Bug #74733 stack-overflow in spl_autoload_register
Submitted: 2017-06-09 21:37 UTC    Modified: 2017-06-29 01:04 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: martino dot sani at gmail dot com    Assigned:
Status: Not a bug    Package: SPL related
PHP Version: 7.2Git-2017-06-09 (Git)    OS: Linux x86_64
Private report: No    CVE-ID: None
 [2017-06-09 21:37 UTC] martino dot sani at gmail dot com
Description:
------------
American fuzzy lop detects an infinite recursion that can lead to a stack-overflow.

Test platform:
Linux 4.9.20-std-1 #1 SMP Tue Apr 4 12:56:17 UTC 2017 x86_64 GNU/Linux

GIT SHA:
e72970026d381ab250b5cc4f9e3ad5f0a384ddaf

Test script:
---------------
<?php
spl_autoload_register(function ($e) {
    static $i;               // counter shared across every invocation of this loader
    if ($i++) {}             // only increments $i; the empty branch is left over from test-case minimization
    class_exists('' . $i);   // autoload defaults to true, so this re-enters the loader with a new name every time
});
var_dump(class_exists('0'));
?>

Actual result:
--------------
$ ./php -f 0.php.tmin
ASAN:DEADLYSIGNAL

==18723==ERROR: AddressSanitizer: stack-overflow on address 0x7ffed1e32da8 (pc 0x0000004dcc91 bp 0x7ffed1e33650 sp 0x7ffed1e32db0 T0)
    #0 0x4dcc90 in __interceptor_memcmp.part.69 (/tmp/bin/php+0x4dcc90)
    #1 0x1aa4d2e in zend_hash_find_bucket /tmp/php-src-latest/Zend/zend_hash.c:491:8
    #2 0x1aa4944 in zend_hash_find /tmp/php-src-latest/Zend/zend_hash.c:1958:6
    #3 0x1db91c4 in ZEND_BIND_STATIC_SPEC_CV_CONST_HANDLER /tmp/php-src-latest/Zend/zend_vm_execute.h:38766:10
    #4 0x1b8de13 in execute_ex /tmp/php-src-latest/Zend/zend_vm_execute.h:59725:7
    #5 0x19f18d3 in zend_call_function /tmp/php-src-latest/Zend/zend_execute_API.c:863:3
    #6 0x143a561 in zif_spl_autoload_call /tmp/php-src-latest/ext/spl/php_spl.c:451:4
    #7 0x19f1cda in zend_call_function /tmp/php-src-latest/Zend/zend_execute_API.c:877:4
    #8 0x19f40f0 in zend_lookup_class_ex /tmp/php-src-latest/Zend/zend_execute_API.c:1040:7
    #9 0x19f464d in zend_lookup_class /tmp/php-src-latest/Zend/zend_execute_API.c:1061:9
    #10 0x1ac3441 in zif_class_exists /tmp/php-src-latest/Zend/zend_builtin_functions.c:1391:8

History
 [2017-06-10 07:43 UTC] requinix@php.net
Well yeah, of course that results in infinite recursion.

The only "bug" I see is that class_exists has no problem trying to load a class with an invalid name. Same for interface_exists and trait_exists. Not that it should ever happen in real code, though.
 [2017-06-15 18:51 UTC] kalle@php.net
If anything this should result in a memory_limit error, much like other recursive loops.
 [2017-06-29 00:38 UTC] cmb@php.net
> The only "bug" I see is that class_exists has no problem trying
> to load a class with an invalid name.

Hmm, it appears that '0' is a valid class name, see
<https://3v4l.org/BhJqk>. :(
 [2017-06-29 01:04 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2017-06-29 01:04 UTC] requinix@php.net
Well, either that's a bug too, or we treat it like we do variable variables
  https://3v4l.org/RWpUJ
(which I forgot about) and say it's legal code.

...which is what I'm thinking now: either permit all invalid names through the variable variables syntax, or reject all. Which then makes BC an issue - if it wasn't already. So I guess we allow it, and if you want to jump through hoops to get weird names then go ahead? ¯\_(ツ)_/¯

Between that and the usual ruling for recursive code problems (ie, developer error and running out of memory and/or stack space is expected) I'd call this NAB.
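As an added example (not code from the report or from PHP's own SPL), the same autoloader pattern written so it cannot run away: the probe inside the loader passes autoload=false, so it can never re-enter the loader, and a constructed nesting cap turns any other unbounded re-entry into an exception instead of a stack overflow. MAX_AUTOLOAD_NESTING, the resolver closure and the class names are assumptions made for this example.

```php
<?php
// Added example, not code from the bug report: an autoloader hardened against
// the runaway recursion in the reporter's script. Two guards:
//   1. Inside the loader, probe with class_exists($name, false) so the probe
//      itself can never re-enter the autoloader (autoload=true is what recursed).
//   2. A static nesting counter allows legitimate nesting (a required file that
//      extends a not-yet-loaded parent class) but fails loudly instead of
//      exhausting the stack. The limit, resolver and class names are constructed.
const MAX_AUTOLOAD_NESTING = 32; // constructed value, not a PHP setting

function make_guarded_autoloader(callable $resolver): callable
{
    return function (string $class) use ($resolver): void {
        static $depth = 0;

        if (class_exists($class, false)) {
            return; // already defined; nothing to do and no recursion
        }
        if ($depth >= MAX_AUTOLOAD_NESTING) {
            // Fail closed with a diagnostic rather than a stack-overflow abort.
            throw new RuntimeException(
                "autoload nesting exceeded " . MAX_AUTOLOAD_NESTING . " while loading '$class'"
            );
        }
        $depth++;
        try {
            $resolver($class); // e.g. require the file mapped to $class
        } finally {
            $depth--;
        }
    };
}

// Constructed resolver standing in for a `require`: it records every name it
// was asked for and defines only the one class it knows about.
$requested = [];
$resolver = function (string $class) use (&$requested): void {
    $requested[] = $class;
    if ($class === 'Foo') {
        class Foo {} // conditional declaration stands in for a required file
    }
};

spl_autoload_register(make_guarded_autoloader($resolver));

var_dump(class_exists('Foo')); // first request goes through the resolver exactly once
var_dump(class_exists('0'));   // '0' is a valid name; the resolver runs but defines nothing
var_dump($requested);          // every name the loader handed to the resolver
```

Unlike the reporter's script, a request for '0' here ends after one resolver call because the loader never probes with autoloading enabled.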
Last updated: Wed Apr 24 19:01:31 2024 UTC