Bug #75015 Crash in spl_recursive_it_dtor()
Submitted: 2017-08-01 10:57 UTC Modified: 2017-08-01 11:04 UTC
From: Assigned:
Status: Closed Package: SPL related
PHP Version: 7.1.7 OS: *
Private report: No CVE-ID: None


 [2017-08-01 10:57 UTC]
Under some circumstances, spl_recursive_it_dtor() crashes because it accessed a NULL pointer freed before by spl_RecursiveIteratorIterator_free_storage().

This is related to #51697, seems very similar. 51697 is marked as closed though.

Test script:
I could not easily isolate the behavior.
But launching Symfony tests with latest PHPUnit under PHP 7.1 can trigger the crash in the Debug component of Symfony.

Stack trace is then
#0  0x00000000008605fe in zval_get_type (pz=0xd0) at /home/julien.pauli/workspace/php/Zend/zend_types.h:332
#1  0x00000000008610ae in spl_recursive_it_dtor (_iter=0x7fffdd787300) at /home/julien.pauli/workspace/php/ext/spl/spl_iterators.c:178
#2  0x0000000000a95a2f in iter_wrapper_free (object=0x7fffdd787300) at /home/julien.pauli/workspace/php/Zend/zend_iterators.c:69
#3  0x0000000000abef48 in zend_objects_store_free_object_storage (objects=0x14bfa78 <executor_globals+824>) at /home/julien.pauli/workspace/php/Zend/zend_objects_API.c:99
#4  0x0000000000a516d5 in shutdown_executor () at /home/julien.pauli/workspace/php/Zend/zend_execute_API.c:363
#5  0x0000000000a6b6ea in zend_deactivate () at /home/julien.pauli/workspace/php/Zend/zend.c:999
#6  0x00000000009d122b in php_request_shutdown (dummy=0x0) at /home/julien.pauli/workspace/php/main/main.c:1877

This happens because spl_RecursiveIteratorIterator_free_storage() has been called, and freed object->iterators but did not reset the level (object->level). Then spl_recursive_it_dtor tries to read from object->iterators (NULL).

The patch is simply to reset the level while dtor'ing.

Expected result:
No crash

Actual result:
Crash with NULL pointer dereference
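
The stale-level condition described in the report, as an added example that is not part of the original report and is not PHP's source code. The struct, the function names (rit_new, rit_free_storage, rit_dtor, shutdown_sequence) and the reset_level switch are hypothetical; the model keeps only the two fields the report names and counts the NULL-based reads instead of crashing on them.

```c
#include <stdlib.h>

/* Simplified model (assumption): only the two fields the report names. */
typedef struct { int live; } sub_iter;         /* stands in for one nested iterator */
typedef struct { sub_iter *iterators; int level; } rit_object;

static rit_object rit_new(int depth) {         /* depth nested levels: slots 0..depth */
    rit_object o;
    o.iterators = calloc((size_t)depth + 1, sizeof(sub_iter));
    if (o.iterators == NULL) abort();
    o.level = depth;
    for (int i = 0; i <= depth; i++) o.iterators[i].live = 1;
    return o;
}

/* Object storage teardown. reset_level = 0 models the behaviour before the fix:
 * the array is released but level still says how many slots to walk. */
static void rit_free_storage(rit_object *o, int reset_level) {
    free(o->iterators);
    o->iterators = NULL;
    if (reset_level) o->level = 0;             /* the fix the report describes */
}

/* Iterator destructor: unwinds the nested levels. Returns how many slot reads
 * would have gone through a NULL base; the model counts them, the real code
 * dereferences at that point. */
static int rit_dtor(rit_object *o) {
    int null_reads = 0;
    while (o->level > 0) {
        if (o->iterators == NULL) null_reads++;
        else o->iterators[o->level].live = 0;  /* normal path: release this level */
        o->level--;
    }
    return null_reads;
}

/* free_storage followed by the iterator dtor, the order the report describes. */
static int shutdown_sequence(int depth, int reset_level) {
    rit_object o = rit_new(depth);
    rit_free_storage(&o, reset_level);
    return rit_dtor(&o);
}

int main(void) {
    /* depth 2: a stale level gives 2 NULL-based reads, a reset level gives 0 */
    return (shutdown_sequence(2, 0) == 2 && shutdown_sequence(2, 1) == 0) ? 0 : 1;
}
```

Because the read goes to a slot at index level off a NULL base, the faulting address is a small non-zero value rather than 0, which is the shape of the pz argument in frame #0 of the trace.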


 [2017-08-01 11:04 UTC]
Could not reproduce (as my tests require PHP>=7.1), but PHP-7.0 branch should also be impacted and should get the fix as well.
 [2017-08-01 14:03 UTC]
Automatic comment on behalf of jpauli
Log: Fix #75015. Crash in SPL destructors
 [2017-08-01 14:03 UTC]
-Status: Open +Status: Closed