PHP :: Bug #64455 :: Using PDFlib causes a segfault

Bug #64455

Using PDFlib causes a segfault

Submitted:

2013-03-19 14:16 UTC

Modified:

2013-04-08 15:00 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

marcel at webdisplay dot nl

Assigned:

rjs (profile)

Status:

Closed

Package:

pdflib (PECL)

PHP Version:

5.4.13

OS:

Mac OS X + CentOS

Private report:

CVE-ID:

None

View Developer Edit

[2013-03-19 14:16 UTC] marcel at webdisplay dot nl

Description:
------------
Using PDFlib causes a segfault in certain situations.

Platforms tested:
CentOS 6.4 with PHP 5.4.11
Mac OS X 10.8.3 with PHP 5.4.13
PDFLib 8.0.5 and PDFlib 9.0.0


Test script:
---------------
class Pdf extends PDFLib {

    /** Just some public variable */
    public $someVar;
}

$pdf = new Pdf();

//print_r($pdf);


Expected result:
----------------
The script should return normally

Actual result:
--------------
A segmentation fault occurs

Backtrace:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000020
0x00000001001ebb2d in zend_hash_destroy ()
(gdb) bt
#0  0x00000001001ebb2d in zend_hash_destroy ()
#1  0x0000000101ad3677 in pdflib_object_dtor ()
#2  0x0000000100203b71 in zend_objects_store_del_ref_by_handle_ex ()
#3  0x0000000100203c2a in zend_objects_store_del_ref ()
#4  0x00000001001d2ac1 in _zval_ptr_dtor ()
#5  0x00000001001eb854 in zend_hash_apply_deleter ()
#6  0x00000001001eb910 in zend_hash_reverse_apply ()
#7  0x00000001001d5ac7 in shutdown_destructors ()
#8  0x00000001001df958 in zend_call_destructors ()
#9  0x0000000100182247 in php_request_shutdown ()
#10 0x000000010026bdd8 in main ()
(gdb)

Please note that the segfault does not occur if either:
a) the public variable is removed from the class
b) print_r($pdf) is uncommented

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-03-19 17:02 UTC] aharvey@php.net

-Package: PDF related +Package: pdflib

[2013-04-08 15:00 UTC] rjs@php.net

The wrapper for PDFlib uses some old code construct to ....


    zend_hash_init(intern->std.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
    zend_hash_copy(intern->std.properties,

and 

    zend_hash_destroy(intern->std.properties);
    FREE_HASHTABLE(intern->std.properties);

as destructor.

PHP has introduced new API's for this with PHP 5.2:

    zend_object_std_init((zend_object *) tobj, class_type TSRMLS_CC);

with
    zend_object_std_dtor(&intern->std TSRMLS_CC);
as destructor.

In PHP 5.2 and PHP  5.3 the old code worked fine. With PHP 5.4  some internals 
must have been changed so that now the old code crashes PHP.

This will be fixed in PDFlib 9.0.1 and 8.0.6. The PECL package 2.1.10 already 
contains the bugfix.

[2013-04-08 15:00 UTC] rjs@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: rjs

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Apr 01 15:01:31 2025 UTC