Bug #67359 Segfault in recursiveDirectoryIterator
Submitted: 2014-05-29 13:55 UTC
Modified: 2014-06-01 11:40 UTC
Votes: 1
Avg. Score: 1.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: kevin dot waterson at gmail dot com
Assigned:
Status: Closed
Package: SPL related
PHP Version: 5.6Git-2014-05-29 (Git)
OS: Linux
Private report: No
CVE-ID:
 [2014-05-29 13:55 UTC] kevin dot waterson at gmail dot com
Description:
------------
(gdb) bt
#0  0x0000000000a04d5d in zend_call_function (fci=0x7fffda4a13d0, fci_cache=0x7fffda4a1360, tsrm_ls=0x1d754b0)
    at /home/kevin/php/php5.6-201405270630/Zend/zend_execute_API.c:711
#1  0x0000000000a4220e in zend_call_method (object_pp=0x7fffda4a1490, obj_ce=0x1eb6df0, fn_proxy=0x7fed57b82238, function_name=0xe8d1a3 "valid", function_name_len=5, 
    retval_ptr_ptr=0x7fffda4a14b8, param_count=0, arg1=0x0, arg2=0x0, tsrm_ls=0x1d754b0) at /home/kevin/php/php5.6-201405270630/Zend/zend_interfaces.c:97
#2  0x00000000007a6037 in zim_spl_DirectoryIterator_seek (ht=1, return_value=0x7fed57b81b38, return_value_ptr=0x7fed57b46488, this_ptr=0x7fed57b7f4a8, return_value_used=0, 
    tsrm_ls=0x1d754b0) at /home/kevin/php/php5.6-201405270630/ext/spl/spl_directory.c:837
#3  0x0000000000a6c601 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fed57b46620, tsrm_ls=0x1d754b0) at /home/kevin/php/php5.6-201405270630/Zend/zend_vm_execute.h:558
#4  0x0000000000a6d0df in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7fed57b46620, tsrm_ls=0x1d754b0)
    at /home/kevin/php/php5.6-201405270630/Zend/zend_vm_execute.h:693
#5  0x0000000000a6b830 in execute_ex (execute_data=0x7fed57b46620, tsrm_ls=0x1d754b0) at /home/kevin/php/php5.6-201405270630/Zend/zend_vm_execute.h:363
#6  0x0000000000a6b913 in zend_execute (op_array=0x7fed57b804d8, tsrm_ls=0x1d754b0) at /home/kevin/php/php5.6-201405270630/Zend/zend_vm_execute.h:388
#7  0x0000000000a1e5a3 in zend_execute_scripts (type=8, tsrm_ls=0x1d754b0, retval=0x0, file_count=3) at /home/kevin/php/php5.6-201405270630/Zend/zend.c:1330
#8  0x000000000095bc69 in php_execute_script (primary_file=0x7fffda4a4b30, tsrm_ls=0x1d754b0) at /home/kevin/php/php5.6-201405270630/main/main.c:2584
#9  0x0000000000aeb10a in do_cli (argc=2, argv=0x1d753d0, tsrm_ls=0x1d754b0) at /home/kevin/php/php5.6-201405270630/sapi/cli/php_cli.c:994
#10 0x0000000000aec49d in main (argc=2, argv=0x1d753d0) at /home/kevin/php/php5.6-201405270630/sapi/cli/php_cli.c:1378
(gdb) quit


Test script:
---------------
http://pastie.org/private/9fwdoeiukaip9dhyjlu1g

Expected result:
----------------
Exception

Actual result:
--------------
Seg Fault

History

 [2014-05-29 14:10 UTC] rasmus@php.net
-Status: Open +Status: Verified
 [2014-05-29 14:10 UTC] rasmus@php.net
Reproduced. Here is the relevant Valgrind output:

