Bug #75015 Crash in spl_recursive_it_dtor()
Submitted: 2017-08-01 10:57 UTC Modified: 2017-08-01 11:04 UTC
From: jpauli@php.net Assigned:
Status: Closed Package: SPL related
PHP Version: 7.1.7 OS: *
Private report: No CVE-ID: None

 [2017-08-01 10:57 UTC] jpauli@php.net
Description:
------------
Under some circumstances, spl_recursive_it_dtor() crashes because it accessed a NULL pointer freed before by spl_RecursiveIteratorIterator_free_storage().

This is related to #51697, seems very similar. 51697 is marked as closed though.

Test script:
---------------
I could not easily isolate the behavior.
But launching Symfony tests with the latest PHPUnit under PHP 7.1 can trigger the crash in the Debug component of Symfony.

Stack trace is then
#0  0x00000000008605fe in zval_get_type (pz=0xd0) at /home/julien.pauli/workspace/php/Zend/zend_types.h:332
#1  0x00000000008610ae in spl_recursive_it_dtor (_iter=0x7fffdd787300) at /home/julien.pauli/workspace/php/ext/spl/spl_iterators.c:178
#2  0x0000000000a95a2f in iter_wrapper_free (object=0x7fffdd787300) at /home/julien.pauli/workspace/php/Zend/zend_iterators.c:69
#3  0x0000000000abef48 in zend_objects_store_free_object_storage (objects=0x14bfa78 <executor_globals+824>) at /home/julien.pauli/workspace/php/Zend/zend_objects_API.c:99
#4  0x0000000000a516d5 in shutdown_executor () at /home/julien.pauli/workspace/php/Zend/zend_execute_API.c:363
#5  0x0000000000a6b6ea in zend_deactivate () at /home/julien.pauli/workspace/php/Zend/zend.c:999
#6  0x00000000009d122b in php_request_shutdown (dummy=0x0) at /home/julien.pauli/workspace/php/main/main.c:1877

This happens because spl_RecursiveIteratorIterator_free_storage() has been called, and freed object->iterators but did not reset the level (object->level). Then spl_recursive_it_dtor tries to read from object->iterators (NULL).

The patch is simply to reset the level while dtor'ing.

Expected result:
----------------
No crash

Actual result:
--------------
Crash with NULL pointer dereference
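A constructed C model of the sequence the report describes, added here and not PHP's own code: free_storage drops the iterator array but leaves the level counter, and a dtor that still trusts the counter walks into the NULL array. The names model_object, free_storage_buggy, free_storage_fixed, recursive_it_dtor and shutdown_sequence are assumptions; the fixed variant resets the level together with the array, in the spirit of the patch the report proposes.

```c
#include <stdlib.h>

/* Constructed stand-ins for the SPL structs (not PHP's own): an array of
 * per-level iterators plus the index of the current, deepest level. */
typedef struct { int refcount; } model_iter;  /* stands in for the zval released per level */
typedef struct {
    model_iter *iterators;  /* NULL once free_storage has run */
    int level;              /* index of the current level, -1 when empty */
} model_object;

static model_object *model_new(int depth) {
    model_object *obj = calloc(1, sizeof *obj);
    obj->iterators = calloc((size_t)depth, sizeof *obj->iterators);
    for (int i = 0; i < depth; i++) obj->iterators[i].refcount = 1;
    obj->level = depth - 1;
    return obj;
}

/* The defect the report describes: the array is freed but obj->level
 * still claims there are levels left to release. */
static void free_storage_buggy(model_object *obj) {
    free(obj->iterators);
    obj->iterators = NULL;
}

/* Fixed variant: the level counter is reset together with the array. */
static void free_storage_fixed(model_object *obj) {
    free(obj->iterators);
    obj->iterators = NULL;
    obj->level = -1;
}

/* Mirrors spl_recursive_it_dtor(): release iterators from the deepest
 * level down. Returns how many were released, or -1 at the point where
 * the real code would dereference the NULL array (the crash in the trace). */
static int recursive_it_dtor(model_object *obj) {
    int released = 0;
    for (; obj->level >= 0; obj->level--) {
        if (obj->iterators == NULL) return -1;
        obj->iterators[obj->level].refcount--;
        released++;
    }
    return released;
}

/* free_storage first, dtor second: the shutdown order in the stack trace. */
static int shutdown_sequence(int depth, int use_fix) {
    model_object *obj = model_new(depth);
    if (use_fix) free_storage_fixed(obj); else free_storage_buggy(obj);
    int result = recursive_it_dtor(obj);
    free(obj);
    return result;
}
```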

 [2017-08-01 11:04 UTC] jpauli@php.net
Could not reproduce (as my tests require PHP>=7.1), but PHP-7.0 branch should also be impacted and should get the fix as well.
 [2017-08-01 14:03 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=64e6ddc7f705041886258e2940afe912f6db61c3
Log: Fix #75015. Crash in SPL destructors
 [2017-08-01 14:03 UTC] jpauli@php.net
-Status: Open +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 13 22:01:27 2024 UTC