Patches: 0001-Fix-77359-spl_autoload-causes-segfault.txt (last revision 2018-12-27 14:03 UTC by lauri dot kentta at gmail dot com)
[2018-12-27 14:22 UTC] nikic@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: nikic
[2018-12-27 14:30 UTC] nikic@php.net
-Status: Assigned
+Status: Closed
[2019-01-07 12:05 UTC] cmb@php.net
Description:
------------
The function spl_autoload converts class name to lower case and later tries to free this string. However, if it's already in lower case, it's not copied, but the reference count is incremented instead. Then zend_string_free is called, but this function can only be used if the reference count is 1 (or 0) and otherwise leads to use-after-free (or failed assertion).

Looks like blame goes to commit 084c17fe0b68d391467fd48a14433443d4fcba81 (Dmitry Stogov <dmitry@zend.com>). Cases of zend_str_tolower_copy were converted to zend_string_tolower to avoid reallocations, but at least in this case, freeing was not fixed accordingly.

Test script:
---------------
<?php
$a = md5(""); # Create a non-interned string.
spl_autoload($a); # Invalid free.
spl_autoload($a); # Use after free.
echo "{$a} + foo\n"; # Use after free.
# Notice how "foo" is not printed even if the code does not crash.
# Run it a few times to get a crash.
?>

Expected result:
----------------
No crash, full output.

Actual result:
--------------
Crash or truncated output.
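The refcount contract the report describes, as an added example in C that is not code from the report or from php-src: `zstr_tolower` behaves like zend_string_tolower (same string with the reference count incremented when the input is already lower case), `autoload_buggy` frees the result unconditionally as the reported spl_autoload did, and `autoload_fixed` drops only the reference it took, the refcount-aware release the report's analysis implies (the actual php-src fix is not shown on this page). All `zstr*` names are hypothetical stand-ins, and the sample value is md5("") from the test script.

```c
/* Added example, not from the report or php-src. zstr, zstr_tolower, zstr_free
 * and zstr_release are hypothetical stand-ins for zend_string(_tolower/_free/
 * _release). A freed string is flagged, not deallocated, so it can be inspected. */
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    int refcount;   /* number of owners; zend_string_free ignores this */
    bool freed;     /* set by zstr_free instead of really deallocating */
    char *val;
} zstr;
static zstr *zstr_new(const char *s) {
    size_t n = strlen(s) + 1;
    zstr *z = malloc(sizeof *z);
    *z = (zstr){ .refcount = 1, .freed = false, .val = malloc(n) };
    memcpy(z->val, s, n);
    return z;
}
/* Like zend_string_tolower: an already lower-case input is not copied,
 * the caller just gets the same string with one extra reference. */
static zstr *zstr_tolower(zstr *s) {
    for (const char *p = s->val; *p; p++) {
        if (isupper((unsigned char)*p)) {
            zstr *c = zstr_new(s->val);
            for (char *q = c->val; *q; q++) *q = (char)tolower((unsigned char)*q);
            return c;
        }
    }
    s->refcount++;
    return s;
}
/* Like zend_string_free: unconditional, correct only for the sole owner. */
static void zstr_free(zstr *s) { s->freed = true; s->refcount = 0; }
/* Like zend_string_release: drop one reference, free only on the last one. */
static void zstr_release(zstr *s) { if (--s->refcount == 0) zstr_free(s); }
/* The pattern from the report; returns true if the caller's own string was
 * freed from under it, which is the bug. */
static bool autoload_buggy(zstr *class_name) {
    zstr *lc = zstr_tolower(class_name);
    zstr_free(lc);
    return class_name->freed;
}
/* Corrected pattern: release undoes only the reference tolower took. */
static bool autoload_fixed(zstr *class_name) {
    zstr *lc = zstr_tolower(class_name);
    zstr_release(lc);
    return class_name->freed;
}
```

With a mixed-case name the copy path hides the defect, which is why the report needs a lower-case, non-interned string such as md5("") to reproduce it.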