Bug #77359 spl_autoload causes segfault
Submitted: 2018-12-27 13:55 UTC Modified: 2018-12-27 14:22 UTC
From: lauri dot kentta at gmail dot com Assigned: nikic (profile)
Status: Closed Package: SPL related
PHP Version: 7.3.0 OS: Linux
Private report: No CVE-ID: None
 [2018-12-27 13:55 UTC] lauri dot kentta at gmail dot com
Description:
------------
The function spl_autoload converts class name to lower case and later tries to free this string. However, if it's already in lower case, it's not copied, but the reference count is incremented instead. Then zend_string_free is called, but this function can only be used if the reference count is 1 (or 0) and otherwise leads to use-after-free (or failed assertion).

Looks like blame goes to commit 084c17fe0b68d391467fd48a14433443d4fcba81 (Dmitry Stogov <dmitry@zend.com>). Cases of zend_str_tolower_copy were converted to zend_string_tolower to avoid reallocations, but at least in this case, freeing was not fixed accordingly.

Test script:
---------------
<?php
$a = md5(""); # Create a non-interned string.
spl_autoload($a); # Invalid free.
spl_autoload($a); # Use after free.
echo "{$a} + foo\n"; # Use after free.
# Notice how "foo" is not printed even if the code does not crash.
# Run it a few times to get a crash.
?>

Expected result:
----------------
No crash, full output.

Actual result:
--------------
Crash or truncated output.
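
The ownership mistake described above, as an added illustration that is not code from php-src: a toy refcounted string whose names (rc_str, rc_tolower, rc_free, rc_release) are ours and only mimic the contract the report attributes to zend_string_tolower and zend_string_free. When the input is already lower case, rc_tolower hands back the caller's own string with the count bumped, so an unconditional free on the result frees the caller's string; the general refcount rule of dropping one reference and freeing only at zero (rc_release here, a standard pattern rather than a description of the actual fix commit) is correct in both branches. The buggy path is modelled as a predicate that reports whether the free would have been invalid instead of performing it, so the example stays runnable.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted string. Our own model for illustration, not Zend's
 * zend_string; only the ownership rules are meant to match the report. */
typedef struct {
    uint32_t refcount;
    size_t   len;
    char    *val;
} rc_str;

static rc_str *rc_new(const char *s)
{
    rc_str *r = malloc(sizeof *r);
    r->refcount = 1;
    r->len = strlen(s);
    r->val = malloc(r->len + 1);
    memcpy(r->val, s, r->len + 1);
    return r;
}

/* Share an existing string: bump the count instead of copying the bytes. */
static rc_str *rc_addref(rc_str *s)
{
    s->refcount++;
    return s;
}

/* Unconditional free. Only valid when the caller holds the last reference;
 * calling it on a shared string leaves every other holder dangling. */
static void rc_free(rc_str *s)
{
    free(s->val);
    free(s);
}

/* Drop one reference; the bytes go away only with the last one. */
static void rc_release(rc_str *s)
{
    if (--s->refcount == 0)
        rc_free(s);
}

/* Same contract as the tolower described in the report: if nothing needs
 * changing, return the input itself with refcount+1; otherwise a fresh copy. */
static rc_str *rc_tolower(rc_str *s)
{
    size_t i;
    for (i = 0; i < s->len; i++)
        if (isupper((unsigned char)s->val[i]))
            break;
    if (i == s->len)
        return rc_addref(s);          /* already lower case: alias, no copy */
    rc_str *r = rc_new(s->val);
    for (i = 0; i < r->len; i++)
        r->val[i] = (char)tolower((unsigned char)r->val[i]);
    return r;
}

/* The buggy shape: lower-case, use, then rc_free. Instead of executing the
 * invalid free we report whether it would have been one (refcount > 1 means
 * the "lower-cased" string is the caller's own), so this stays runnable. */
static bool autoload_buggy_would_dangle(rc_str *name)
{
    rc_str *lc = rc_tolower(name);
    bool shared = lc->refcount > 1;   /* lc == name: rc_free(lc) would free name */
    if (shared)
        lc->refcount--;               /* undo the alias instead of freeing */
    else
        rc_free(lc);                  /* private copy: unconditional free is fine */
    return shared;
}

/* Corrected shape: release instead of free; correct in both branches. */
static void autoload_fixed(rc_str *name)
{
    rc_str *lc = rc_tolower(name);
    /* ... class lookup with lc would go here ... */
    rc_release(lc);
}

int main(void)
{
    /* Constructed inputs: md5("") is all lower case, like the report's PoC. */
    rc_str *lower = rc_new("d41d8cd98f00b204e9800998ecf8427e");
    rc_str *mixed = rc_new("MyClass");

    printf("lower-case name: buggy free would dangle = %d\n",
           autoload_buggy_would_dangle(lower));
    printf("mixed-case name: buggy free would dangle = %d\n",
           autoload_buggy_would_dangle(mixed));

    autoload_fixed(lower);
    autoload_fixed(mixed);
    printf("after fixed path: refcounts %u %u, '%s' still intact\n",
           lower->refcount, mixed->refcount, lower->val);

    rc_release(lower);
    rc_release(mixed);
    return 0;
}
```

The predicate is the check a reviewer would want in any "tolower then free" site: if the helper may return its argument, the result must be released, never freed.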

Patches

0001-Fix-77359-spl_autoload-causes-segfault.txt (last revision 2018-12-27 14:03 UTC by lauri dot kentta at gmail dot com)

History

 [2018-12-27 14:22 UTC] nikic@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: nikic
 [2018-12-27 14:30 UTC] nikic@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=89bf3df67d0f0ba3090b273d1b1b9fba9514a62d
Log: Fix #77359: spl_autoload causes segfault
 [2018-12-27 14:30 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 12:05 UTC] cmb@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d638d0880b6f759706ca46da8e6f7a5d8728959
Log: Fix #77359: spl_autoload causes segfault
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Jun 19 00:01:28 2019 UTC