Bug #54291 [Asn->Csd]: Crash in spl_filesystem_object_get_path

Sat, 19 Mar 2011 16:15:52 -0700 

Edit report at http://bugs.php.net/bug.php?id=54291&edit=1

 ID:                 54291
 Updated by:         cataphr...@php.net
 Reported by:        decoder-php at own-hero dot net
 Summary:            Crash in spl_filesystem_object_get_path
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux x86-64
 PHP Version:        5.3SVN-2011-03-17 (SVN)
 Assigned To:        cataphract
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2011-03-20 00:15:06] cataphr...@php.net

Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=309456
Log: - Fixed bug #54291 (Crash iterating DirectoryIterator for dir name
starting
  with \0).

------------------------------------------------------------------------
[2011-03-17 11:23:52] decoder-php at own-hero dot net

Description:
------------
The attached code crashes on PHP5.3 SVN. Since this is pretty sure only
a null-pointer deref, reporting this as public (non-security related).

Test script:
---------------
<?php

   $targetDir =
chr(0).DIRECTORY_SEPARATOR.md5('directoryIterator::getbasename');

   $dir = new DirectoryIterator($targetDir.DIRECTORY_SEPARATOR);

   while(!$dir->isFile()) {

   }

?>

Actual result:
--------------
==2043== Invalid read of size 8

==2043==    at 0x6586DB: spl_filesystem_object_get_path
(spl_directory.c:168)

==2043==    by 0x6587B0: spl_filesystem_object_get_file_name
(spl_directory.c:190)

==2043==    by 0x65BF85: zim_spl_SplFileInfo_isFile
(spl_directory.c:1163)

==2043==    by 0x7ED61F: zend_do_fcall_common_helper_SPEC
(zend_vm_execute.h:638)

==2043==    by 0x7EE50E: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(zend_vm_execute.h:748)

==2043==    by 0x7EC0F3: execute (zend_vm_execute.h:410)

==2043==    by 0x7B0314: zend_execute_scripts (zend.c:1212)

==2043==    by 0x726A37: php_execute_script (main.c:2344)

==2043==    by 0x8EC455: main (php_cli.c:1136)

==2043==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

==2043== 

==2043== 

==2043== Process terminating with default action of signal 11 (SIGSEGV)


------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=54291&edit=1

Reply via email to