PHP :: Bug #75193 :: segfault in collator_convert_object_to

Bug #75193	segfault in collator_convert_object_to_string
Submitted:	2017-09-12 06:58 UTC	Modified:	-
From:	remi@php.net	Assigned:
Status:	Closed	Package:	intl (PECL)
PHP Version:	7.0.23	OS:
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	remi@php.net
New email:
PHP Version:		OS:

New Comment:

[2017-09-12 06:58 UTC] remi@php.net

Description:
------------
Segfault in collator_convert_object_to_string when sorting array of objects.



Test script:
---------------
<?php
$a = new \Collator('en_US');
$b = [new stdclass, new stdclass];
var_dump($a->sort($b));

Expected result:
----------------
bool(true)


Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

(gdb) bt
#0  i_zval_ptr_dtor (zval_ptr=0x7fffffffa770) at /usr/src/debug/php-7.1.9/Zend/zend_variables.h:47
#1  _zval_ptr_dtor (zval_ptr=0x7fffffffa770) at /usr/src/debug/php-7.1.9/Zend/zend_execute_API.c:550
#2  0x00007fffed27f678 in collator_convert_object_to_string (obj=obj@entry=0x7ffff3a5d668, rv=rv@entry=0x7fffffffa770)
    at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_convert.c:258
#3  0x00007fffed27e367 in collator_regular_compare_function (result=0x7fffffffa810, op1=<optimized out>, op2=0x7ffff3a5d668)
    at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_sort.c:63
#4  0x00007fffed27e2a8 in collator_compare_func (a=a@entry=0x7ffff3a5d648, b=b@entry=0x7ffff3a5d668) at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_sort.c:223
#5  0x0000555555810e95 in zend_sort_2 (swp=0x5555557fffc0 <zend_hash_bucket_renum_swap>, cmp=0x7fffed27e280 <collator_compare_func>, b=0x7ffff3a5d668, a=0x7ffff3a5d648)
    at /usr/src/debug/php-7.1.9/Zend/zend_sort.c:94
#6  zend_insert_sort (base=0x7ffff3a5d648, nmemb=<optimized out>, siz=32, cmp=0x7fffed27e280 <collator_compare_func>, swp=0x5555557fffc0 <zend_hash_bucket_renum_swap>)
    at /usr/src/debug/php-7.1.9/Zend/zend_sort.c:159
#7  0x0000555555808f4b in zend_hash_sort_ex (ht=ht@entry=0x7ffff3a561f8, sort=<optimized out>, compar=compar@entry=0x7fffed27e280 <collator_compare_func>, 
    renumber=renumber@entry=1 '\001') at /usr/src/debug/php-7.1.9/Zend/zend_hash.c:2270
#8  0x00007fffed27e89f in collator_sort_internal (renumber=1, execute_data=<optimized out>, return_value=<optimized out>)
    at /usr/src/debug/php-7.1.9/ext/intl/collator/collator_sort.c:325
#9  0x00005555558972d4 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.1.9/Zend/zend_vm_execute.h:1097
#10 0x000055555583e0eb in execute_ex (ex=<optimized out>) at /usr/src/debug/php-7.1.9/Zend/zend_vm_execute.h:429
#11 0x0000555555899738 in zend_execute (op_array=op_array@entry=0x7ffff3a83000, return_value=return_value@entry=0x7ffff3a641c0)
    at /usr/src/debug/php-7.1.9/Zend/zend_vm_execute.h:474
#12 0x00005555557f43a3 in zend_execute_scripts (type=-207540176, type@entry=8, retval=0x7ffff3a641c0, retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/src/debug/php-7.1.9/Zend/zend.c:1480
#13 0x0000555555790270 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcf60) at /usr/src/debug/php-7.1.9/main/main.c:2552
#14 0x000055555589b99c in do_cli (argc=5, argv=0x555555c1ee10) at /usr/src/debug/php-7.1.9/sapi/cli/php_cli.c:993
#15 0x0000555555621cca in main (argc=5, argv=0x555555c1ee10) at /usr/src/debug/php-7.1.9/sapi/cli/php_cli.c:1381

Patches

Add a Patch

Pull Requests

Pull requests:

Fixed bug #75193 segfault in collator_convert_object_to_string (php-src/2750)

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-09-12 07:00 UTC] remi@php.net

This segfault is erratic (ex reproduced with 7.1, 7.2 not 7.0 on RHEL-6, but reproduced with 7.0, 7.1 not 7.2 on RHEL-7)

First check:

			/* cast_object failed => bail out. */
			zval_ptr_dtor( zstr );
			COLLATOR_CONVERT_RETURN_FAILED( obj );

But zstr is stack allocated, not initialized, so may contain random data

[2017-09-12 07:18 UTC] remi@php.net

https://github.com/php/php-src/pull/2750

[2017-09-12 10:15 UTC] ab@php.net

Automatic comment on behalf of remi@remirepo.net
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b09497c0e2b923efef5c6c30789bc82687af9e26
Log: Fixed bug #75193 segfault in collator_convert_object_to_string

[2017-09-12 10:15 UTC] ab@php.net

-Status: Open +Status: Closed

[2017-09-12 10:23 UTC] ab@php.net

Automatic comment on behalf of remi@remirepo.net
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7305432d9a9f7e26a06314b701fb83ad981fb8f0
Log: Fixed bug #75193 segfault in collator_convert_object_to_string

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 08:01:28 2024 UTC