From: nikic
Operating system:
PHP version: 5.4.0RC7
Package: Reproducible crash
Bug Type: Bug
Bug description: Stream related segfault on fatal error in php_stream_context_del_link
Description:
------------
<?php
$arrayLarge = array_fill(0, 113663, '*');
$resourceFileTemp = fopen('php://temp', 'wr');
stream_context_set_params($resourceFileTemp, array());
preg_replace('', function () { }, $resourceFileTemp);
The above script produces a segfault. The array_fill line is irrelevant for the bug itself, but I needed it to get a segfault on non-debug builds too (without it, it only segfaulted on debug builds.)
The type of the file resource is irrelevant, it is not restricted to php://temp.
The preg_replace + function() { } only serves the purpose to create a fatal error with the file argument, but apart from that should be irrelevant (it also occurs in lots of other situations that create a fatal error in a function call.)
This segfault basically occurs in situations where:
1. A file resource is opened
2. Some stream operation is performed on it
3. A fatal error is issued from a function which the file resource was passed to
Here is the backtrace:
(gdb) run workingFile5_segfault.php
Starting program: /usr/local/bin/php workingFile5_segfault.php
[Thread debugging using libthread_db enabled]
Catchable fatal error: Object of class Closure could not be converted to string in /home/nikic/dev/my-fuzzer/results/workingFile5_segfault.php on line 8
Program received signal SIGSEGV, Segmentation fault.
0x084c95cb in php_stream_context_del_link (context=0xb73cbddc, stream=0xb73cba00) at /home/nikic/dev/php-src/main/streams/streams.c:2256
2256 for(zend_hash_internal_pointer_reset(Z_ARRVAL_P(context->links));
(gdb) bt
#0 0x084c95cb in php_stream_context_del_link (context=0xb73cbddc, stream=0xb73cba00) at /home/nikic/dev/php-src/main/streams/streams.c:2256
#1 0x084c4953 in _php_stream_free (stream=0xb73cba00, close_options=3, tsrm_ls=0x8b26050) at /home/nikic/dev/php-src/main/streams/streams.c:449
#2 0x084c48a4 in _php_stream_free (stream=0xb73cbb90, close_options=11, tsrm_ls=0x8b26050) at /home/nikic/dev/php-src/main/streams/streams.c:406
#3 0x084c7059 in stream_resource_regular_dtor (rsrc=0xb73cbca0, tsrm_ls=0x8b26050) at /home/nikic/dev/php-src/main/streams/streams.c:1578
#4 0x085587f3 in list_entry_destructor (ptr=0xb73cbca0) at /home/nikic/dev/php-src/Zend/zend_list.c:183
#5 0x08555fc6 in zend_hash_apply_deleter (ht=0x8b280ac, p=0xb73cbc4c) at /home/nikic/dev/php-src/Zend/zend_hash.c:650
#6 0x08556154 in zend_hash_graceful_reverse_destroy (ht=0x8b280ac) at /home/nikic/dev/php-src/Zend/zend_hash.c:687
#7 0x085589d5 in zend_destroy_rsrc_list (ht=0x8b280ac, tsrm_ls=0x8b26050) at /home/nikic/dev/php-src/Zend/zend_list.c:239
#8 0x0854474a in zend_deactivate (tsrm_ls=0x8b26050) at /home/nikic/dev/php-src/Zend/zend.c:940
#9 0x084a6b4d in php_request_shutdown (dummy=0x0) at /home/nikic/dev/php-src/main/main.c:1781
#10 0x086907c5 in do_cli (argc=2, argv=0xbffff3d4, tsrm_ls=0x8b26050) at /home/nikic/dev/php-src/sapi/cli/php_cli.c:1169
#11 0x08691058 in main (argc=2, argv=0xbffff3d4) at /home/nikic/dev/php-src/sapi/cli/php_cli.c:1356
I was not yet able to understand the source of the segfault; would be nice if someone who knows the stream stuff better could give a hand :)
--
Edit bug report at https://bugs.php.net/bug.php?id=61115&edit=1
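The three conditions listed in the report (open a stream, perform a stream operation on it, pass the resource to a function that raises a fatal error) map directly onto a php-src regression test. The .phpt below is an added example, not part of nikic's report or of php-src; it assumes the standard run-tests.php harness and a file location such as tests/streams/bug61115.phpt (a placeholder, not a path from the page). While the bug is present the process dies at request shutdown, so the harness reports the test as failed (abnormal exit); once php_stream_context_del_link is fixed, the only output is the catchable fatal error quoted in the report and the test passes.

```php
--TEST--
Bug #61115 (Stream related segfault on fatal error in php_stream_context_del_link)
--FILE--
<?php
// Added regression test mirroring the reproducer in the report.
// 1. A file resource is opened; the array keeps the heap layout that
//    exposed the crash on non-debug builds, as noted in the report.
$arrayLarge = array_fill(0, 113663, '*');
$resourceFileTemp = fopen('php://temp', 'wr');

// 2. A stream operation is performed on it (attach a context to the stream).
stream_context_set_params($resourceFileTemp, array());

// 3. A fatal error is raised by a function the resource was passed to:
//    the closure cannot be converted to a string for the replacement argument.
preg_replace('', function () { }, $resourceFileTemp);
?>
--EXPECTF--
Catchable fatal error: Object of class Closure could not be converted to string in %s on line %d
```

The --EXPECTF-- section uses %s and %d for the path and line number so the test does not depend on where the file lives; anything beyond that single error line (a second error, a signal notice, or missing output because the process aborted) causes the harness to flag the test.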