Bug #73553 segfault in zend_objects_destroy_object (zend_objects.c:62)
Submitted: 2016-11-17 08:24 UTC
Modified: 2017-01-02 12:26 UTC
From: brian dot carpenter at gmail dot com
Assigned:
Status: Duplicate
Package: Scripting Engine problem
PHP Version: 5.6.28
OS: Debian 8.x
Private report: No
CVE-ID: None
 [2016-11-17 08:24 UTC] brian dot carpenter at gmail dot com
Description:
------------
According to 3v4l.org, this script crashes 5.6.0-5.6.28 and 7.0.0-7.1.0RC6.

Test script:
---------------
<?php class Node{private$n0;public function setNe0t($node=0){$this->n0=$node;return$this;}}class Lin0edList{private$d;public function addNode(){$this->head=(new Node)->setNe0t($this->head);}}$ll=new Lin0edList;for(;$i<100000;$i++){$ll->addNode();}

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000019ae6a0 in zend_objects_destroy_object (object=0x7ffff0d83120,
    handle=88868) at /root/php-5.6.28/Zend/zend_objects.c:62
62      {
(gdb) list
57                      efree(object->properties_table);
58              }
59      }
60
61      ZEND_API void zend_objects_destroy_object(zend_object *object, zend_object_handle handle TSRMLS_DC)
62      {
63              zend_function *destructor = object ? object->ce->destructor : NULL;
64
65              if (destructor) {
66                      zval *old_exception;
(gdb) bt
#0  0x00000000019ae6a0 in zend_objects_destroy_object (object=0x7ffff0d83120,
    handle=88868) at /root/php-5.6.28/Zend/zend_objects.c:62
#1  0x00000000019ae630 in .AFL_VARS ()
#2  0x00007ffff1606128 in ?? ()
#3  0x0000000000000000 in ?? ()

 [2016-11-25 21:35 UTC] stas@php.net
-Type: Security
+Type: Bug
-Package: Reproducible crash
+Package: Scripting Engine problem
 [2016-11-25 21:35 UTC] stas@php.net
Looks like a case of stack exhaustion by building a long chain of nested destructors.
 [2017-01-02 12:26 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
 [2017-01-02 12:26 UTC] nikic@php.net
Duplicate of bug #68606.
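
The stack exhaustion described in the comments comes from releasing the head of a long chain, which destroys each node from inside the destruction of the one before it. As an added example (not code from this report or from PHP itself; the class and method names are hypothetical), a list can unlink its nodes in a loop so that each object is released with no successor attached:

```php
<?php
// Added illustration: names are hypothetical, not from the report or PHP itself.
final class ChainNode
{
    private $next;

    public function __construct($next = null)
    {
        $this->next = $next;
    }

    // Return the successor and drop this node's reference to it.
    public function detachNext()
    {
        $next = $this->next;
        $this->next = null;
        return $next;
    }
}

final class Chain
{
    private $head = null;

    public function push()
    {
        $this->head = new ChainNode($this->head);
    }

    // Unlink nodes in a loop; returns how many were released.
    public function clear()
    {
        $freed = 0;
        $node = $this->head;
        $this->head = null;
        while ($node !== null) {
            // The previous node loses its last reference here, after its
            // $next was nulled, so releasing it does not nest.
            $node = $node->detachNext();
            $freed++;
        }
        return $freed;
    }

    // Tear down iteratively when the list itself goes away.
    public function __destruct() { $this->clear(); }
}

$chain = new Chain();
for ($i = 0; $i < 100000; $i++) { $chain->push(); }
echo $chain->clear(), " nodes released\n";
```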
 