Bug #66127 Segmentation fault with ArrayObject unset
Submitted: 2013-11-20 18:06 UTC
Modified: 2014-06-08 22:41 UTC
Votes: 4
Avg. Score: 4.0 ± 0.7
Reproduced: 3 of 3 (100.0%)
Same Version: 3 (100.0%)
Same OS: 2 (66.7%)
From: webm4st0r at gmail dot com
Assigned: stas
Status: Closed
Package: Reproducible crash
PHP Version: 5.5.6
OS: CentOS confirmed
Private report: No
CVE-ID:
 [2013-11-20 18:06 UTC] webm4st0r at gmail dot com
Description:
------------
This appears to have been introduced as the result of the patch to https://bugs.php.net/bug.php?id=52861.

I ran into this issue while regression testing our application on PHP 5.5.5, and was able to create a short script to reproduce the segfault.

Building PHP 5.4.13 with the patch for #52861 removed results in a successful execution and proper execution of the error handler. Build was on a clean version of the 5.4.13 distribution, with no configure options provided.

gdb backtrace for PHP 5.4.13:

#0  _zend_mm_alloc_int (heap=0xd2b290, size=32) at /root/build/php-5.4.13/Zend/zend_alloc.c:1906
#1  0x00000000006765ad in zend_error (type=1024, format=0xa7dee1 "%s") at /root/build/php-5.4.13/Zend/zend.c:1123
#2  0x0000000000687419 in zif_trigger_error (ht=<value optimized out>, return_value=0x7ffff7fe2290, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /root/build/php-5.4.13/Zend/zend_builtin_functions.c:1504
#3  0x00000000006ee76a in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/build/php-5.4.13/Zend/zend_vm_execute.h:642
#4  0x00000000006dbe60 in execute (op_array=0xe9ff50) at /root/build/php-5.4.13/Zend/zend_vm_execute.h:410
#5  0x000000000067616e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/build/php-5.4.13/Zend/zend.c:1315
#6  0x000000000061c17e in php_execute_script (primary_file=0x7fffffffe2b0) at /root/build/php-5.4.13/main/main.c:2492
#7  0x000000000071bbb3 in do_cli (argc=2, argv=0x7fffffffe6b8) at /root/build/php-5.4.13/sapi/cli/php_cli.c:988
#8  0x000000000071c2b4 in main (argc=2, argv=0x7fffffffe6b8) at /root/build/php-5.4.13/sapi/cli/php_cli.c:1364

gdb backtrace for PHP 5.5.6:

#0  _zend_mm_alloc_int (heap=0xd9ed00, size=32) at /root/build/php-5.5.6/Zend/zend_alloc.c:1910
#1  0x0000000000691b9a in zend_error (type=1024, format=0xa6f4ec "%s") at /root/build/php-5.5.6/Zend/zend.c:1126
#2  0x00000000006a3c5b in zif_trigger_error (ht=<value optimized out>, return_value=0x7ffff7fe22d0, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /root/build/php-5.5.6/Zend/zend_builtin_functions.c:1521
#3  0x0000000000713da3 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /root/build/php-5.5.6/Zend/zend_vm_execute.h:550
#4  0x0000000000705350 in execute_ex (execute_data=0x7ffff7fad310) at /root/build/php-5.5.6/Zend/zend_vm_execute.h:363
#5  0x0000000000691749 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/build/php-5.5.6/Zend/zend.c:1320
#6  0x00000000006335b9 in php_execute_script (primary_file=0x7fffffffe2b0) at /root/build/php-5.5.6/main/main.c:2489
#7  0x0000000000741ccc in do_cli (argc=2, argv=0xd9ea20) at /root/build/php-5.5.6/sapi/cli/php_cli.c:994
#8  0x0000000000742468 in main (argc=2, argv=0xd9ea20) at /root/build/php-5.5.6/sapi/cli/php_cli.c:1378


Test script:
---------------
<?php

function crash()
{
    set_error_handler(function () {});
    $var = 1;
    trigger_error('error');
    $var2 = $var;
    $var3 = $var;
    trigger_error('error');
}

$items = new ArrayObject();

unset($items[0]);
unset($items[0][0]);
crash();
echo "Worked!\n";


Expected result:
----------------
Worked!

Actual result:
--------------
Segmentation fault (core dumped)

 [2013-11-22 04:54 UTC] laruence@php.net
-Assigned To: +Assigned To: stas
 [2013-11-22 04:54 UTC] laruence@php.net
@Stas, could you please look into this?
 [2014-06-05 11:15 UTC] arjen at react dot com
Still crashes: 5.4.13 - 5.6.0beta3

http://3v4l.org/j4GdO
 [2014-06-08 00:16 UTC] rasmus@php.net
Here is the Valgrind memcheck output for this:

https://gist.github.com/anonymous/3d813b987629d0eb6022

This is from a PHP-5.6-dev checkout from today.

Basically we are accessing memory that has already been freed here.
 [2014-06-08 22:41 UTC] stas@php.net
Proposed fix:

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 34f3a38..758947a 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -402,7 +402,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval
        /* When in a write context,
         * ZE has to be fooled into thinking this is in a reference set
         * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */
-       if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) {
+       if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) {
                if (Z_REFCOUNT_PP(ret) > 1) {
                        zval *newval;
 
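Review bot: The added `ret != &EG(uninitialized_zval_ptr)` test in the condition applies to BP_VAR_W and BP_VAR_RW as well as BP_VAR_UNSET, so every write-context fetch that comes back with the shared uninitialized zval now skips the separation and is_ref step, not only the unset case from the report. If only the unset path needs the guard, restrict it to `type == BP_VAR_UNSET`; otherwise confirm that write and read-write fetches of a missing index still behave as before. The comment above the condition should also state why the uninitialized zval is excluded, and since the diff as shown touches only ext/spl/spl_array.c, a regression test covering the reported unset sequence should accompany it.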

Please check if it works for you.
 [2014-06-10 19:29 UTC] arjen at react dot com
Your patch fixes the reported issue, however it introduces a regression in ext/spl/tests/iterator_035.phpt

--TEST--
SPL: ArrayIterator and values assigned by reference
--FILE--
<?php

$tmp = 1;

$a = new ArrayIterator();
$a[] = $tmp;
$a[] = &$tmp;

echo "Done\n";
?>
--EXPECTF--
Fatal error: Cannot assign by reference to overloaded object in %s on line %d


The expected fatal error isn't triggered.
 [2014-06-11 06:21 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-06-11 06:21 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-06-11 06:24 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-06-12 01:08 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-06-19 00:53 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-06-24 17:27 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-06-24 17:34 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-06-30 20:23 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-07-02 01:41 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-07-02 08:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-07-02 08:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-07-02 08:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-07-02 08:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-07-29 21:56 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2ba5c7987141fc11706207b0ce24ea2eb6dea87
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-08-14 15:34 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2ba5c7987141fc11706207b0ce24ea2eb6dea87
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-08-14 19:32 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2ba5c7987141fc11706207b0ce24ea2eb6dea87
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=e2ba5c7987141fc11706207b0ce24ea2eb6dea87
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=e2ba5c7987141fc11706207b0ce24ea2eb6dea87
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=2b04d689724bdfd5db9351c017566e2f51d61568
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=317bcb96d01a1dade28f2875bdd9bbbf73a40160
Log: Fix bug #66127 (Segmentation fault with ArrayObject unset)
 