Bug #70918 Segfault using static outside of class scope
Submitted: 2015-11-15 02:06 UTC
Modified: 2015-11-16 10:21 UTC
From: leigh@php.net
Assigned: laruence
Status: Closed
Package: Reproducible crash
PHP Version: master-Git-2015-11-15 (Git)
OS: Linux
Private report: No
CVE-ID: None
 [2015-11-15 02:06 UTC] leigh@php.net
Description:
------------
Using static outside of a class scope causes a segfault in git master. 7.0 is _not_ affected.

https://3v4l.org/nOblY

Test script:
---------------
<?php

static::x;

Expected result:
----------------
Fatal error: Cannot access static:: when no class scope is active in ....

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000d99464 in zend_hash_find_bucket (ht=0xb0, ht@entry=0x7ffff6855430, ht=0xb0, ht@entry=0x7ffff6855430, key=0x7ffff6855380) at /home/leigh/php-src/Zend/zend_hash.c:437
437             nIndex = h | ht->nTableMask;
(gdb) bt
#0  0x0000000000d99464 in zend_hash_find_bucket (ht=0xb0, ht@entry=0x7ffff6855430, ht=0xb0, ht@entry=0x7ffff6855430, key=0x7ffff6855380) at /home/leigh/php-src/Zend/zend_hash.c:437
#1  zend_hash_find (ht=ht@entry=0xb0, key=0x7ffff6855380) at /home/leigh/php-src/Zend/zend_hash.c:1890
#2  0x0000000000edddf8 in ZEND_FETCH_CLASS_CONSTANT_SPEC_UNUSED_CONST_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:23918
#3  0x0000000000ec3ff3 in execute_ex (ex=<optimized out>) at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#4  0x00000000010b8d7b in zend_execute (op_array=op_array@entry=0x7ffff687e000, return_value=return_value@entry=0x0) at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#5  0x0000000000cc5abc in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=-159305680, file_count@entry=3) at /home/leigh/php-src/Zend/zend.c:1428
#6  0x0000000000a85968 in php_execute_script (primary_file=0x7fffffffd2d0) at /home/leigh/php-src/main/main.c:2471
#7  0x00000000010c0911 in do_cli (argc=176, argv=0x7ffff6855380) at /home/leigh/php-src/sapi/cli/php_cli.c:974
#8  0x000000000042ff61 in main (argc=176, argv=0x7ffff6855380) at /home/leigh/php-src/sapi/cli/php_cli.c:1345


 [2015-11-15 02:42 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=06fe956460f93041abdaf4a12ccde43d317fa20c
Log: Fixed Bug #70918 (Segfault using static outside of class scope)
 [2015-11-15 02:42 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-11-16 09:41 UTC] leigh@php.net
-Status: Closed +Status: Re-Opened
 [2015-11-16 09:41 UTC] leigh@php.net
Hi Laruence, while fuzzing after your patch I found some more issues with static outside of class scope.

new static;
static::$i;
static::x();

Can you think of any other handlers that also need updating?



leigh@zaru:~/php-src$ git log -n 1 06fe95
commit 06fe956460f93041abdaf4a12ccde43d317fa20c
Author: Xinchen Hui <laruence@gmail.com>
Date:   Sat Nov 14 18:41:55 2015 -0800

    Fixed Bug #70918 (Segfault using static outside of class scope)



(gdb) r -r 'new static;'
Starting program: /home/leigh/php-src/sapi/cli/php -r 'new static;'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_object_init_ex (arg=arg@entry=0x7fffffffcea0, class_type=class_type@entry=0x0)
    at /home/leigh/php-src/Zend/zend_API.c:1296
1296		return _object_and_properties_init(arg, class_type, 0 ZEND_FILE_LINE_RELAY_CC);
(gdb) bt
#0  _object_init_ex (arg=arg@entry=0x7fffffffcea0, class_type=class_type@entry=0x0)
    at /home/leigh/php-src/Zend/zend_API.c:1296
#1  0x000000000109e2f0 in ZEND_NEW_SPEC_UNUSED_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:22572
#2  0x0000000000ec40a3 in execute_ex (ex=<optimized out>)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#3  0x00000000010b8deb in zend_execute (op_array=op_array@entry=0x7ffff687e000, 
    return_value=return_value@entry=0x7fffffffcf70)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#4  0x0000000000c65d4f in zend_eval_stringl (str=str@entry=0x14fca40 "new static;", str_len=11, 
    retval_ptr=retval_ptr@entry=0x0, string_name=0x7ffff6812030 " \215O\001", 
    string_name@entry=0x1273b67 "Command line code")
    at /home/leigh/php-src/Zend/zend_execute_API.c:1125
#5  0x0000000000c66293 in zend_eval_stringl_ex (handle_exceptions=1, 
    string_name=0x1273b67 "Command line code", retval_ptr=0x0, str_len=<optimized out>, 
    str=0x14fca40 "new static;") at /home/leigh/php-src/Zend/zend_execute_API.c:1166
#6  zend_eval_string_ex (str=0x14fca40 "new static;", retval_ptr=0x0, 
    string_name=0x1273b67 "Command line code", handle_exceptions=1)
    at /home/leigh/php-src/Zend/zend_execute_API.c:1177
#7  0x00000000010c0237 in do_cli (argc=-12640, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1005
#8  0x000000000042ff61 in main (argc=-12640, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345



(gdb) r -r 'static::$i;'
Starting program: /home/leigh/php-src/sapi/cli/php -r 'static::$i;'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000d99514 in zend_hash_find_bucket (ht=0x78, ht@entry=0xf0, ht=0x78, ht@entry=0xf0, 
    key=key@entry=0x7ffff6854420) at /home/leigh/php-src/Zend/zend_hash.c:437
437		nIndex = h | ht->nTableMask;
(gdb) bt
#0  0x0000000000d99514 in zend_hash_find_bucket (ht=0x78, ht@entry=0xf0, ht=0x78, ht@entry=0xf0, 
    key=key@entry=0x7ffff6854420) at /home/leigh/php-src/Zend/zend_hash.c:437
#1  zend_hash_find (ht=ht@entry=0x78, key=key@entry=0x7ffff6854420)
    at /home/leigh/php-src/Zend/zend_hash.c:1890
#2  0x0000000000ea3564 in zend_hash_find_ptr (key=0x7ffff6854420, key@entry=0x0, ht=0x78)
    at /home/leigh/php-src/Zend/zend_hash.h:670
#3  zend_std_get_static_property (ce=ce@entry=0x0, 
    property_name=property_name@entry=0x7ffff6854420, silent=silent@entry=0 '\000')
    at /home/leigh/php-src/Zend/zend_object_handlers.c:1270
#4  0x000000000102d325 in zend_fetch_static_prop_helper_SPEC_CONST_UNUSED (type=0)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:7309
#5  ZEND_FETCH_STATIC_PROP_R_SPEC_CONST_UNUSED_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:7337
#6  0x0000000000ec40a3 in execute_ex (ex=<optimized out>)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#7  0x00000000010b8deb in zend_execute (op_array=op_array@entry=0x7ffff687e000, 
    return_value=return_value@entry=0x7fffffffcf70)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#8  0x0000000000c65d4f in zend_eval_stringl (str=str@entry=0x14fca40 "static::$i;", str_len=11, 
    retval_ptr=retval_ptr@entry=0x0, string_name=0x7ffff6812030 " \215O\001", 
    string_name@entry=0x1273b67 "Command line code")
    at /home/leigh/php-src/Zend/zend_execute_API.c:1125
#9  0x0000000000c66293 in zend_eval_stringl_ex (handle_exceptions=1, 
    string_name=0x1273b67 "Command line code", retval_ptr=0x0, str_len=<optimized out>, 
    str=0x14fca40 "static::$i;") at /home/leigh/php-src/Zend/zend_execute_API.c:1166
#10 zend_eval_string_ex (str=0x14fca40 "static::$i;", retval_ptr=0x0, 
    string_name=0x1273b67 "Command line code", handle_exceptions=1)
    at /home/leigh/php-src/Zend/zend_execute_API.c:1177
#11 0x00000000010c0237 in do_cli (argc=120, argv=0x7ffff6854420)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1005
#12 0x000000000042ff61 in main (argc=120, argv=0x7ffff6854420)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345



(gdb) r -r 'static::x();'
Starting program: /home/leigh/php-src/sapi/cli/php -r 'static::x();'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
ZEND_INIT_STATIC_METHOD_CALL_SPEC_UNUSED_CONST_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:23762
23762			if (ce->get_static_method) {
(gdb) bt
#0  ZEND_INIT_STATIC_METHOD_CALL_SPEC_UNUSED_CONST_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:23762
#1  0x0000000000ec40a3 in execute_ex (ex=<optimized out>)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#2  0x00000000010b8deb in zend_execute (op_array=op_array@entry=0x7ffff687e000, 
    return_value=return_value@entry=0x7fffffffcf80)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#3  0x0000000000c65d4f in zend_eval_stringl (str=str@entry=0x14fca40 "static::x();", str_len=12, 
    retval_ptr=retval_ptr@entry=0x0, string_name=0x7ffff6812030 " \215O\001", 
    string_name@entry=0x1273b67 "Command line code")
    at /home/leigh/php-src/Zend/zend_execute_API.c:1125
#4  0x0000000000c66293 in zend_eval_stringl_ex (handle_exceptions=1, 
    string_name=0x1273b67 "Command line code", retval_ptr=0x0, str_len=<optimized out>, 
    str=0x14fca40 "static::x();") at /home/leigh/php-src/Zend/zend_execute_API.c:1166
#5  zend_eval_string_ex (str=0x14fca40 "static::x();", retval_ptr=0x0, 
    string_name=0x1273b67 "Command line code", handle_exceptions=1)
    at /home/leigh/php-src/Zend/zend_execute_API.c:1177
#6  0x00000000010c0237 in do_cli (argc=-159379392, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1005
#7  0x000000000042ff61 in main (argc=-159379392, argv=0x0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345
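
A regression check for the four forms reported in this thread, as an added example that is not part of the original report or of php-src: it runs each snippet with `php -r` and separates a death by signal from the fatal error the report expects. `PHP_BIN` and the function names are assumptions of this example; 255 is the exit status the PHP CLI returns after a fatal error.

```shell
#!/bin/sh
# Added example, not php-src code. PHP_BIN (assumption) is the php CLI under test.

# Snippets taken from the report and the follow-up comment, one per line.
CASES='static::x;
new static;
static::$i;
static::x();'

# Map a shell exit status to a verdict.
#   129..254 : child was killed by signal (status - 128); 139 is SIGSEGV
#   255      : PHP CLI exit status after a fatal error (the expected outcome)
classify_status() {
    status=$1
    if [ "$status" -gt 128 ] && [ "$status" -lt 255 ]; then
        echo "CRASH signal $((status - 128))"
    elif [ "$status" -eq 255 ]; then
        echo "fatal-error"
    elif [ "$status" -eq 0 ]; then
        echo "no-error"
    else
        echo "exit $status"
    fi
}

# Run one snippet with `php -n -r` (-n: ignore php.ini) and print its verdict.
run_case() {
    bin=$1 code=$2 status=0
    "$bin" -n -r "$code" </dev/null >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Run every case; succeed only if each one ends in the expected fatal error.
check_all() {
    bin=$1 failed=0
    while IFS= read -r code; do
        verdict=$(run_case "$bin" "$code")
        printf '%-14s %s\n' "$code" "$verdict"
        [ "$verdict" = "fatal-error" ] || failed=1
    done <<EOF
$CASES
EOF
    return "$failed"
}

# Only runs when a binary is supplied: PHP_BIN=sapi/cli/php sh check.sh
if [ -n "${PHP_BIN:-}" ]; then
    check_all "$PHP_BIN"
fi
```
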
 [2015-11-16 10:09 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-11-16 10:21 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed
 [2016-04-18 09:30 UTC] bwoebi@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=06fe956460f93041abdaf4a12ccde43d317fa20c
Log: Fixed Bug #70918 (Segfault using static outside of class scope)
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=06fe956460f93041abdaf4a12ccde43d317fa20c
Log: Fixed Bug #70918 (Segfault using static outside of class scope)
 