php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70156 Segfault in zend_find_alias_name
Submitted: 2015-07-28 08:25 UTC Modified: 2015-07-28 08:42 UTC
From: lbarnaud@php.net Assigned:
Status: Closed Package: Reflection related
PHP Version: 7.0.0beta2 OS:
Private report: No CVE-ID: None
 [2015-07-28 08:25 UTC] lbarnaud@php.net
Description:
------------
ReflectionClass->getMethods() can crash in the presence of traits and aliased methods

Test script:
---------------
https://gist.github.com/arnaud-lb/b86c8d989877270a7643 (this is a minimal reduction of https://github.com/cebe/markdown/blob/208be0fbf2c097e84daa741e76d66870a9e3a5c7/Markdown.php#L15 )

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000000000086e985 in zend_find_alias_name (ce=0x7ffff60045a8, name=0x7ffff607b140) at /php-src/Zend/zend_API.c:4109
4109                if (ZSTR_LEN(alias->alias) == ZSTR_LEN(name) &&
(gdb) bt
#0  0x000000000086e985 in zend_find_alias_name (ce=0x7ffff60045a8, name=0x7ffff607b140) at /php-src/Zend/zend_API.c:4109
#1  0x000000000086eb4c in zend_resolve_method_name (ce=0x7ffff60045a8, f=0x7ffff6004940) at /php-src/Zend/zend_API.c:4145
#2  0x00000000006845cb in reflection_method_factory (ce=0x7ffff60045a8, method=0x7ffff6004940, closure_object=0x0, object=0x7fffffffaf80)
    at /php-src/ext/reflection/php_reflection.c:1306
#3  0x000000000068ec30 in _addmethod (mptr=0x7ffff6004940, ce=0x7ffff60045a8, retval=0x7ffff60151a0, filter=512, obj=0x0)
    at /php-src/ext/reflection/php_reflection.c:4147
#4  0x000000000068edbd in _addmethod_va (el=0x7ffff6061e20, num_args=4, args=0x7fffffffb040, hash_key=0x7fffffffb030)
    at /php-src/ext/reflection/php_reflection.c:4162
#5  0x000000000087425c in zend_hash_apply_with_arguments (ht=0x7ffff60045e8, apply_func=0x68ec45 <_addmethod_va>, num_args=4)
    at /php-src/Zend/zend_hash.c:1496
#6  0x000000000068ef76 in zim_reflection_class_getMethods (execute_data=0x7ffff60151c0, return_value=0x7ffff60151a0)
    at /php-src/ext/reflection/php_reflection.c:4189
#7  0x00000000008b8ec0 in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x7ffff60150e0) at /php-src/Zend/zend_vm_execute.h:835
#8  0x00000000008b7cf1 in execute_ex (ex=0x7ffff6015030) at /php-src/Zend/zend_vm_execute.h:409
#9  0x00000000008b7e1b in zend_execute (op_array=0x7ffff607c000, return_value=0x0) at /php-src/Zend/zend_vm_execute.h:450
#10 0x000000000085eac6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /php-src/Zend/zend.c:1399
#11 0x00000000007cef8b in php_execute_script (primary_file=0x7fffffffe790) at /php-src/main/main.c:2475
#12 0x0000000000922c4d in do_cli (argc=2, argv=0x10c3550) at /php-src/sapi/cli/php_cli.c:971
#13 0x0000000000923c22 in main (argc=2, argv=0x10c3550) at /php-src/sapi/cli/php_cli.c:1338

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-28 08:42 UTC] laruence@php.net
-Summary: Segfault in ReflectionClass->getMethods() with trait aliases +Summary: Segfault in zend_find_alias_name
 [2015-07-28 08:42 UTC] laruence@php.net
An more general reproduce script is:

<?php
trait T1 {
    protected function foo1()
    {
        $this->bar();
    }
}

trait T2 {
    protected function foo2()
    {
        debug_print_backtrace();
    }
}

class dummy {
    use T1 {
        foo1 as private;
    }
    use T2 {
        foo2 as bar;
    }
    public function __construct()
    {
        $this->foo1();
    }
}

new dummy();

also changed title
 [2015-07-28 08:45 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0bddc18619062e2801ac4aecf76e95963d1990e3
Log: Fixed bug #70156 (Segfault in zend_find_alias_name)
 [2015-07-28 08:45 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-08-04 20:54 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0bddc18619062e2801ac4aecf76e95963d1990e3
Log: Fixed bug #70156 (Segfault in zend_find_alias_name)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0bddc18619062e2801ac4aecf76e95963d1990e3
Log: Fixed bug #70156 (Segfault in zend_find_alias_name)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC