Bug #73896 spl_autoload() crashes when calls magic _call()
Submitted: 2017-01-09 12:04 UTC
Modified: 2017-01-09 12:05 UTC
From: dmitry@php.net
Assigned: dmitry
Status: Closed
Package: SPL related
PHP Version: 7.0Git-2017-01-09 (Git)
OS: *
Private report: No
CVE-ID:
 [2017-01-09 12:04 UTC] dmitry@php.net
Description:
------------
The following script crashes on the second attempt to call spl_autoload(), because the first attempt destroyed the trampoline function.

Test script:
---------------
<?php
class Registrator {
    public static function call($callable, array  $args) {
        return call_user_func_array($callable, [$args]);
    }
}

class teLoader {
    public function __construct() {
        Registrator::call('spl_autoload_register', [$this, 'autoload']);
    }

    public function __call($method, $args) {
        $this->doSomething();
    }

    protected function autoload($class) {
        die("Protected autoload() called!\n");
    }

    public function doSomething() {
        throw new teException();
    }
}

$teLoader = new teLoader();

try {
    new teChild();
} catch (Throwable $e) {
    echo "Exception: ", $e->getMessage(), "\n";
}
?>


Expected result:
----------------
Exception: Class 'teException' not found


Actual result:
--------------
==4663== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4663==  Access not within mapped region at address 0x5
==4663==    at 0x866E114: ZEND_CALL_TRAMPOLINE_SPEC_HANDLER (zend_vm_execute.h:1974)
==4663==    by 0x866A63A: execute_ex (zend_vm_execute.h:429)
==4663==    by 0x860C079: zend_call_function (zend_execute_API.c:828)
==4663==    by 0x863DD4B: zend_call_method (zend_interfaces.c:101)
==4663==    by 0x8462C20: zif_spl_autoload_call (php_spl.c:408)
==4663==    by 0x860C10E: zend_call_function (zend_execute_API.c:842)
==4663==    by 0x860C611: zend_lookup_class_ex (zend_execute_API.c:1001)
==4663==    by 0x860CF62: zend_fetch_class_by_name (zend_execute_API.c:1436)
==4663==    by 0x866FF76: ZEND_NEW_SPEC_CONST_HANDLER (zend_vm_execute.h:3193)
==4663==    by 0x866A63A: execute_ex (zend_vm_execute.h:429)
==4663==    by 0x860C079: zend_call_function (zend_execute_API.c:828)
==4663==    by 0x863DD4B: zend_call_method (zend_interfaces.c:101)
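
The lifetime problem named in the description (a registered autoloader holding a pointer to a trampoline that the first call destroys), as an added C model that is not part of the original report and is not php-src code. The names `trampoline`, `autoload_entry`, `dispatch_cached` and `dispatch_copy` are hypothetical, and calling through a private copy is an assumed mitigation pattern, not a description of the committed fix.

```c
#include <stdio.h>

/* Simplified model, NOT php-src code: a single-use "trampoline" that its
 * call handler releases after the call, as the report describes. */
typedef struct { int live; char name[16]; } trampoline;

/* Static slots stand in for the allocator so a stale pointer can be
 * inspected safely instead of reading freed heap memory. */
static trampoline pool[4];

static trampoline *tramp_new(const char *name) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) {
            pool[i].live = 1;
            snprintf(pool[i].name, sizeof pool[i].name, "%s", name);
            return &pool[i];
        }
    return NULL;
}

/* The call handler consumes the trampoline: it is released when the call ends.
 * Returning -1 models the point where the report's SIGSEGV occurs. */
static int tramp_call(trampoline *t) {
    if (t == NULL || !t->live) return -1;
    t->live = 0;
    return 0;
}

/* A registered autoloader caches the function pointer across lookups. */
typedef struct { trampoline *func; } autoload_entry;

/* Vulnerable pattern: every lookup calls through the cached pointer. */
static int dispatch_cached(autoload_entry *e) { return tramp_call(e->func); }

/* Hardened pattern (assumed): the handler gets a private copy to release,
 * so the cached trampoline stays valid for the next lookup. */
static int dispatch_copy(autoload_entry *e) {
    if (e->func == NULL || !e->func->live) return -1;
    return tramp_call(tramp_new(e->func->name));
}

int main(void) {
    autoload_entry a = { tramp_new("autoload") }, b = { tramp_new("autoload") };
    int a1 = dispatch_cached(&a), a2 = dispatch_cached(&a);
    int b1 = dispatch_copy(&b), b2 = dispatch_copy(&b);
    printf("cached: first=%d second=%d\n", a1, a2);
    printf("copy:   first=%d second=%d\n", b1, b2);
    return 0;
}
```

In the model the released slot is handed out again by `tramp_new`, so a stale cached pointer can also alias a later, unrelated trampoline, which is why the second call through it must never happen.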


History

 [2017-01-09 12:05 UTC] dmitry@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: dmitry
 [2017-01-09 12:14 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f1b24d97447434973a06bdc70fc1670de17bd80
Log: Fixed bug #73896 (spl_autoload() crashes when calls magic _call())
 [2017-01-09 12:14 UTC] dmitry@php.net
-Status: Assigned
+Status: Closed
 
Last updated: Mon Feb 20 22:01:35 2017 UTC