Bug #68412 Infinite recursion with __call can make the program crash/segfault
Submitted: 2014-11-12 21:33 UTC Modified: 2016-07-14 11:11 UTC
From: drewparoski at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.6.3RC1 OS: CentOS Linux 6.3
Private report: No CVE-ID: None
 [2014-11-12 21:33 UTC] drewparoski at gmail dot com
Description:
------------
The test script I provided crashes on all versions of PHP 5 and PHP 7 (according to 3v4l.org). Here is the backtrace from PHP 5.5.8:

#0  0x00000000006ae6fe in zend_call_function (fci=0x7fffff7ff050,
    fci_cache=0x7fffff7ff0a0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:766
#1  0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ff178,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ff188, param_count=2, arg1=0x7fffeff10158,
    arg2=0x7fffeff100d0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#2  0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
    return_value=0x7fffeff100a0, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff10070, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896
#3  0x000000000073e6b3 in zend_do_fcall_common_helper_SPEC (
    execute_data=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:550
#4  0x000000000072ff50 in execute_ex (execute_data=0x7fffeff6cd50)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:363
#5  0x00000000006af00e in zend_call_function (fci=0x7fffff7ff430,
    fci_cache=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:939
#6  0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ff558,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ff568, param_count=2, arg1=0x7fffeff0ffc8,
    arg2=0x7fffeff0ff40)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#7  0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
    return_value=0x7fffeff0ff10, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff0fee0, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896
#8  0x000000000073e6b3 in zend_do_fcall_common_helper_SPEC (
    execute_data=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:550
#9  0x000000000072ff50 in execute_ex (execute_data=0x7fffeff6cc00)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:363
#10 0x00000000006af00e in zend_call_function (fci=0x7fffff7ff810,
    fci_cache=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:939
#11 0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ff938,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ff948, param_count=2, arg1=0x7fffeff0fe38,
    arg2=0x7fffeff0fdb0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#12 0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
    return_value=0x7fffeff0fd80, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff0fd50, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896
#13 0x000000000073e6b3 in zend_do_fcall_common_helper_SPEC (
    execute_data=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:550
#14 0x000000000072ff50 in execute_ex (execute_data=0x7fffeff6cab0)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_vm_execute.h:363
#15 0x00000000006af00e in zend_call_function (fci=0x7fffff7ffbf0,
    fci_cache=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_execute_API.c:939
#16 0x00000000006d4f17 in zend_call_method (object_pp=0x7fffff7ffd18,
    obj_ce=<optimized out>, fn_proxy=0x7ffff7fdb8c8,
    function_name=0xaac5a2 "__call", function_name_len=<optimized out>,
    retval_ptr_ptr=0x7fffff7ffd28, param_count=2, arg1=0x7fffeff0fca8,
    arg2=0x7fffeff0fc20)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_interfaces.c:97
#17 0x00000000006e355d in zend_std_call_user_call (ht=<optimized out>,
    return_value=0x7fffeff0fbf0, return_value_ptr=<optimized out>,
    this_ptr=0x7fffeff0fbc0, return_value_used=<optimized out>)
    at /data/users/andrewparoski/php-5.5.8/Zend/zend_object_handlers.c:896

Test script:
---------------
<?php
class C {
  public function __call($x, $y) {
    global $z;
    $z->bar();   // $z is itself a C, so this re-enters __call: unbounded mutual recursion
  }
}
$z = new C;
function main() {
  global $z;
  $z->foo();     // undefined method -> __call, which never terminates
}
main();

Expected result:
----------------
Fatal error: Stack overflow in <filename> on line <linenumber>

Actual result:
--------------
Segmentation fault
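The report shows a delegation cycle through __call exhausting the engine's C stack. As an added example (not part of the report or of PHP's own fix), the proxy below keeps a userland depth counter inside __call so that such a cycle surfaces as a catchable exception on builds where the engine would otherwise segfault; the class name and the MAX_DEPTH value are assumptions chosen for illustration.

```php
<?php
// Added example, not from the bug report: a re-entrancy guard for __call.
// Cycles like C::__call -> $z->bar() -> C::__call -> ... recurse through the
// engine's C stack (see the gdb backtrace above). Counting delegation depth
// in userland stops the cycle before the C stack is exhausted.
class GuardedProxy {
    const MAX_DEPTH = 64;        // assumed limit; size it to your longest legitimate chain
    private static $depth = 0;   // shared across instances: cycles can span objects
    private $target;

    public function __construct($target = null) { $this->target = $target; }
    public function setTarget($target) { $this->target = $target; }

    public function __call($name, $args) {
        if (self::$depth >= self::MAX_DEPTH) {
            // Thrown before the try block, so the outer frames' finally
            // clauses unwind the counter as the exception propagates.
            throw new RuntimeException(
                "__call recursion exceeded " . self::MAX_DEPTH . " frames at $name()");
        }
        if (!is_object($this->target)
            || (!method_exists($this->target, $name)
                && !method_exists($this->target, '__call'))) {
            throw new BadMethodCallException("No method $name on target");
        }
        self::$depth++;
        try {                                   // finally needs PHP >= 5.5
            return call_user_func_array(array($this->target, $name), $args);
        } finally {
            self::$depth--;
        }
    }
}

// Constructed demo: two proxies that delegate to each other form a cycle.
$a = new GuardedProxy();
$b = new GuardedProxy($a);
$a->setTarget($b);
try {
    $a->foo();                                  // foo() is undefined on both -> __call ping-pong
} catch (RuntimeException $e) {
    echo "caught: ", $e->getMessage(), "\n";    // instead of a segfault
}
```

The guard only protects delegation that passes through this class; code that reaches a recursive __call by another path still needs the engine-level fix dmitry describes for PHP 7.0.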

History
 [2016-07-14 11:11 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2016-07-14 11:11 UTC] dmitry@php.net
This is fixed in PHP-7.0, invoking __call() through "trampoline".