Bug #65050 zend_hash_apply not interruption safe
Submitted: 2013-06-17 18:22 UTC Modified: 2021-07-23 08:12 UTC
From: nikic@php.net Assigned: nikic (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.5.0RC3 OS:
Private report: No CVE-ID: None
 [2013-06-17 18:22 UTC] nikic@php.net
Description:
------------
zend_hash_apply is used all over the place, but it isn't interruption safe (just like iteration using HashPosition).

Here is an example making use of OB callbacks in var_dump:

<?php

$array1 = [0, 1];
$array2 = [&$array1];   // reference: var_dump($array2) descends into $array1

// Chunk size 1: the handler runs for every single write var_dump makes,
// i.e. while zend_hash_apply is still walking $array1's buckets.
ob_start(function($str) use(&$array1) {
    static $i = 0;
    if ($i++ == 4) {
        unset($array1[0]);   // drops the element var_dump is in the middle of printing
        //unset($array1[1]);
    }
    return "$i: $str";
}, 1);

var_dump($array2);

nikic@pluto:~/dev/php-dev$ sapi/cli/php t16.php 
1: array(1) {
2:   [0]=>
3:   4: &array(2) {
5:     [0]=>
6:     Segmentation fault (core dumped)

Valgrind output (only first entry):

==11997== Invalid read of size 4
==11997==    at 0x819057F: php_var_dump (var.c:99)
==11997==    by 0x81903EF: php_array_element_dump (var.c:51)
==11997==    by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997==    by 0x8190A58: php_var_dump (var.c:146)
==11997==    by 0x81903EF: php_array_element_dump (var.c:51)
==11997==    by 0x827C917: zend_hash_apply_with_arguments (zend_hash.c:748)
==11997==    by 0x8190A58: php_var_dump (var.c:146)
==11997==    by 0x8190C07: zif_var_dump (var.c:183)
==11997==    by 0x82A72BA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:547)
==11997==    by 0x82ABD3F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2328)
==11997==    by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997==    by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997==  Address 0x447f15c is 12 bytes inside a block of size 36 free'd
==11997==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==11997==    by 0x823257E: _efree (zend_alloc.c:2437)
==11997==    by 0x827C09B: zend_hash_del_key_or_index (zend_hash.c:512)
==11997==    by 0x82FC731: ZEND_UNSET_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:33119)
==11997==    by 0x82A67F6: execute_ex (zend_vm_execute.h:356)
==11997==    by 0x82A68AB: zend_execute (zend_vm_execute.h:381)
==11997==    by 0x8258E71: zend_call_function (zend_execute_API.c:939)
==11997==    by 0x8277CD4: zend_fcall_info_call (zend_API.c:3381)
==11997==    by 0x81E7B47: php_output_handler_op (output.c:962)
==11997==    by 0x81E8026: php_output_op (output.c:1063)
==11997==    by 0x81E5E6C: php_output_write (output.c:255)
==11997==    by 0x81C9442: php_printf (main.c:682)


History

 [2021-07-23 08:12 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2021-07-23 08:12 UTC] nikic@php.net
Don't think this issue is particularly useful anymore. zend_hash_apply is still not interruption safe, but it probably shouldn't be either, and is used relatively little nowadays. The var_dump() case in particular now adds a temporary addref to the array to prevent modifications.
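Added illustration, not PHP engine code and not from the reporter: a small C model of the pattern in the description (a callback invoked from inside a bucket walk mutates the table being walked) and of the fix the closing comment names (a temporary addref around the iteration). The table, bucket and handle types, the copy-on-write separation in handle_unset, and the function names are assumptions made for the model; only the shape of the hazard and of the fix follows the report.

```c
/* Added model (not engine code) of the hazard in this report and of the fix the
 * closing comment names: a temporary addref around the iteration. table, bucket
 * and handle are simplified stand-ins for HashTable, Bucket and a zval slot. */
#include <stdio.h>
#include <stdlib.h>

typedef struct bucket { long key, val; struct bucket *next; } bucket;
typedef struct { int refcount; bucket *head; } table; /* refcount: handles + in-flight iterations */
typedef struct { table *t; } handle;                  /* variable slot; mutation goes through it */

static table *table_new(void) { table *t = calloc(1, sizeof *t); t->refcount = 1; return t; }

static void table_release(table *t) {
    if (--t->refcount > 0) return;
    for (bucket *b = t->head, *n; b; b = n) { n = b->next; free(b); }
    free(t);
}

static void table_insert(table *t, long key, long val) {
    bucket *b = malloc(sizeof *b);
    b->key = key; b->val = val; b->next = t->head; t->head = b;
}

static table *table_copy(const table *src) {
    table *t = table_new();
    bucket **tail = &t->head;                 /* append, to keep bucket order */
    for (bucket *b = src->head; b; b = b->next) {
        bucket *c = malloc(sizeof *c);
        c->key = b->key; c->val = b->val; c->next = NULL;
        *tail = c; tail = &c->next;
    }
    return t;
}

/* unset($arr[$key]) through a handle: if the table is shared, separate it (copy
 * on write) first, so other holders, including an iteration in flight, see nothing. */
static void handle_unset(handle *h, long key) {
    if (h->t->refcount > 1) {
        table *copy = table_copy(h->t);
        table_release(h->t);                  /* drop our ref to the shared original */
        h->t = copy;
    }
    for (bucket **pp = &h->t->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->key == key) {
            bucket *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
    }
}

typedef void (*apply_cb)(bucket *b, handle *owner);

/* The reported pattern: walk the buckets, handing each to a callback. If the
 * callback unsets the current key, `b` is freed and `b->next` is the invalid
 * read in the valgrind trace above. Run it with a mutating callback only under
 * a memory checker. */
int apply_unguarded(handle *owner, apply_cb cb) {
    int visited = 0;
    for (bucket *b = owner->t->head; b; b = b->next) { cb(b, owner); visited++; }
    return visited;
}

/* The fix: hold an extra reference while iterating. A mutating callback then
 * separates `owner` onto a copy; the table being walked stays intact until we
 * release it at the end. */
int apply_guarded(handle *owner, apply_cb cb) {
    table *t = owner->t;
    t->refcount++;
    int visited = 0;
    for (bucket *b = t->head; b; b = b->next) { cb(b, owner); visited++; }
    table_release(t);
    return visited;
}

/* Stand-in for the OB handler in the report: unset the element being dumped. */
static void unset_current(bucket *b, handle *owner) { handle_unset(owner, b->key); }

/* Guarded run over a constructed two-element table. Returns buckets visited;
 * *left receives the owner's entry count afterwards (every key was unset, so 0). */
int demo_guarded(long *left) {
    handle h = { table_new() };
    table_insert(h.t, 1, 1);
    table_insert(h.t, 0, 0);
    int visited = apply_guarded(&h, unset_current);
    *left = 0;
    for (bucket *b = h.t->head; b; b = b->next) (*left)++;
    table_release(h.t);
    return visited;
}

int main(void) {
    long left;
    int visited = demo_guarded(&left);
    printf("guarded apply visited %d buckets; owner has %ld entries left\n", visited, left);
    return 0;
}
```

With the unsetting callback, apply_guarded visits both buckets and leaves the owner holding an emptied, separated copy while the original buckets stay valid until the iteration's own reference is dropped. apply_unguarded with the same callback is the reported situation: the callback frees the bucket the loop is standing on and the loop then reads its next pointer, so exercise that path only under valgrind or ASan, as the report did.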
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 15:01:29 2024 UTC