php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70808 array_merge_recursive corrupts memory of unset items (Drupal 8 test failure)
Submitted: 2015-10-29 01:32 UTC Modified: 2015-10-29 03:18 UTC
From: fabian at tag1consulting dot com Assigned: laruence
Status: Closed Package: Reproducible crash
PHP Version: 7.0.0RC5 OS: Linux / Ubuntu
Private report: No CVE-ID:
 [2015-10-29 01:32 UTC] fabian at tag1consulting dot com
Description:
------------
This is a very hard to reproduce bug, but I managed to transform it down to the bare minimum. It is very fragile, too and little changes lead to it no longer being reproducible.

I am not sure why the autoload.php is needed, but I guess it loads enough classes so that the memory corruption becomes relevant. I was not able to create a test case without this autoload.php ...

I imagine if the index is just NULL by accident that then the thing succeeds even though the memory is corrupted, just because the data structure are correct by accident ...

This is a pretty critical bug as it clearly leads to a segfault without the user doing anything problematic.

It also is one of two last blockers for Drupal 8's test suite passing on PHP 7.

Test script:
---------------
You need Drupal 8, but no database, get setup with the following commands:

curl http://ftp.drupal.org/files/projects/drupal-8.0.0-rc2.tar.gz -O
tar xzf drupal-8.0.0-rc2.tar.gz
cd drupal-8.0.0-rc2/
curl https://gist.githubusercontent.com/LionsAd/73e027259c9ff8444eeb/raw/ab60b2041949f335a079731e4a83030b2bd81878/test_php7_crash.php -O
mv test_php7_crash.php tc.php
php tc.php

Note: The filename of the script does matter - yes this memory corruption bug is that fragile :-/.

Expected result:
----------------
Array
(
    [html_head] => Array
        (
            [0] => 0
            [2] => 2
        )

)

Note:

PHP5 however gives back:

Array
(
    [html_head] => Array
        (
            [0] => 0
            [1] => 2
        )

)

so the array_merge_recursive() has done an automatic re-index - which also 'work-arounds' the bug in here and might be the cause of the problems in the first place.

Actual result:
--------------
Array
(
    [html_head] => Array
        (
            [0] => 0
            [Segmentation fault (core dumped)


Core was generated by `php tc.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  print_hash (write_func=write_func@entry=0x755040 <php_output_wrapper>, indent=12, indent@entry=8, is_object=is_object@entry=0 '\000', 
    ht=<optimized out>, ht=<optimized out>) at /home/ubuntu/php7/php-src/Zend/zend.c:202
202					ZEND_WRITE_EX(ZSTR_VAL(string_key), ZSTR_LEN(string_key));
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
(gdb) bt
#0  print_hash (write_func=write_func@entry=0x755040 <php_output_wrapper>, indent=12, indent@entry=8, is_object=is_object@entry=0 '\000', 
    ht=<optimized out>, ht=<optimized out>) at /home/ubuntu/php7/php-src/Zend/zend.c:202
#1  0x00000000007b22fe in zend_print_zval_r_ex (write_func=write_func@entry=0x755040 <php_output_wrapper>, expr=expr@entry=0x7f6ed0ce0a20, 
    indent=indent@entry=8) at /home/ubuntu/php7/php-src/Zend/zend.c:340
#2  0x00000000007b258e in print_hash (write_func=write_func@entry=0x755040 <php_output_wrapper>, indent=4, indent@entry=0, 
    is_object=is_object@entry=0 '\000', ht=<optimized out>, ht=<optimized out>) at /home/ubuntu/php7/php-src/Zend/zend.c:210
#3  0x00000000007b22fe in zend_print_zval_r_ex (write_func=0x755040 <php_output_wrapper>, expr=0x7f6ed0c13310, indent=indent@entry=0)
    at /home/ubuntu/php7/php-src/Zend/zend.c:340
#4  0x00000000007b23c4 in zend_print_zval_r (expr=<optimized out>, indent=indent@entry=0) at /home/ubuntu/php7/php-src/Zend/zend.c:324
#5  0x00000000006dcda0 in zif_print_r (execute_data=<optimized out>, return_value=0x7f6ed0c132a0)
    at /home/ubuntu/php7/php-src/ext/standard/basic_functions.c:5487
#6  0x00000000007fbc8d in ZEND_DO_ICALL_SPEC_HANDLER () at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:586
#7  0x00000000007ee43b in execute_ex (ex=<optimized out>) at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:414
#8  0x00000000008374c7 in zend_execute (op_array=0x7f6ed0c7e000, op_array@entry=0x7f6ed0c85120, return_value=return_value@entry=0x7f6ed0c131f0)
    at /home/ubuntu/php7/php-src/Zend/zend_vm_execute.h:458
#9  0x00000000007b31d4 in zend_execute_scripts (type=type@entry=8, retval=0x7f6ed0c131f0, retval@entry=0x0, file_count=file_count@entry=3)
    at /home/ubuntu/php7/php-src/Zend/zend.c:1428
#10 0x0000000000757658 in php_execute_script (primary_file=primary_file@entry=0x7ffff3fb9660) at /home/ubuntu/php7/php-src/main/main.c:2471
#11 0x0000000000839093 in do_cli (argc=2, argv=0x15f1e40) at /home/ubuntu/php7/php-src/sapi/cli/php_cli.c:974
#12 0x0000000000441db0 in main (argc=2, argv=0x15f1e40) at /home/ubuntu/php7/php-src/sapi/cli/php_cli.c:1345
(gdb) 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-29 03:18 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-10-29 06:35 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=179fba3f3801d5528cfc5e82be09cf8ef512b0ba
Log: Fixed bug #70808 (array_merge_recursive corrupts memory of unset items)
 [2015-10-29 06:35 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-10-29 06:35 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=179fba3f3801d5528cfc5e82be09cf8ef512b0ba
Log: Fixed bug #70808 (array_merge_recursive corrupts memory of unset items)
 [2015-11-09 18:12 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51f9948b2bcfb7b33f6739b13b88957c063be9a6
Log: Fixed bug #70808 (array_merge_recursive corrupts memory of unset items)
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=179fba3f3801d5528cfc5e82be09cf8ef512b0ba
Log: Fixed bug #70808 (array_merge_recursive corrupts memory of unset items)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC