Bug #70970 Segfault when combining error handler with output buffering
Submitted: 2015-11-25 13:30 UTC
Modified: 2015-11-25 16:08 UTC
From: sebastian@php.net
Assigned: laruence
Status: Closed
Package: Output Control
PHP Version: 7.0Git-2015-11-25 (Git)
OS: Linux
Private report: No
CVE-ID:
 [2015-11-25 13:30 UTC] sebastian@php.net
Description:
------------
While researching the changes made to output buffering in PHP 7 for a book I am working on with Arne Blankerts and Stefan Priebsch, Arne discovered the segfault shown below.

Of course, the code shown does not make any sense. Yet it should not lead to a segfault in PHP.

Test script:
---------------
<?php
function exception_error_handler($severity, $message, $file, $line)
{
    throw new ErrorException($message, 0, $severity, $file, $line);
}

set_error_handler('exception_error_handler');

function obHandler($buffer, $phase = null)
{
    try {
        ob_start();
    } catch (\Throwable $e) {
        return (string) $e;
    }

    return $buffer;
}

ob_start('obHandler');

print 'test';


Actual result:
--------------
#0  0x0000000000985e06 in zend_fcall_info_args_clear (fci=0x7372656c, free_mem=1) at /usr/local/src/php/src/Zend/zend_API.c:3427
#1  0x0000000000986368 in zend_fcall_info_argv (fci=0x7372656c, argc=0, argv=0x7fffffffbcc0) at /usr/local/src/php/src/Zend/zend_API.c:3534
#2  0x000000000098653d in zend_fcall_info_argn (fci=0x7372656c, argc=0) at /usr/local/src/php/src/Zend/zend_API.c:3556
#3  0x0000000000903731 in php_output_handler_op (handler=0x7fffee46a2a0, context=0x7fffffffbe30)
    at /usr/local/src/php/src/main/output.c:977
#4  0x0000000000903ef7 in php_output_stack_pop (flags=1) at /usr/local/src/php/src/main/output.c:1221
#5  0x0000000000901fd9 in php_output_end_all () at /usr/local/src/php/src/main/output.c:341
#6  0x00000000008e9682 in php_request_shutdown (dummy=0x0) at /usr/local/src/php/src/main/main.c:1777
#7  0x0000000000a37286 in do_cli (argc=2, argv=0x1357390) at /usr/local/src/php/src/sapi/cli/php_cli.c:1142
#8  0x0000000000a3796e in main (argc=2, argv=0x1357390) at /usr/local/src/php/src/sapi/cli/php_cli.c:1345


Patches

bug70970.patch (last revision 2015-11-25 16:09 UTC, by laruence@php.net)


History

 [2015-11-25 16:01 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a7e83f54aeb6d5464da6cc2b201ce47a23a88d9
Log: Fixed bug #70970 (Segfault when combining error handler with output buffering)
 [2015-11-25 16:01 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-11-25 16:08 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-11-25 16:08 UTC] laruence@php.net
Instead of the patch I attached, I prefer to make this thing simple and safe, that is, restore the catchable error to a fatal error.

We may fix this in master, but I am not sure whether it's worth doing so.
 [2015-11-25 16:09 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug70970.patch
Revision:   1448467753
URL:        https://bugs.php.net/patch-display.php?bug=70970&patch=bug70970.patch&revision=1448467753
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a7e83f54aeb6d5464da6cc2b201ce47a23a88d9
Log: Fixed bug #70970 (Segfault when combining error handler with output buffering)
 
Last updated: Tue Feb 28 14:01:40 2017 UTC