php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80186 Segfault when iterating over FFI object
Submitted: 2020-10-04 20:40 UTC Modified: 2020-10-04 20:56 UTC
From: as@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 8.0Git-2020-10-04 (Git) OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: as@php.net
New email:
PHP Version: OS:

 

 [2020-10-04 20:40 UTC] as@php.net
Description:
------------
Currently `zend_fake_get_properties` in `ext/ffi/ffi.c` returns a pointer to const HashTable `zend_empty_array`. Attempting to iterate over this array in userland leads to a segfault because PHP tries to increment `zend_empty_array`'s `nIteratorsCount` which is const memory.

The proposed patch allows objects to return NULL for the `get_properties` handler. In this case, the VM skips the foreach block.

If this approach is acceptable, there are other extensions and call sites[1][2] to fix where `zend_empty_array` leaks into userland.

[1] https://github.com/php/php-src/blob/107962208a19d8b6dc1a190cb25fc37614411e71/ext/com_dotnet/com_handlers.c#L221-L229
[2] https://github.com/protocolbuffers/protobuf/issues/7319


Test script:
---------------
<?php

$ffi = FFI::cdef('');

foreach ($ffi as $_) {
}


Expected result:
----------------
no segfault

Actual result:
--------------
segfault

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-10-04 20:56 UTC] as@php.net
The following pull request has been associated:

Patch Name: Fix #80186: Prevent segfault when iterating FFI obj props
On GitHub:  https://github.com/php/php-src/pull/6270
Patch:      https://github.com/php/php-src/pull/6270.patch
 [2020-10-04 20:56 UTC] nikic@php.net
zend_empty_array is also used for normal empty arrays [], so it should be possible to make this work...
 [2020-10-09 15:03 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=15443f8af4783ce6ea5362ec5a38a62b69ff8447
Log: Fixed bug #80186
 [2020-10-09 15:03 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 08 11:01:27 2024 UTC