Bug #78973 Destructor during CV freeing causes segfault if opline never saved
Submitted: 2019-12-16 17:45 UTC Modified: -
From: nikic@php.net Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.4Git-2019-12-16 (Git) OS:
Private report: No CVE-ID: None
 [2019-12-16 17:45 UTC] nikic@php.net
Description:
------------
If global regs are used, and during the execution of a function the opline is never stored, then a destructor call during CV freeing may result in a segfault when attempting to read the current opline in zend_call_function.

==20975== Use of uninitialised value of size 8
==20975==    at 0x91F333: zend_call_function (zend_execute_API.c:678)
==20975==    by 0x9895DE: zend_objects_destroy_object (zend_objects.c:179)
==20975==    by 0x990A30: zend_objects_store_del (zend_objects_API.c:178)
==20975==    by 0x93489B: rc_dtor_func (zend_variables.c:57)
==20975==    by 0x9A6C9C: i_free_compiled_variables (zend_execute.c:3407)
==20975==    by 0xA10528: execute_ex (zend_vm_execute.h:53450)
==20975==    by 0xA14ACB: zend_execute (zend_vm_execute.h:57669)
==20975==    by 0x938F4A: zend_execute_scripts (zend.c:1665)
==20975==    by 0x89B078: php_execute_script (main.c:2619)
==20975==    by 0xA1769D: do_cli (php_cli.c:961)
==20975==    by 0xA18807: main (php_cli.c:1352)

In PHP 7.3 this did not happen, because EX(opline) was always written during execute_data initialization. However, the behavior may not have been exactly right, as the opline might still have been stale.

Test script:
---------------
<?php

// Empty function body: with global register variables in use, nothing in
// this function ever stores EX(opline), so it is left uninitialised.
function test($x) {
}
// The argument is an object with a destructor, so freeing the CV $x on
// return invokes __destruct through zend_call_function, which then reads
// the never-saved opline.
test(new class {
    public function __destruct() {
    }
});

History

 [2019-12-16 17:54 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=11b041d3c6f65ba7539c61edcf9587618af1ed43
Log: Fixed bug #78973
 [2019-12-16 17:54 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Feb 20 09:01:25 2020 UTC