Bug #69388 Use after free on recursive calls to PHP compiler
Submitted: 2015-04-06 20:41 UTC
Modified: 2015-04-06 20:41 UTC
From: dmitry@php.net
Assigned: nikic
Status: Closed
Package: Scripting Engine problem
PHP Version: master-Git-2015-04-06 (Git)
OS: *
Private report: No
CVE-ID: None
 [2015-04-06 20:41 UTC] dmitry@php.net
Description:
------------
The bug is visible only with opcache disabled. PHP-5.5 and 5.6 are not affected.

Test script:
---------------
<?php
error_reporting(E_ALL | E_STRICT);
function handle_error($code, $message, $file, $line, $context) {
	if (!function_exists("bla")) {
		eval('function bla($s) {echo "$s\n";}');
	}
	bla($message);
}

set_error_handler('handle_error');
eval('namespace {use Exception;}');


Expected result:
----------------
The use statement with non-compound name 'Exception' has no effect

Actual result:
--------------
The use statement with non-compound name 'Exception' has no effect
==24404== Invalid read of size 4
==24404==    at 0x85E9F42: _zend_is_inconsistent (zend_hash.c:44)
==24404==    by 0x85EB22F: _zend_hash_add_or_update_i (zend_hash.c:475)
==24404==    by 0x85EB522: _zend_hash_add (zend_hash.c:537)
==24404==    by 0x85B6F4B: zend_hash_add_ptr (zend_hash.h:458)
==24404==    by 0x85C2753: zend_compile_use (zend_compile.c:5188)
==24404==    by 0x85C66B4: zend_compile_stmt (zend_compile.c:6726)
==24404==    by 0x85C62E2: zend_compile_top_stmt (zend_compile.c:6630)
==24404==    by 0x85C62C3: zend_compile_top_stmt (zend_compile.c:6625)
==24404==    by 0x85C2C5D: zend_compile_namespace (zend_compile.c:5329)
==24404==    by 0x85C66D4: zend_compile_stmt (zend_compile.c:6732)
==24404==    by 0x85C62E2: zend_compile_top_stmt (zend_compile.c:6630)
==24404==    by 0x85C62C3: zend_compile_top_stmt (zend_compile.c:6625)
==24404==  Address 0x6d82b80 is 8 bytes inside a block of size 44 free'd
==24404==    at 0x400826D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24404==    by 0x85B6142: _efree (zend_alloc.c:2216)
==24404==    by 0x85BA838: zend_reset_import_tables (zend_compile.c:1628)
==24404==    by 0x85BA8D7: zend_end_namespace (zend_compile.c:1648)
==24404==    by 0x85BA90F: zend_do_end_compilation (zend_compile.c:1659)
==24404==    by 0x859E02B: compile_string (zend_language_scanner.l:753)
==24404==    by 0x8627865: ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (zend_vm_execute.h:3364)
==24404==    by 0x8621632: execute_ex (zend_vm_execute.h:394)
==24404==    by 0x85CAEEA: zend_call_function (zend_execute_API.c:838)
==24404==    by 0x85CA732: call_user_function_ex (zend_execute_API.c:661)
==24404==    by 0x85DD295: zend_error (zend.c:1231)
==24404==    by 0x85C24F2: zend_compile_use (zend_compile.c:5125)
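
A triage aid for the memcheck output above, added here as an example and not part of the original report or of php-src: it splits the report into the access stack and the free stack and lists the functions present in both, which is the signature of a re-entrant free. The names `split_stacks` and `reentrant_frames` are hypothetical, and the embedded trace is abridged from the report.

```python
import re

# Abridged from the memcheck output in the report above.
REPORT = """\
==24404== Invalid read of size 4
==24404==    at 0x85E9F42: _zend_is_inconsistent (zend_hash.c:44)
==24404==    by 0x85B6F4B: zend_hash_add_ptr (zend_hash.h:458)
==24404==    by 0x85C2753: zend_compile_use (zend_compile.c:5188)
==24404==    by 0x85C66B4: zend_compile_stmt (zend_compile.c:6726)
==24404==  Address 0x6d82b80 is 8 bytes inside a block of size 44 free'd
==24404==    at 0x400826D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24404==    by 0x85BA838: zend_reset_import_tables (zend_compile.c:1628)
==24404==    by 0x859E02B: compile_string (zend_language_scanner.l:753)
==24404==    by 0x85DD295: zend_error (zend.c:1231)
==24404==    by 0x85C24F2: zend_compile_use (zend_compile.c:5125)
"""

# One stack frame: "at|by <addr>: <function> (<file:line or 'in <object>'>)"
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)")
# The line that introduces the stack of the earlier free()
FREED = re.compile(r"==\d+==\s+Address 0x[0-9A-Fa-f]+ is .* free'd")


def split_stacks(report):
    """Return (access_stack, free_stack) as lists of (function, location)."""
    access, free, current = [], [], None
    for line in report.splitlines():
        if "Invalid read" in line or "Invalid write" in line:
            current = access
        elif FREED.match(line):
            current = free
        elif current is not None and (m := FRAME.match(line)):
            current.append((m.group(1), m.group(2)))
    return access, free


def reentrant_frames(report):
    """Functions on the stack both at the free and at the later access,
    as (function, access_location, free_location)."""
    access, free = split_stacks(report)
    freed_in = dict(free)
    return [(fn, loc, freed_in[fn]) for fn, loc in access if fn in freed_in]


if __name__ == "__main__":
    for fn, used_at, freed_under in reentrant_frames(REPORT):
        print(f"{fn}: block freed under call at {freed_under}, used at {used_at}")
```

On this report the only shared frame is `zend_compile_use`: the block was freed under the call at zend_compile.c:5125 and read again at zend_compile.c:5188.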


History

 [2015-04-06 20:41 UTC] dmitry@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: nikic
 [2015-04-20 16:19 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0381c1b79e9491e68c9ca85a21e0a5bd68f3840f
Log: Fixed bug #69388
 [2015-04-20 16:19 UTC] nikic@php.net
-Status: Assigned
+Status: Closed
 [2016-07-20 11:39 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0381c1b79e9491e68c9ca85a21e0a5bd68f3840f
Log: Fixed bug #69388
 