==27787== Invalid read of size 4
==27787==    at 0x86AECC: zim_spl_DirectoryIterator_seek (spl_directory.c:827)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d575f4 is not stack'd, malloc'd or (recently) free'd
==27787==
==27787== Invalid read of size 4
==27787==    at 0x86B073: zim_spl_DirectoryIterator_seek (spl_directory.c:835)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d575f4 is not stack'd, malloc'd or (recently) free'd
==27787==
==27787== Invalid read of size 8
==27787==    at 0xA861A0: zend_call_method (zend_interfaces.c:75)
==27787==    by 0x86AFBB: zim_spl_DirectoryIterator_seek (spl_directory.c:837)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d57610 is not stack'd, malloc'd or (recently) free'd
==27787==
==27787== Invalid write of size 8
==27787==    at 0xA8624D: zend_call_method (zend_interfaces.c:81)
==27787==    by 0x86AFBB: zim_spl_DirectoryIterator_seek (spl_directory.c:837)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d57610 is not stack'd, malloc'd or (recently) free'd
==27787==
==27787== Invalid read of size 8
==27787==    at 0xA861A0: zend_call_method (zend_interfaces.c:75)
==27787==    by 0x86B04D: zim_spl_DirectoryIterator_seek (spl_directory.c:845)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d57608 is not stack'd, malloc'd or (recently) free'd
==27787==
==27787== Invalid write of size 8
==27787==    at 0xA8624D: zend_call_method (zend_interfaces.c:81)
==27787==    by 0x86B04D: zim_spl_DirectoryIterator_seek (spl_directory.c:845)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d57608 is not stack'd, malloc'd or (recently) free'd
==27787==
==27787== Invalid read of size 8
==27787==    at 0xA8625B: zend_call_method (zend_interfaces.c:84)
==27787==    by 0x86AFBB: zim_spl_DirectoryIterator_seek (spl_directory.c:837)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d57610 is not stack'd, malloc'd or (recently) free'd
==27787==
==27787== Invalid read of size 8
==27787==    at 0xA8625B: zend_call_method (zend_interfaces.c:84)
==27787==    by 0x86B04D: zim_spl_DirectoryIterator_seek (spl_directory.c:845)
==27787==    by 0xAAB89E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==27787==    by 0xAAC075: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:693)
==27787==    by 0xAAAF13: execute_ex (zend_vm_execute.h:363)
==27787==    by 0xAAAF9C: zend_execute (zend_vm_execute.h:388)
==27787==    by 0xA65F2F: zend_execute_scripts (zend.c:1330)
==27787==    by 0x9CDEF1: php_execute_script (main.c:2584)
==27787==    by 0xB190AC: do_cli (php_cli.c:994)
==27787==    by 0xB1A3DA: main (php_cli.c:1378)
==27787==  Address 0x10d57608 is not stack'd, malloc'd or (recently) free'd
 [2014-06-01 11:40 UTC] laruence@php.net
-Summary: Seg Fault +Summary: Segfault in recursiveDirectoryIterator
 [2014-06-01 11:43 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38be99b739c6ad55b01fe304a083e7a1e36c05ee
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-06-01 11:43 UTC] laruence@php.net
-Status: Verified +Status: Closed
 [2014-06-01 15:05 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38be99b739c6ad55b01fe304a083e7a1e36c05ee
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-06-04 01:22 UTC] tyrael@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38be99b739c6ad55b01fe304a083e7a1e36c05ee
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-06-06 07:00 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38be99b739c6ad55b01fe304a083e7a1e36c05ee
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-06-06 07:07 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38be99b739c6ad55b01fe304a083e7a1e36c05ee
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-07-29 21:56 UTC] johannes@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b5051ff939eb9dbada8ce10fbea8cf37e50b5a36
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-08-13 13:27 UTC] aavindraa at gmail dot com
Is there any chance of this patch going to the 5.5 branch?
 [2014-08-14 15:34 UTC] johannes@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b5051ff939eb9dbada8ce10fbea8cf37e50b5a36
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-08-14 19:32 UTC] dmitry@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b5051ff939eb9dbada8ce10fbea8cf37e50b5a36
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b5051ff939eb9dbada8ce10fbea8cf37e50b5a36
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=38be99b739c6ad55b01fe304a083e7a1e36c05ee
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b5051ff939eb9dbada8ce10fbea8cf37e50b5a36
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=38be99b739c6ad55b01fe304a083e7a1e36c05ee
Log: Fixed bug #67359 (Segfault in recursiveDirectoryIterator)
 
Last updated: Sun Feb 26 14:01:37 2017 UTC