php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75015 Crash in spl_recursive_it_dtor()
Submitted: 2017-08-01 10:57 UTC Modified: 2017-08-01 11:04 UTC
From: jpauli@php.net Assigned:
Status: Closed Package: SPL related
PHP Version: 7.1.7 OS: *
Private report: No CVE-ID: None
 [2017-08-01 10:57 UTC] jpauli@php.net
Description:
------------
Under some circumstences, spl_recursive_it_dtor() crashes because it accessed a NULL pointer free'ed before by spl_RecursiveIteratorIterator_free_storage().

This is related to #51697 , seems very similar. 51697 is marked as closed though

Test script:
---------------
I could not isolate easily the behavior.
But launching Symfony tests with latest PHPUnit under PHP 7.1 can trigger the crash in the Debug component of Symfony.

Stack trace is then
#0  0x00000000008605fe in zval_get_type (pz=0xd0) at /home/julien.pauli/workspace/php/Zend/zend_types.h:332
#1  0x00000000008610ae in spl_recursive_it_dtor (_iter=0x7fffdd787300) at /home/julien.pauli/workspace/php/ext/spl/spl_iterators.c:178
#2  0x0000000000a95a2f in iter_wrapper_free (object=0x7fffdd787300) at /home/julien.pauli/workspace/php/Zend/zend_iterators.c:69
#3  0x0000000000abef48 in zend_objects_store_free_object_storage (objects=0x14bfa78 <executor_globals+824>) at /home/julien.pauli/workspace/php/Zend/zend_objects_API.c:99
#4  0x0000000000a516d5 in shutdown_executor () at /home/julien.pauli/workspace/php/Zend/zend_execute_API.c:363
#5  0x0000000000a6b6ea in zend_deactivate () at /home/julien.pauli/workspace/php/Zend/zend.c:999
#6  0x00000000009d122b in php_request_shutdown (dummy=0x0) at /home/julien.pauli/workspace/php/main/main.c:1877

This happens because spl_RecursiveIteratorIterator_free_storage() has been called, and free'ed object->iterators but did not reset the level (object->level). Then spl_recursive_it_dtor tries to read from object->iterators (NULL).

The patch is simply to reset the level while dtor'ing.

Expected result:
----------------
No crash

Actual result:
--------------
Crash with NULL pointer dereference

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-08-01 11:04 UTC] jpauli@php.net
Could not reproduce (as my tests require PHP>=7.1), but PHP-7.0 branch should also be inpacted and should get the fix as well.
 [2017-08-01 14:03 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=64e6ddc7f705041886258e2940afe912f6db61c3
Log: Fix #75015. Crash in SPL destructors
 [2017-08-01 14:03 UTC] jpauli@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC