Bug #63882 zend_std_compare_objects crash on recursion
Submitted: 2013-01-01 19:27 UTC Modified: 2013-01-09 07:35 UTC
Votes:2
Avg. Score:1.0 ± 0.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: gynvael at coldwind dot pl Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.4.10 OS: any
Private report: No CVE-ID:
 [2013-01-01 19:27 UTC] gynvael at coldwind dot pl
Description:
------------
The standard PHP object compare handler (zend_std_compare_objects) together with 
the == operator (compare_function) have no limit on nesting levels nor any 
anti-recursion protection.

The array comparing function in compare_function does have this protection. It 
would be good to add it to the object standard compare handler as well.

Test script:
---------------
<?php
class Test { public $x = 5; }

$testobj1 = new Test;
$testobj2 = new Test;
$testobj1->x = $testobj1;
$testobj2->x = $testobj2;

$testobj1 == $testobj2; // Crash (stack exhaustion)


Expected result:
----------------
PHP Fatal error:  Nesting level too deep - recursive dependency? in test.php on 
line 9

Actual result:
--------------
segmentation fault (core dumped)

Patches

63882.patch (last revision 2013-01-02 18:53 UTC by ab@php.net)

 [2013-01-02 18:53 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 63882.patch
Revision:   1357152805
URL:        https://bugs.php.net/patch-display.php?bug=63882&patch=63882.patch&revision=1357152805
 [2013-01-02 19:03 UTC] ab@php.net
The stack overflow happens only with default class properties. Non-default object properties are stored in the HashTable and it's protected against recursion.

The solution I'm suggesting in the patch is simple but could be binary incompatible with the stuff in the outer world. I mean stuff like precompiled PECL extensions, as the zend_object size changes. Maybe that should only go into 5.5.

Another solution would be quite complex: compare_function could be extended with a recursion count argument, but that would need a lot of places to be touched.
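
Added example, not part of the original thread and not PHP's own code or the attached patch: a self-contained C sketch of a per-object nesting counter of the kind discussed above, run against the same self-referential shape as the test script. The `obj` type, `MAX_NESTING`, `CMP_TOO_DEEP` and the demo functions are assumptions made for illustration.

```c
#include <stdio.h>
#define MAX_NESTING 3      /* assumed limit for this sketch */
#define CMP_TOO_DEEP (-2)  /* stands in for the "Nesting level too deep" fatal error */
/* Toy object with a single property slot; NOT the real zend_object layout. */
typedef struct obj {
    struct obj *ref;       /* non-NULL: the property holds an object */
    int value;             /* scalar property, used when ref == NULL */
    unsigned apply_count;  /* how many compares are currently inside this object */
} obj;

/* Returns 0 if equal, 1 if different, CMP_TOO_DEEP on a recursive dependency. */
int obj_compare(obj *a, obj *b)
{
    int r;
    if (a == b) return 0;              /* same instance */
    if (a->apply_count >= MAX_NESTING) return CMP_TOO_DEEP; /* re-entered too often */
    a->apply_count++;
    if (a->ref && b->ref)
        r = obj_compare(a->ref, b->ref);
    else if (!a->ref && !b->ref)
        r = (a->value != b->value);
    else
        r = 1;                         /* object vs scalar */
    a->apply_count--;                  /* always unwind, also on the error path */
    return r;
}

/* Same shape as the report's test script: each object's property is itself. */
int demo_self_referential(void)
{
    obj o1 = { NULL, 5, 0 }, o2 = { NULL, 5, 0 };
    o1.ref = &o1; o2.ref = &o2;
    return obj_compare(&o1, &o2);
}

/* A non-cyclic chain deeper than MAX_NESTING still compares normally. */
int demo_deep_chain(void)
{
    obj a[5] = {{0}}, b[5] = {{0}};
    for (int i = 0; i < 4; i++) { a[i].ref = &a[i + 1]; b[i].ref = &b[i + 1]; }
    a[4].value = b[4].value = 5;
    return obj_compare(&a[0], &b[0]);
}

int main(void)
{
    printf("self-referential: %d, deep chain: %d\n", demo_self_referential(), demo_deep_chain());
    return 0;
}
```

Because the counter lives in each object rather than in the call, only re-entry into the same object trips the limit; without the guard, the self-referential case recurses until the stack is exhausted.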
 [2013-01-02 19:21 UTC] ab@php.net
-Status: Open +Status: Analyzed
 [2013-01-07 06:15 UTC] pajoye@php.net
-Assigned To: +Assigned To: dmitry
 [2013-01-07 06:15 UTC] pajoye@php.net
Hi Dmitry,

Can you take a look at the patch please?

btw, don't we have that already in place in the hash table for that? Wondering if 
we really need to add that for props as they are stored in the hash table anyway.
 [2013-01-09 07:34 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f9e8678dd3a41ed8a100d8201153a41d6fd25f2e
Log: Fixed bug #63882 (zend_std_compare_objects crash on recursion)
 [2013-01-09 07:34 UTC] dmitry@php.net
-Status: Analyzed +Status: Closed
 [2013-01-09 07:35 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-01-12 16:39 UTC] derick@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f9e8678dd3a41ed8a100d8201153a41d6fd25f2e
Log: Fixed bug #63882 (zend_std_compare_objects crash on recursion)