Edit report at https://bugs.php.net/bug.php?id=64911&edit=1

 ID:                 64911
 Updated by:         s...@php.net
 Reported by:        jutaky at ee dot oulu dot fi
 Summary:            Looped forward_static_call causes segfault
 Status:             Open
-Type:               Security
+Type:               Bug
 Package:            Reproducible crash
 Operating System:   ArchLinux
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     Y

 New Comment:

Does not seem to be a security issue.


Previous Comments:
------------------------------------------------------------------------
[2013-05-23 17:13:45] jutaky at ee dot oulu dot fi

Description:
------------
Looped forward_static_call causes segfault on PHP 5.4.15, 5.5.0RC2 and on trunk (20130523).

Configure for PHP 5.5.0RC2 and trunk: ./configure --enable-debug

Worth noting: the xdebug extension prevented the crash and exited PHP cleanly.

The backtrace is extremely long; here are the first ten entries:

#0  0x00000000007896d1 in _zend_mm_alloc_int (heap=<error reading variable: Cannot access memory at address 0x7fffff7fefe8>, size=<error reading variable: Cannot access memory at address 0x7fffff7fefe0>, __zend_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefd8>, __zend_lineno=<error reading variable: Cannot access memory at address 0x7fffff7fefd4>, __zend_orig_filename=<error reading variable: Cannot access memory at address 0x7fffff7fefc8>, __zend_orig_lineno=<error reading variable: Cannot access memory at address 0x7fffff7fefd0>) at <removed>/Zend/zend_alloc.c:1881
#1  0x000000000078b3f3 in _emalloc (size=4, __zend_filename=0xbd7e38 " <removed>/Zend/zend_operators.c", __zend_lineno=1979, __zend_orig_filename=0x0, __zend_orig_lineno=0) at <removed>/Zend/zend_alloc.c:2429
#2  0x00000000007bec56 in zend_str_tolower_dup (source=0x7ffff7e95ac0 "foo::bar", length=3) at <removed>/Zend/zend_operators.c:1979
#3  0x00000000007ce357 in zend_is_callable_check_class (name=0x7ffff7e95ac0 "foo::bar", name_len=3, fcc=0x7fffff7ff720, strict_class=0x7fffff7ff168, error=0x7fffff7ff368) at <removed>/Zend/zend_API.c:2673
#4  0x00000000007cea6e in zend_is_callable_check_func (check_flags=0, callable=0x7ffff5b4dbc8, fcc=0x7fffff7ff720, strict_class=0, error=0x7fffff7ff368) at <removed>/Zend/zend_API.c:2795
#5  0x00000000007cfc75 in zend_is_callable_ex (callable=0x7ffff5b4dbc8, object_ptr=0x0, check_flags=0, callable_name=0x0, callable_name_len=0x7fffff7ff294, fcc=0x7fffff7ff720, error=0x7fffff7ff368) at <removed>/Zend/zend_API.c:3059
#6  0x00000000007d0710 in zend_fcall_info_init (callable=0x7ffff5b4dbc8, check_flags=0, fci=0x7fffff7ff750, fcc=0x7fffff7ff720, callable_name=0x0, error=0x7fffff7ff368) at <removed>/Zend/zend_API.c:3235
#7  0x00000000007c6d89 in zend_parse_arg_impl (arg_num=1, arg=0x7ffff5bab758, va=0x7fffff7ff610, spec=0x7fffff7ff540, error=0x7fffff7ff4e8, severity=0x7fffff7ff4e4) at <removed>/Zend/zend_API.c:632
#8  0x00000000007c7061 in zend_parse_arg (arg_num=1, arg=0x7ffff5bab758, va=0x7fffff7ff610, spec=0x7fffff7ff540, quiet=0) at <removed>/Zend/zend_API.c:691
#9  0x00000000007c787c in zend_parse_va_args (num_args=0, type_spec=0xbaabcb "f*", va=0x7fffff7ff610, flags=0) at <removed>/Zend/zend_API.c:873
#10 0x00000000007c7b4f in zend_parse_parameters (num_args=1, type_spec=0xbaabcb "f*") at <removed>/Zend/zend_API.c:924

Test script:
---------------
Example case: http://jutaky.com/fuzzing/loopz.html

Expected result:
----------------
Possibly looping until killed, or until max_execution_time or another PHP-set limit is reached?

Actual result:
--------------
Segmentation fault.

------------------------------------------------------------------------