php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74977 Recursion leads to crash
Submitted: 2017-07-24 09:45 UTC Modified: 2017-09-11 17:28 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Re-Opened Package: SPL related
PHP Version: 7.1.7 OS: all
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-07-24 09:45 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
This iterator causes a crash due to recursion.


Test script:
---------------
<?php

$iterator = new AppendIterator(array("A","A","A"));
$iterator->append($iterator);
?>


Expected result:
----------------
ho crash 

Actual result:
--------------
gdb-peda$ r
Starting program: /home/hjy/Desktop/php-7.1.7/sapi/cli/php -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x8d1bfe8 --> 0x1 
EBX: 0x0 
ECX: 0xb6e6d2b8 --> 0x6 
EDX: 0x8d1bdc0 --> 0x1 
ESI: 0xb6e14020 --> 0xb6e5e3a8 --> 0x854992f (<ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER>:	push   ebp)
EDI: 0xb6e5e3a8 --> 0x854992f (<ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER>:	push   ebp)
EBP: 0xbf800018 
ESP: 0xbf7fffe0 
EIP: 0x84e098b (<zend_vm_stack_push_call_frame+9>:	mov    DWORD PTR [esp+0x4],eax)
EFLAGS: 0x210282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x84e0983 <zend_vm_stack_push_call_frame+1>:	mov    ebp,esp
   0x84e0985 <zend_vm_stack_push_call_frame+3>:	sub    esp,0x38
   0x84e0988 <zend_vm_stack_push_call_frame+6>:	mov    eax,DWORD PTR [ebp+0xc]
=> 0x84e098b <zend_vm_stack_push_call_frame+9>:	mov    DWORD PTR [esp+0x4],eax
   0x84e098f <zend_vm_stack_push_call_frame+13>:	
    mov    eax,DWORD PTR [ebp+0x10]
   0x84e0992 <zend_vm_stack_push_call_frame+16>:	
    mov    DWORD PTR [esp],eax
   0x84e0995 <zend_vm_stack_push_call_frame+19>:	
    call   0x84e092d <zend_vm_calc_used_stack>
   0x84e099a <zend_vm_stack_push_call_frame+24>:	
    mov    DWORD PTR [ebp-0xc],eax
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0xbf7fffe0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x084e098b in zend_vm_stack_push_call_frame (call_info=0x202, func=0x8d1bfe8, 
    num_args=0x0, called_scope=0x8d1bdc0, object=0xb6e6d2b8)
    at /home/hjy/Desktop/php-7.1.7/Zend/zend_execute.h:209
209		uint32_t used_stack = zend_vm_calc_used_stack(num_args, func);

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-24 15:42 UTC] andrew dot nester dot dev at gmail dot com
Thanks for reporting the issue!
I've just added PR fixing this.
 [2017-07-25 05:41 UTC] krakjoe@php.net
Automatic comment on behalf of andrew.nester.dev@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dbc2ffba822d13e74e37f5ba6e106f163c1008e8
Log: Fixed #74977 - Appending AppendIterator leads to segfault
 [2017-07-25 05:41 UTC] krakjoe@php.net
-Status: Open +Status: Closed
 [2017-09-04 19:26 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b689857d53177b6027679f67fecbde8f36c174d1
Log: Revert &quot;Fixed #74977 - Appending AppendIterator leads to segfault&quot;
 [2017-09-04 19:27 UTC] nikic@php.net
-Status: Closed +Status: Re-Opened
 [2017-09-04 19:27 UTC] nikic@php.net
Patch reverted due to regression in bug #75155.
 [2017-09-11 17:28 UTC] jhdxr@php.net
I'm working on this bug now. 

however, I want to know if it's a good idea to throw an exception and stop the append when a recursion append detected.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC