ID: 43128
Updated by: [EMAIL PROTECTED]
Reported By: felipensp at gmail dot com
-Status: Analyzed
+Status: Assigned
Bug Type: Reproducible crash
Operating System: Linux
PHP Version: 5.3CVS-2007-10-29 (snap)
-Assigned To:
+Assigned To: dmitry
Previous Comments:
------------------------------------------------------------------------

[2007-10-30 11:42:10] crrodriguez at suse dot de

Yes, a smaller limit like 1024 looks OK and is still high enough to avoid annoying insane coders ;-)

------------------------------------------------------------------------

[2007-10-30 10:48:14] [EMAIL PROTECTED]

That would already allocate 64kb on the stack, I doubt that will work on all systems. I would suggest a somewhat smaller limit, say 1024?

------------------------------------------------------------------------

[2007-10-30 10:37:39] crrodriguez at suse dot de

Index: Zend/zend_execute_API.c
===================================================================
RCS file: /repository/ZendEngine2/zend_execute_API.c,v
retrieving revision 1.331.2.20.2.24.2.8
diff -u -p -r1.331.2.20.2.24.2.8 zend_execute_API.c
--- Zend/zend_execute_API.c	7 Oct 2007 05:22:03 -0000	1.331.2.20.2.24.2.8
+++ Zend/zend_execute_API.c	30 Oct 2007 10:14:29 -0000
@@ -1073,6 +1073,10 @@ ZEND_API int zend_lookup_class_ex(const
 	if (name == NULL || !name_length) {
 		return FAILURE;
 	}
+
+	if(name_length >= ZEND_MAX_CLASSNAME_LEN) {
+		zend_error(E_ERROR, "Class name cannot be longer than %d", ZEND_MAX_CLASSNAME_LEN);
+	}
 
 	lc_free = lc_name = do_alloca(name_length + 1);
 	zend_str_tolower_copy(lc_name, name, name_length);
Index: Zend/zend.h
===================================================================
RCS file: /repository/ZendEngine2/zend.h,v
retrieving revision 1.293.2.11.2.9.2.7
diff -u -p -r1.293.2.11.2.9.2.7 zend.h
--- Zend/zend.h	7 Oct 2007 05:22:02 -0000	1.293.2.11.2.9.2.7
+++ Zend/zend.h	30 Oct 2007 10:14:29 -0000
@@ -712,7 +712,7 @@ END_EXTERN_C()
 
 #define ZEND_MAX_RESERVED_RESOURCES 4
 
-
+#define ZEND_MAX_CLASSNAME_LEN 65535
 #include "zend_operators.h"
 #include "zend_variables.h"
 

ZEND_MAX_CLASSNAME_LEN being the same as Java, not to mention that I don't see any reason why such insane long naming will be useful :-)

HTH.

------------------------------------------------------------------------

[2007-10-30 08:21:08] [EMAIL PROTECTED]

Segfaults for me too, looks like a stack smash with valgrind:

==7344== Warning: client switching stacks?  SP change: 0x7FEFFD9A0 --> 0x7FE674310
==7344==          to suppress, use: --max-stackframe=10000016 or greater
==7344== Invalid write of size 8
==7344==    at 0x85D4D3: zend_lookup_class_ex (zend_execute_API.c:1046)
==7344==  Address 0x7FE674308 is on thread 1's stack
==7344==
==7344== Process terminating with default action of signal 11 (SIGSEGV)
==7344==  Access not within mapped region at address 0x7FE674308
==7344==    at 0x85D4D3: zend_lookup_class_ex (zend_execute_API.c:1046)
==7344==
==7344== Invalid write of size 8
==7344==    at 0x4A1E310: _vgnU_freeres (vg_preloaded.c:56)
==7344==  Address 0x7FE674300 is on thread 1's stack
==7344==
==7344== Process terminating with default action of signal 11 (SIGSEGV)
==7344==  Access not within mapped region at address 0x7FE674300

Which makes sense, as lc_name in zend_lookup_class_ex() is allocated on line 1045 with:

lc_name = do_alloca(name_length + 1);
zend_str_tolower_copy(lc_name, name, name_length);

SPL and Reflection have the same problem in the files:

ext/spl/php_spl.c
ext/reflection/php_reflection.c

A possible fix would be to set an arbitrary limit on the name of classes here...

------------------------------------------------------------------------

[2007-10-30 00:14:09] crrodriguez at suse dot de

Always reproducible on Linux 64-bit hosts.

------------------------------------------------------------------------

The remainder of the comments for this report are too long.
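Review bot: the length check added to zend_lookup_class_ex() in the zend_execute_API.c hunk leaves the other do_alloca(name_length + 1) sites named earlier in this thread (ext/spl/php_spl.c, ext/reflection/php_reflection.c) unguarded, so a long class name still smashes the stack through those paths; either repeat the check there or, better, bound the stack allocation inside do_alloca itself so every caller is covered. Two smaller points in the same hunk: the check fires at name_length >= ZEND_MAX_CLASSNAME_LEN while the message says "cannot be longer than %d", so a name of exactly ZEND_MAX_CLASSNAME_LEN bytes is rejected with a misleading message, and the code relies on zend_error(E_ERROR, ...) never returning; a `return FAILURE;` after it would make that explicit and keep the function safe if the error level is ever lowered.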
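Review bot: in the zend.h hunk, ZEND_MAX_CLASSNAME_LEN 65535 still allows do_alloca(name_length + 1) to take up to 64 KiB from the stack in a single frame, which is the objection raised in the 10:48 comment above; a much smaller bound (1024 is proposed there) or a heap fallback above a fixed threshold would be the safer choice. The hunk also replaces an existing blank line (`-` followed by `+#define ZEND_MAX_CLASSNAME_LEN 65535`) instead of inserting the define, so the file's spacing around the includes changes as a side effect.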
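The hardening pattern behind the 08:21 comment, as an added example that is not code from the bug report or from PHP: the lowercase-copy-and-lookup that zend_lookup_class_ex() performs, written so that a caller-controlled name length never drives a bare alloca(). The class table, the 1024-byte stack budget (the limit suggested in the thread) and the heap fallback are assumptions of this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define STACK_NAME_MAX 1024   /* stack budget: the limit suggested in the thread */

/* Constructed stand-in for the engine's class table (keys stored lowercase). */
static const char *const class_table[] = { "stdclass", "exception", "arrayobject" };
#define CLASS_COUNT (sizeof class_table / sizeof class_table[0])

static int last_used_heap;  /* 1 if the last lookup's scratch buffer was heap */
int last_lookup_used_heap(void) { return last_used_heap; }

/* Lowercase `name` into a scratch buffer and look it up; returns the table
 * index or -1.  Long names go to the heap instead of growing the stack. */
int lookup_class(const char *name, size_t len)
{
    char stack_buf[STACK_NAME_MAX + 1];
    char *lc = stack_buf;
    size_t i;
    int found = -1;
    last_used_heap = 0;
    if (name == NULL || len == 0) return -1;
    if (len > STACK_NAME_MAX) {          /* the bound the crashing code lacked */
        if ((lc = malloc(len + 1)) == NULL) return -1;
        last_used_heap = 1;
    }
    for (i = 0; i < len; i++) lc[i] = (char)tolower((unsigned char)name[i]);
    lc[len] = '\0';
    for (i = 0; i < CLASS_COUNT; i++) {
        if (strcmp(lc, class_table[i]) == 0) { found = (int)i; break; }
    }
    if (lc != stack_buf) free(lc);
    return found;
}

/* Constructed input: a name of `len` 'A's, the shape of the crashing report.
 * Returns 1 if the lookup survived via the heap path and found nothing. */
int long_name_survives(size_t len)
{
    char *name = malloc(len);
    int rc;
    if (name == NULL) return 0;
    memset(name, 'A', len);
    rc = lookup_class(name, len);
    free(name);
    return rc == -1 && last_used_heap == 1;
}
```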
To view the rest of the comments, please view the bug report online at
http://bugs.php.net/43128
--
Edit this bug report at http://bugs.php.net/?id=43128&edit=1