Bug #62737 Segfault invoking SplFileInfo->openFile
Submitted: 2012-08-03 11:06 UTC Modified: 2012-08-05 08:28 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: leight at gmail dot com Assigned:
Status: Analyzed Package: Reproducible crash
PHP Version: master-Git-2012-08-03 (Git) OS: Linux / OSX
Private report: No CVE-ID:

 [2012-08-03 11:06 UTC] leight at gmail dot com
When SplFileObject is on the disable_classes list, and SplFileInfo->openFile is 
called, PHP crashes because there is no check on whether the SplFileObject object 
was actually created or not, before trying to use it.

The offending code is in ext/spl/spl_directory.c in 

Test script:

<?php
// Run with -d disable_classes=SplFileObject
$a = new SplFileInfo('/bin/ls');
// openFile() tries to instantiate the disabled SplFileObject; this is where it crashes.
$a->openFile();

Expected result:
A message stating SplFileObject is disabled.

Actual result:
Segmentation fault


bug62737.phpt (last revision 2012-08-04 15:14 UTC) by
bug62737.patch (last revision 2012-08-04 15:13 UTC) by
ChangeDisableClassHandler.patch (last revision 2012-08-03 16:21 UTC) by

 [2012-08-03 14:12 UTC]
I think this is not only SplFileObject; many classes may have such issues
(especially those that preserve their own class entry).
 [2012-08-03 14:13 UTC]
-Status: Open +Status: Analyzed
 [2012-08-03 14:25 UTC]
this is a very bad bug.

but I think it's not an SPL issue; we should change the behavior of

since for now it deletes the class entry, which makes the class entry
pointer (preserved by the extension) become a wild pointer.

dereferencing it is undefined behavior; in this sense, a segfault is lucky.
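The two points raised so far (the report's missing check on whether the SplFileObject was actually created, and the comment above that deleting a class entry leaves the extension holding a wild pointer) as a small C model. This is an added example, not code from PHP, from ext/spl, or from any patch attached to this report; every name in it (register_class, disable_class_by_delete, disable_class_in_place, spl_info_open_file, disabled_class_stub) is hypothetical, and the class table is a toy array rather than the engine's hash table. It contrasts disabling a class by deleting its entry with disabling it in place by swapping the create_object handler, and shows the caller checking the creation result instead of dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an engine class table; no name here is Zend's. */
typedef struct class_entry class_entry_t;
typedef struct { const class_entry_t *ce; const char *path; } object_t;

struct class_entry {
    const char *name;
    object_t *(*create_object)(class_entry_t *ce, const char *path);
};

#define MAX_CLASSES 8
static class_entry_t *class_table[MAX_CLASSES];

/* Normal constructor handler. */
static object_t *file_object_new(class_entry_t *ce, const char *path) {
    object_t *obj = calloc(1, sizeof *obj);
    if (obj) { obj->ce = ce; obj->path = path; }
    return obj;
}

/* Handler installed when a class is disabled: refuses to construct and returns
 * NULL, which every caller must be prepared for. */
static object_t *disabled_class_stub(class_entry_t *ce, const char *path) {
    (void)path;
    fprintf(stderr, "Warning: class %s has been disabled\n", ce->name);
    return NULL;
}

static int find_slot(const char *name) {
    for (int i = 0; i < MAX_CLASSES; i++)
        if (class_table[i] && strcmp(class_table[i]->name, name) == 0) return i;
    return -1;
}

/* Register a class and hand back its entry; an extension keeps this pointer
 * (as ext/spl keeps spl_ce_SplFileObject). */
class_entry_t *register_class(const char *name) {
    for (int i = 0; i < MAX_CLASSES; i++) {
        if (class_table[i]) continue;
        class_entry_t *ce = calloc(1, sizeof *ce);
        if (!ce) return NULL;
        ce->name = name;
        ce->create_object = file_object_new;
        return class_table[i] = ce;
    }
    return NULL;
}

/* Is this pointer still one of the table's live entries? Pointer values are
 * only compared, never dereferenced. */
int class_entry_is_live(const class_entry_t *ce) {
    for (int i = 0; i < MAX_CLASSES; i++)
        if (class_table[i] == ce) return 1;
    return 0;
}

/* Strategy A: delete and free the entry. The extension's saved pointer now
 * dangles; dereferencing it is undefined behaviour (a segfault is the lucky case). */
int disable_class_by_delete(const char *name) {
    int i = find_slot(name);
    if (i < 0) return -1;
    free(class_table[i]);
    class_table[i] = NULL;
    return 0;
}

/* Strategy B: keep the entry and swap in the refusing constructor. Saved
 * pointers stay valid, but construction can now yield NULL. */
int disable_class_in_place(const char *name) {
    int i = find_slot(name);
    if (i < 0) return -1;
    class_table[i]->create_object = disabled_class_stub;
    return 0;
}

/* Caller side: the report's point is that the created object was used without
 * checking whether creation succeeded. Returns 0 on success, -1 if the class
 * refused to construct, -2 if the entry pointer is no longer live. */
int spl_info_open_file(class_entry_t *ce, const char *path, object_t **out) {
    *out = NULL;
    if (!class_entry_is_live(ce)) return -2;   /* never dereference a dead entry */
    object_t *obj = ce->create_object(ce, path);
    if (!obj) return -1;                        /* disabled (or out of memory) */
    *out = obj;
    return 0;
}

void reset_class_table(void) {
    for (int i = 0; i < MAX_CLASSES; i++) { free(class_table[i]); class_table[i] = NULL; }
}
```

With in-place disabling the extension's pointer keeps pointing at a valid entry and the only new obligation on callers is the NULL check; with delete-and-free there is no safe way for a caller to use the pointer at all, which is why the thread treats the dangling pointer as the more fundamental of the two bugs.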
 [2012-08-03 15:02 UTC]
The following patch has been added/updated:

Patch Name: ChangeDisableClassHandler.patch
Revision:   1344006168
 [2012-08-03 15:03 UTC]
I have made a patch for this.
 [2012-08-03 15:43 UTC] reeze dot xia at gmail dot com
Replacing the create_object function pointer and freeing the function table
isn't enough; after applying the patch, I got this:

maybe more handlers need to be replaced and cleaned up.

Fatal error: Uncaught exception 'RuntimeException' with message 
'get_class_vars() expects exactly 1 parameter, 2 given' in 
Stack trace:
#0 [internal function]: SplFileObject->get_class_vars('/bin/ls', 'r')
#1 /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php(6): SplFileInfo-
#2 {main}
  thrown in /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php on line 6
 [2012-08-03 16:21 UTC]
The following patch has been added/updated:

Patch Name: ChangeDisableClassHandler.patch
Revision:   1344010885
 [2012-08-03 16:23 UTC]
sure, I am still working on this, thanks
 [2012-08-03 16:27 UTC]
Actually, I have improved the patch, and I don't know what your test script is.


you can try with the new patch.
 [2012-08-04 02:58 UTC]
I split the "dangling pointer" bug out to #62744, we can look at this one after we 
fixed that one.
 [2012-08-04 15:13 UTC]
The following patch has been added/updated:

Patch Name: bug62737.patch
Revision:   1344093237
 [2012-08-04 15:14 UTC]
The following patch has been added/updated:

Patch Name: bug62737.phpt
Revision:   1344093279
 [2012-08-05 07:34 UTC] reeze dot xia at gmail dot com
Hi, laruence,
   I used the test case in this bug report. After applying the latest patches (#62744
and the attached one), I got:

Fatal error: Couldn't find implementation for method SplFileObject::__construct 
in Unknown on line 0

If any internal class's parent class is disabled, it may cause a segfault. I have tested
RecursiveArrayIterator (by disabling ArrayIterator): it will segfault without
the patch for #62744, and will leak after applying the patch. There must be
other classes with the same problem;

even though we fix this bug, there will really be
a lot of them that need to be fixed too :(   We may need a better way to handle
class disabling.
 [2012-08-05 08:28 UTC]
You have to realize that they are two different bugs.

1. dangling pointer; // this is bad.
2. SPL's bug.  // this should be fixed later; that is what I am working on. If
throwing an exception (in disable_class_new) is allowed, this will be easy, but for NOW
I don't think so, so yeah, it will be a little tough.
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Wed Nov 25 02:01:33 2015 UTC