Edit report at https://bugs.php.net/bug.php?id=64911&edit=1

 ID:                 64911
 Updated by:         s...@php.net
 Reported by:        jutaky at ee dot oulu dot fi
 Summary:            Looped forward_static_call causes segfault
 Status:             Open
-Type:               Security
+Type:               Bug
 Package:            Reproducible crash
 Operating System:   ArchLinux
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     Y

 New Comment:

Does not seem to be a security issue.


Previous Comments:
------------------------------------------------------------------------
[2013-05-23 17:13:45] jutaky at ee dot oulu dot fi

Description:
------------
Looped forward_static_call causes a segfault on PHP 5.4.15, 5.5.0RC2 and on trunk (20130523).

Configure for PHP 5.5.0RC2 and trunk: ./configure --enable-debug

Worth noting: xdebug extension prevented crash and exited PHP cleanly.

The backtrace is extremely long; here are the first ten entries:

#0  0x00000000007896d1 in _zend_mm_alloc_int (heap=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>,
    size=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>,
    __zend_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefd8>,
    __zend_lineno=<error reading variable: Cannot access memory at address 0x7fffff7fefd4>,
    __zend_orig_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefc8>,
    __zend_orig_lineno=<error reading variable: Cannot access memory at address 0x7fffff7fefd0>)
    at <removed>/Zend/zend_alloc.c:1881
#1  0x000000000078b3f3 in _emalloc (size=4, __zend_filename=0xbd7e38 "<removed>/Zend/zend_operators.c", __zend_lineno=1979,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at <removed>/Zend/zend_alloc.c:2429
#2  0x00000000007bec56 in zend_str_tolower_dup (source=0x7ffff7e95ac0 "foo::bar", length=3) at <removed>/Zend/zend_operators.c:1979
#3  0x00000000007ce357 in zend_is_callable_check_class (name=0x7ffff7e95ac0 "foo::bar", name_len=3, fcc=0x7fffff7ff720, strict_class=0x7fffff7ff168, error=0x7fffff7ff368)
    at <removed>/Zend/zend_API.c:2673
#4  0x00000000007cea6e in zend_is_callable_check_func (check_flags=0, callable=0x7ffff5b4dbc8, fcc=0x7fffff7ff720, strict_class=0, error=0x7fffff7ff368)
    at <removed>/Zend/zend_API.c:2795
#5  0x00000000007cfc75 in zend_is_callable_ex (callable=0x7ffff5b4dbc8, object_ptr=0x0, check_flags=0, callable_name=0x0, callable_name_len=0x7fffff7ff294,
    fcc=0x7fffff7ff720, error=0x7fffff7ff368) at <removed>/Zend/zend_API.c:3059
#6  0x00000000007d0710 in zend_fcall_info_init (callable=0x7ffff5b4dbc8, check_flags=0, fci=0x7fffff7ff750, fcc=0x7fffff7ff720, callable_name=0x0, error=0x7fffff7ff368)
    at <removed>/Zend/zend_API.c:3235
#7  0x00000000007c6d89 in zend_parse_arg_impl (arg_num=1, arg=0x7ffff5bab758, va=0x7fffff7ff610, spec=0x7fffff7ff540, error=0x7fffff7ff4e8, severity=0x7fffff7ff4e4)
    at <removed>/Zend/zend_API.c:632
#8  0x00000000007c7061 in zend_parse_arg (arg_num=1, arg=0x7ffff5bab758, va=0x7fffff7ff610, spec=0x7fffff7ff540, quiet=0)
    at <removed>/Zend/zend_API.c:691
#9  0x00000000007c787c in zend_parse_va_args (num_args=0, type_spec=0xbaabcb "f*", va=0x7fffff7ff610, flags=0)
    at <removed>/Zend/zend_API.c:873
#10 0x00000000007c7b4f in zend_parse_parameters (num_args=1, type_spec=0xbaabcb "f*") at <removed>/Zend/zend_API.c:924


Test script:
---------------
Example case: http://jutaky.com/fuzzing/loopz.html

Expected result:
----------------
Possibly looping until killed, or until max_execution_time or another PHP-set limit is reached?

Actual result:
--------------
Segmentation fault.


------------------------------------------------------------------------
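Added example, not the reporter's test script (which is only linked above) and not PHP's own code: the crash is a forwarding loop that recurses until the C stack is exhausted, so the only PHP-level defence is to bound the nesting depth, which is what xdebug's nesting limit did for the reporter. The wrapper below (assumed names: Guarded, MAX_DEPTH, forward()) does the same for application code that forwards static calls, turning an unbounded loop into a catchable exception; the limit of 500 is an assumed value.

```php
<?php
// Added example: bound the nesting depth of forward_static_call() so that a
// forwarding loop raises a PHP exception instead of exhausting the C stack.
// Names Guarded, MAX_DEPTH and forward() are assumptions, not PHP APIs.

class Guarded
{
    const MAX_DEPTH = 500;        // assumed limit; tune to the real stack budget
    private static $depth = 0;    // current nesting depth of guarded forwards

    // Forwards $callable with late static binding, tracking nesting depth.
    // Written without finally so it also runs on PHP 5.4.
    public static function forward($callable, array $args = array())
    {
        if (self::$depth >= self::MAX_DEPTH) {
            throw new RuntimeException(
                'forward_static_call nesting exceeded ' . self::MAX_DEPTH);
        }
        self::$depth++;
        try {
            $result = forward_static_call_array($callable, $args);
        } catch (Exception $e) {
            self::$depth--;       // keep the counter balanced while unwinding
            throw $e;
        }
        self::$depth--;
        return $result;
    }
}

class Foo
{
    // Same shape as the bug: a static method that keeps forwarding to itself.
    public static function bar($n)
    {
        return Guarded::forward(array('Foo', 'bar'), array($n + 1));
    }
}

try {
    Foo::bar(0);
} catch (RuntimeException $e) {
    // Reached after MAX_DEPTH nested forwards instead of a segfault.
    echo 'Stopped cleanly: ', $e->getMessage(), PHP_EOL;
}
```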