Bug #75193 segfault in collator_convert_object_to_string
Submitted: 2017-09-12 06:58 UTC Modified: -
From: remi@php.net Assigned:
Status: Closed Package: intl (PECL)
PHP Version: 7.0.23 OS:
Private report: No CVE-ID:
 [2017-09-12 06:58 UTC] remi@php.net
Description:
------------
Segfault in collator_convert_object_to_string when sorting array of objects.

Test script:
---------------
<?php
$a = new \Collator('en_US');
// stdClass has no __toString(), so the collator's object-to-string cast fails
$b = [new stdclass, new stdclass];
var_dump($a->sort($b));

Expected result:
----------------
bool(true)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

(gdb) bt
#0  i_zval_ptr_dtor (zval_ptr=0x7fffffffa770) at /usr/src/debug/php-7.1.9/Zend/zend_variables.h:47
#1  _zval_ptr_dtor (zval_ptr=0x7fffffffa770) at /usr/src/debug/php-7.1.9/Zend/zend_execute_API.c:550
#2  0x00007fffed27f678 in collator_convert_object_to_string (obj=obj@entry=0x7ffff3a5d668, rv=rv@entry=0x7fffffffa770)
    at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_convert.c:258
#3  0x00007fffed27e367 in collator_regular_compare_function (result=0x7fffffffa810, op1=<optimized out>, op2=0x7ffff3a5d668)
    at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_sort.c:63
#4  0x00007fffed27e2a8 in collator_compare_func (a=a@entry=0x7ffff3a5d648, b=b@entry=0x7ffff3a5d668) at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_sort.c:223
#5  0x0000555555810e95 in zend_sort_2 (swp=0x5555557fffc0 <zend_hash_bucket_renum_swap>, cmp=0x7fffed27e280 <collator_compare_func>, b=0x7ffff3a5d668, a=0x7ffff3a5d648)
    at /usr/src/debug/php-7.1.9/Zend/zend_sort.c:94
#6  zend_insert_sort (base=0x7ffff3a5d648, nmemb=<optimized out>, siz=32, cmp=0x7fffed27e280 <collator_compare_func>, swp=0x5555557fffc0 <zend_hash_bucket_renum_swap>)
    at /usr/src/debug/php-7.1.9/Zend/zend_sort.c:159
#7  0x0000555555808f4b in zend_hash_sort_ex (ht=ht@entry=0x7ffff3a561f8, sort=<optimized out>, compar=compar@entry=0x7fffed27e280 <collator_compare_func>, 
    renumber=renumber@entry=1 '\001') at /usr/src/debug/php-7.1.9/Zend/zend_hash.c:2270
#8  0x00007fffed27e89f in collator_sort_internal (renumber=1, execute_data=<optimized out>, return_value=<optimized out>)
    at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_sort.c:325
#9  0x00005555558972d4 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.1.9/Zend/zend_vm_execute.h:1097
#10 0x000055555583e0eb in execute_ex (ex=<optimized out>) at /usr/src/debug/php-7.1.9/Zend/zend_vm_execute.h:429
#11 0x0000555555899738 in zend_execute (op_array=op_array@entry=0x7ffff3a83000, return_value=return_value@entry=0x7ffff3a641c0)
    at /usr/src/debug/php-7.1.9/Zend/zend_vm_execute.h:474
#12 0x00005555557f43a3 in zend_execute_scripts (type=-207540176, type@entry=8, retval=0x7ffff3a641c0, retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/src/debug/php-7.1.9/Zend/zend.c:1480
#13 0x0000555555790270 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcf60) at /usr/src/debug/php-7.1.9/main/main.c:2552
#14 0x000055555589b99c in do_cli (argc=5, argv=0x555555c1ee10) at /usr/src/debug/php-7.1.9/sapi/cli/php_cli.c:993
#15 0x0000555555621cca in main (argc=5, argv=0x555555c1ee10) at /usr/src/debug/php-7.1.9/sapi/cli/php_cli.c:1381

History
 [2017-09-12 07:00 UTC] remi@php.net
This segfault is erratic (e.g. reproduced with 7.1 and 7.2, not 7.0, on RHEL-6, but reproduced with 7.0 and 7.1, not 7.2, on RHEL-7)

First check:

			/* cast_object failed => bail out. */
			zval_ptr_dtor( zstr );
			COLLATOR_CONVERT_RETURN_FAILED( obj );

But zstr is stack-allocated and not initialized, so it may contain random data.
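Remi's diagnosis above (a stack-allocated zval handed to zval_ptr_dtor on the cast_object failure path without ever having been written) is an instance of a general C pattern: a cleanup routine run on a local that a failed call left untouched. The stand-alone program below is an added illustration, not code from php-src or from the fix commits linked in this report. Every name in it (mini_zval, mini_dtor, cast_object, convert_buggy, convert_fixed, scenario, convert_ok) is invented for the example, and the poisoned rv in scenario() is a constructed, deterministic stand-in for stale stack contents, because reading real uninitialised memory is undefined behaviour and only crashed on some builds, as the comment above notes. It contrasts the buggy shape with one repair, initialising the out-parameter to an empty state before the fallible call so that the destructor on the failure path is a guaranteed no-op.

```c
/* Stand-alone model of the bug class in #75193 (illustrative, not php-src).
   All names are invented; the poisoned `rv` in scenario() is a deterministic
   stand-in for stale stack contents, since reading truly uninitialised memory
   is undefined behaviour (hence the erratic crash the report describes). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { T_UNDEF = 0, T_STRING = 6 };                   /* stand-in for Z_TYPE */
typedef struct { int type; char *str; } mini_zval;
typedef struct { const char *to_string; } mini_obj;  /* NULL: no __toString */

/* Registry of live heap strings so the destructor can detect and count a
   bogus pointer instead of dereferencing it and crashing. */
#define MAX_LIVE 8
static char *live[MAX_LIVE];
static int invalid_frees;

static int is_live(const char *p) { for (int i = 0; i < MAX_LIVE; i++) if (live[i] && live[i] == p) return 1; return 0; }
static void track(char *p) { for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return; } }
static void untrack(const char *p) { for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) live[i] = NULL; }
static char *dup_str(const char *s) { size_t n = strlen(s) + 1; char *p = malloc(n); return p ? memcpy(p, s, n) : NULL; }

/* Destructor: no-op for T_UNDEF, frees a tracked string, and flags anything
   else (the "random data" case): returns 0 when safe, -1 when fed a value it
   never owned. */
static int mini_dtor(mini_zval *zv)
{
    if (zv->type == T_UNDEF) return 0;
    if (zv->type != T_STRING || !is_live(zv->str)) { invalid_frees++; return -1; }
    untrack(zv->str); free(zv->str);
    zv->type = T_UNDEF; zv->str = NULL;
    return 0;
}

/* Stand-in for a cast_object handler: on failure it returns -1 and leaves
   *out untouched, which is exactly what the bug depends on. */
static int cast_object(const mini_obj *obj, mini_zval *out)
{
    if (obj->to_string == NULL) return -1;
    out->type = T_STRING;
    out->str = dup_str(obj->to_string);
    track(out->str);
    return 0;
}

/* Buggy shape: rv goes straight to the fallible call, then to the destructor
   on the failure path, so the dtor sees whatever rv happened to hold. */
static int convert_buggy(const mini_obj *obj, mini_zval *rv)
{
    if (cast_object(obj, rv) != 0) {
        mini_dtor(rv);                   /* acts on uninitialised memory */
        return -1;
    }
    return 0;
}

/* One repair: put rv into a known empty state before the call that may fail,
   so cleanup on the failure path is a guaranteed no-op. */
static int convert_fixed(const mini_obj *obj, mini_zval *rv)
{
    rv->type = T_UNDEF; rv->str = NULL;
    if (cast_object(obj, rv) != 0) {
        mini_dtor(rv);                   /* safe: rv is T_UNDEF here */
        return -1;
    }
    return 0;
}

/* Failing conversion (object without __toString, like stdClass) through one
   of the two shapes against constructed stale stack contents; returns the
   number of invalid destructor calls (1 for the buggy shape, 0 when fixed). */
int scenario(int use_fixed)
{
    invalid_frees = 0;
    mini_obj plain = { NULL };
    mini_zval rv = { T_STRING, (char *)0x1 };  /* constructed stale residue */
    if (use_fixed) convert_fixed(&plain, &rv); else convert_buggy(&plain, &rv);
    return invalid_frees;
}

/* Success path: the produced string is usable and is freed cleanly. Returns 1. */
int convert_ok(void)
{
    invalid_frees = 0;
    mini_obj named = { "en_US" };
    mini_zval rv;
    if (convert_fixed(&named, &rv) != 0) return 0;
    int same = strcmp(rv.str, "en_US") == 0;
    return same && mini_dtor(&rv) == 0 && invalid_frees == 0;
}

int main(void)
{
    printf("buggy path: %d invalid destructor call(s)\n", scenario(0));
    printf("fixed path: %d invalid destructor call(s)\n", scenario(1));
    return 0;
}
```

The registry turns what would be a segfault (or silent heap corruption) into a counted event so the two shapes can be compared in a test; in a real engine the equivalent check is a debug-build assertion in the destructor, or running the reproducer under a sanitizer such as MemorySanitizer, which reports the uninitialised read on the buggy path even on builds where the stale stack contents happen to be harmless.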
 [2017-09-12 10:15 UTC] ab@php.net
Automatic comment on behalf of remi@remirepo.net
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b09497c0e2b923efef5c6c30789bc82687af9e26
Log: Fixed bug #75193 segfault in collator_convert_object_to_string
 [2017-09-12 10:15 UTC] ab@php.net
-Status: Open +Status: Closed
 [2017-09-12 10:23 UTC] ab@php.net
Automatic comment on behalf of remi@remirepo.net
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7305432d9a9f7e26a06314b701fb83ad981fb8f0
Log: Fixed bug #75193 segfault in collator_convert_object_to_string
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC