pointer" bug out to #62744, we can look at this one after we 
fixed that one.
 [2012-08-04 15:13 UTC] laruence@php.net 
The following patch has been added/updated:

Patch Name: bug62737.patch
Revision:   1344093237
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=bug62737.patch&revision=1344093237
 [2012-08-04 15:14 UTC] laruence@php.net 
The following patch has been added/updated:

Patch Name: bug62737.phpt
Revision:   1344093279
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=bug62737.phpt&revision=1344093279
 [2012-08-05 07:34 UTC] reeze dot xia at gmail dot com 
Hi, laruence, 
   I use the test case in this bug report. after apply the latest patch(#62744 
and the attached one). i got:

Fatal error: Couldn't find implementation for method SplFileObject::__construct 
in Unknown on line 0

if any internal's parent class was disabled may cause segfault, I have test 
RecursiveArrayIterator (by disable ArrayIterator), it will segfault if not apply 
the patch for #62744, and will leaks after apply the patch. There must be 
other classes have the same problem,

even though we fixed this bug, there will really
a lot of them need to  be fixed too :(   we may need a better way to handle
class disabling.
 [2012-08-05 08:28 UTC] laruence@php.net 
you have to realize that they are two different bugs.

1. dangling pointer ; //this is bad. 
2. spl's bug.  //this should be fixed later. that is what I am working on. if    
throw exception(in disable_class_new) is allowd, this will be easy. but for NOW, 
I don't think so, so yeah, it will be a little tough.
 [2020-04-24 18:49 UTC] alexinbeijing at gmail dot com 
Related To: Bug #78583
 [2021-02-16 13:21 UTC] cmb@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-02-16 13:21 UTC] cmb@php.net 
This has apparently been fixed in the meantime.  Running the test
script wth PHP-7.3, PHP-7.4 and PHP-8.0, prints:

Warning: SplFileInfo() has been disabled for security reasons in %s on line %d

Fatal error: Uncaught Error: Call to undefined method SplFileInfo::openFile() in %s:%d
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 12:00:01 2025 UTC