Bug #77664 Segmentation fault when using undefined constant in custom wrapper
Submitted: 2019-02-25 01:16 UTC Modified: -
From: lucas dot nodari at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2019-02-25 (Git) OS: any
Private report: No CVE-ID: None
 [2019-02-25 01:16 UTC] lucas dot nodari at gmail dot com
Description:
------------
Segmentation fault happens when trying to access a custom wrapper that was registered with a class that uses an undefined class constant.

A class is declared with a field that uses an undefined class constant.
This class is registered as a stream wrapper.
When using the wrapper with any filesystem function, PHP will crash.
This happens in all PHP 7 versions: https://3v4l.org/KKqGn

If the class is instantiated directly with the operator new, it will throw an undefined constant error.

If the undefined constant is used in a constructor instead, it works correctly, meaning it fails to open and throws an error.

Test script:
---------------
<?php
class ErrorWrapper {
	public $context;
	// Default property value refers to a class constant that does not exist;
	// resolving it is what fails when the engine creates the wrapper object.
	public $var = self::INVALID;
}
stream_wrapper_register('error', ErrorWrapper::class);
// Any filesystem function that opens the scheme triggers the crash.
file_get_contents('error://test');

Expected result:
----------------
Expected that it would throw an error, and fail to open the stream. The error should be the same that is thrown when creating a new instance of that class with the operator new.

Uncaught Error: Undefined class constant 'self::INVALID'

Actual result:
--------------
Backtrace:
#0  0x00000000086d6cde in add_property_zval_ex (arg=0x9745958, key=0x8f098fd "context", key_len=7, value=0x7ffffffe9f80) at php-src/Zend/zend_API.c:1734
#1  0x00000000086d6a06 in add_property_resource_ex (arg=0x9745958, key=0x8f098fd "context", key_len=7, r=0x9745930) at php-src/Zend/zend_API.c:1681
#2  0x0000000008660143 in user_stream_create_object (uwrap=0x97455d0, context=0x9745400, object=0x9745958) at php-src/main/streams/userspace.c:293
#3  0x0000000008660428 in user_wrapper_opener (wrapper=0x97455e8, filename=0x9745528 "error://test", mode=0x8ed7fbb "rb", options=0, opened_path=0x0, context=0x9745400, __php_stream_call_depth=1,
    __zend_filename=0x8f08708 "php-src/main/streams/streams.c", __zend_lineno=2032, __zend_orig_filename=0x8ed7f00 "php-src/ext/standard/file.c", __zend_orig_lineno=553) at php-src/main/streams/userspace.c:358
#4  0x00000000086576d1 in _php_stream_open_wrapper_ex (path=0x9745528 "error://test", mode=0x8ed7fbb "rb", options=8, opened_path=0x0, context=0x9745400, __php_stream_call_depth=0, __zend_filename=0x8ed7f00 "php-src/ext/standard/file.c",
    __zend_lineno=553, __zend_orig_filename=0x0, __zend_orig_lineno=0) at php-src/main/streams/streams.c:2030
#5  0x0000000008505811 in zif_file_get_contents (execute_data=0x7fffff6300a0, return_value=0x7ffffffea550) at php-src/ext/standard/file.c:551
#6  0x00000000083d512a in phar_file_get_contents (execute_data=0x7fffff6300a0, return_value=0x7ffffffea550) at php-src/ext/phar/func_interceptors.c:222
#7  0x000000000873c26f in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at php-src/Zend/zend_vm_execute.h:930
#8  0x00000000087ad141 in execute_ex (ex=0x7fffff630030) at php-src/Zend/zend_vm_execute.h:59868
#9  0x00000000087b33a0 in zend_execute (op_array=0x9745610, return_value=0x0) at php-src/Zend/zend_vm_execute.h:66092
#10 0x00000000086cee83 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at php-src/Zend/zend.c:1633
#11 0x0000000008634815 in php_execute_script (primary_file=0x7ffffffecd40) at php-src/main/main.c:2609
#12 0x00000000087b6163 in do_cli (argc=3, argv=0x9505ea0) at php-src/sapi/cli/php_cli.c:992
#13 0x00000000087b72da in main (argc=3, argv=0x9505ea0) at php-src/sapi/cli/php_cli.c:1384

Valgrind log:
==19317== Memcheck, a memory error detector
==19317== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==19317== Using Valgrind-3.14.0.SVN and LibVEX; rerun with -h for copyright info
==19317== Command: php -f error_wrapper.php
==19317== Parent PID: 4
==19317== 
==19317== error calling PR_SET_PTRACER, vgdb might block
==19317== Invalid read of size 8
==19317==    at 0x7DECDE: add_property_zval_ex (zend_API.c:1734)
==19317==    by 0x7DEA05: add_property_resource_ex (zend_API.c:1681)
==19317==    by 0x768142: user_stream_create_object (userspace.c:293)
==19317==    by 0x768427: user_wrapper_opener (userspace.c:358)
==19317==    by 0x75F6D0: _php_stream_open_wrapper_ex (streams.c:2030)
==19317==    by 0x60D810: zif_file_get_contents (file.c:551)
==19317==    by 0x4DD129: phar_file_get_contents (func_interceptors.c:222)
==19317==    by 0x84426E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:930)
==19317==    by 0x8B5140: execute_ex (zend_vm_execute.h:59868)
==19317==    by 0x8BB39F: zend_execute (zend_vm_execute.h:66092)
==19317==    by 0x7D6E82: zend_execute_scripts (zend.c:1633)
==19317==    by 0x73C814: php_execute_script (main.c:2609)
==19317==    by 0x8BE162: do_cli (php_cli.c:992)
==19317==    by 0x8BF2D9: main (php_cli.c:1384)
==19317==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==19317== 
==19317== 
==19317== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==19317==  Access not within mapped region at address 0x18
==19317==    at 0x7DECDE: add_property_zval_ex (zend_API.c:1734)
==19317==    by 0x7DEA05: add_property_resource_ex (zend_API.c:1681)
==19317==    by 0x768142: user_stream_create_object (userspace.c:293)
==19317==    by 0x768427: user_wrapper_opener (userspace.c:358)
==19317==    by 0x75F6D0: _php_stream_open_wrapper_ex (streams.c:2030)
==19317==    by 0x60D810: zif_file_get_contents (file.c:551)
==19317==    by 0x4DD129: phar_file_get_contents (func_interceptors.c:222)
==19317==    by 0x84426E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:930)
==19317==    by 0x8B5140: execute_ex (zend_vm_execute.h:59868)
==19317==    by 0x8BB39F: zend_execute (zend_vm_execute.h:66092)
==19317==    by 0x7D6E82: zend_execute_scripts (zend.c:1633)
==19317==    by 0x73C814: php_execute_script (main.c:2609)
==19317==    by 0x8BE162: do_cli (php_cli.c:992)
==19317==    by 0x8BF2D9: main (php_cli.c:1384)
==19317==  If you believe this happened as a result of a stack
==19317==  overflow in your program's main thread (unlikely but
==19317==  possible), you can try to increase the size of the
==19317==  main thread stack using the --main-stacksize= flag.
==19317==  The main thread stack size used in this run was 8388608.
==19317== 
==19317== HEAP SUMMARY:
==19317==     in use at exit: 2,757,432 bytes in 21,500 blocks
==19317==   total heap usage: 25,063 allocs, 3,563 frees, 3,625,903 bytes allocated
==19317== 
==19317== LEAK SUMMARY:
==19317==    definitely lost: 0 bytes in 0 blocks
==19317==    indirectly lost: 0 bytes in 0 blocks
==19317==      possibly lost: 1,857,842 bytes in 16,524 blocks
==19317==    still reachable: 899,590 bytes in 4,976 blocks
==19317==         suppressed: 0 bytes in 0 blocks
==19317== Rerun with --leak-check=full to see details of leaked memory
==19317== 
==19317== For counts of detected and suppressed errors, rerun with: -v
==19317== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

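As an added example (not part of the bug report or of php-src), the following PHP script shows a defensive pattern an application can apply on affected PHP 7 builds: instantiate the wrapper class once before handing it to stream_wrapper_register(), so a class whose default property values cannot be resolved is rejected with a catchable Error instead of reaching the engine's wrapper-object creation path that the backtrace above shows crashing. The function name registerWrapperSafely, the MemoryWrapper class and the "mem" scheme are assumptions made for this example; ErrorWrapper is the class from the report.

```php
<?php
// Added example, not code from the bug report: validate a stream wrapper class
// by instantiating it before registration.
declare(strict_types=1);

/**
 * Register $class as the handler for $scheme only if it can be instantiated.
 * Returns true on success; returns false and sets $error if the class does not
 * exist, cannot be instantiated, or the scheme is already registered.
 */
function registerWrapperSafely(string $scheme, string $class, &$error = null): bool
{
    $error = null;
    if (!class_exists($class)) {
        $error = "class {$class} does not exist";
        return false;
    }
    try {
        // newInstanceWithoutConstructor() still initialises default property
        // values, which is where an undefined class constant such as
        // self::INVALID is resolved and an Error is raised. The constructor is
        // skipped so a real wrapper's side effects are not run here.
        (new ReflectionClass($class))->newInstanceWithoutConstructor();
    } catch (Throwable $e) {
        $error = get_class($e) . ': ' . $e->getMessage();
        return false;
    }
    if (!stream_wrapper_register($scheme, $class)) {
        $error = "scheme {$scheme} is already registered";
        return false;
    }
    return true;
}

// The broken class from the bug report: its default value cannot be resolved.
class ErrorWrapper {
    public $context;
    public $var = self::INVALID;
}

// A minimal, valid wrapper (constructed for this example) that serves a
// fixed in-memory string, to show the happy path of the same check.
class MemoryWrapper {
    public $context;
    private $data = "hello\n";
    private $pos = 0;
    public function stream_open($path, $mode, $options, &$opened_path) { return true; }
    public function stream_read($count) {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_eof() { return $this->pos >= strlen($this->data); }
    public function stream_stat() { return []; }
    public function stream_close() {}
}

if (!registerWrapperSafely('error', ErrorWrapper::class, $why)) {
    // The undefined-constant Error surfaces here, before any stream is opened.
    echo "refused to register error://: {$why}\n";
}
if (registerWrapperSafely('mem', MemoryWrapper::class, $why)) {
    echo file_get_contents('mem://greeting');
}
```

The check relies on the behaviour the report itself describes: direct instantiation of the class raises an undefined class constant Error, whereas the engine's internal wrapper instantiation path on affected builds does not, so performing the instantiation in userland first turns a process crash into an ordinary exception. The exact Error message text differs between PHP 7 and PHP 8, so the code reports whatever message the engine produces rather than matching on it.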
History

 [2019-02-25 06:43 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a72dd782df3089a0d944a7e51eabebdf1f1abc3
Log: Fixed bug #77664 (Segmentation fault when using undefined constant in custom wrapper)
 [2019-02-25 06:43 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2019-02-25 12:03 UTC] nikic@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4a72dd782df3089a0d944a7e51eabebdf1f1abc3
Log: Fixed bug #77664 (Segmentation fault when using undefined constant in custom wrapper)
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Sep 20 12:01:27 2019 UTC