ID:               43128
 Updated by:       [EMAIL PROTECTED]
 Reported By:      felipensp at gmail dot com
-Status:           Analyzed
+Status:           Assigned
 Bug Type:         Reproducible crash
 Operating System: Linux
 PHP Version:      5.3CVS-2007-10-29 (snap)
-Assigned To:      
+Assigned To:      dmitry


Previous Comments:
------------------------------------------------------------------------

[2007-10-30 11:42:10] crrodriguez at suse dot de

Yes, a smaller limit like 1024 looks OK and is still high enough to
avoid annoying insane coders ;-)

------------------------------------------------------------------------

[2007-10-30 10:48:14] [EMAIL PROTECTED]

That would already allocate 64 KB on the stack, I doubt that will work
on all systems. I would suggest a somewhat smaller limit, say 1024?

------------------------------------------------------------------------

[2007-10-30 10:37:39] crrodriguez at suse dot de

Index: Zend/zend_execute_API.c
===================================================================
RCS file: /repository/ZendEngine2/zend_execute_API.c,v
retrieving revision 1.331.2.20.2.24.2.8
diff -u -p -r1.331.2.20.2.24.2.8 zend_execute_API.c
--- Zend/zend_execute_API.c     7 Oct 2007 05:22:03 -0000      
1.331.2.20.2.24.2.8
+++ Zend/zend_execute_API.c     30 Oct 2007 10:14:29 -0000
@@ -1073,6 +1073,10 @@ ZEND_API int zend_lookup_class_ex(const
        if (name == NULL || !name_length) {
                return FAILURE;
        }
+
+       if(name_length >= ZEND_MAX_CLASSNAME_LEN) {
+               zend_error(E_ERROR, "Class name cannot be longer than
%d", ZEND_MAX_CLASSNAME_LEN);
+       }

        lc_free = lc_name = do_alloca(name_length + 1);
        zend_str_tolower_copy(lc_name, name, name_length);
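Review bot: the new length check falls through after zend_error() and relies on the E_ERROR bailing out; without that, execution continues straight into do_alloca(name_length + 1), the allocation that overflows the stack in this report. An explicit `return FAILURE;` after the zend_error() line makes the bound hold regardless of error-handling behaviour, and for a lookup that callers already expect to fail, an E_WARNING plus FAILURE would be less disruptive than a fatal error. The 08:21 comment in this thread also names ext/spl/php_spl.c and ext/reflection/php_reflection.c as taking the same path, and this patch does not touch either. Minor: `if(` should be `if (` to match the surrounding style.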
Index: Zend/zend.h
===================================================================
RCS file: /repository/ZendEngine2/zend.h,v
retrieving revision 1.293.2.11.2.9.2.7
diff -u -p -r1.293.2.11.2.9.2.7 zend.h
--- Zend/zend.h 7 Oct 2007 05:22:02 -0000       1.293.2.11.2.9.2.7
+++ Zend/zend.h 30 Oct 2007 10:14:29 -0000
@@ -712,7 +712,7 @@ END_EXTERN_C()


 #define ZEND_MAX_RESERVED_RESOURCES    4
-
+#define ZEND_MAX_CLASSNAME_LEN                 65535
 #include "zend_operators.h"
 #include "zend_variables.h"
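Review bot: 65535 is a weak bound for this purpose: with it in place, do_alloca(name_length + 1) can still put up to 64 KiB on the stack, which is exactly the allocation that crashes here; the 10:48 comment suggests 1024. Also, this hunk replaces the blank line separating the defines from the #include block instead of adding to it, and the new macro carries no comment saying it exists to bound a stack allocation.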


ZEND_MAX_CLASSNAME_LEN being the same as Java, not to mention that I
don't see any reason why such insanely long naming will be useful :-)

HTH.

------------------------------------------------------------------------

[2007-10-30 08:21:08] [EMAIL PROTECTED]

Segfaults for me too, looks like a stack smash with valgrind:

==7344== Warning: client switching stacks?  SP change: 0x7FEFFD9A0 --> 0x7FE674310
==7344==          to suppress, use: --max-stackframe=10000016 or greater
==7344== Invalid write of size 8
==7344==    at 0x85D4D3: zend_lookup_class_ex (zend_execute_API.c:1046)
==7344==  Address 0x7FE674308 is on thread 1's stack
==7344== 
==7344== Process terminating with default action of signal 11 (SIGSEGV)
==7344==  Access not within mapped region at address 0x7FE674308
==7344==    at 0x85D4D3: zend_lookup_class_ex (zend_execute_API.c:1046)
==7344== 
==7344== Invalid write of size 8
==7344==    at 0x4A1E310: _vgnU_freeres (vg_preloaded.c:56)
==7344==  Address 0x7FE674300 is on thread 1's stack
==7344== 
==7344== Process terminating with default action of signal 11 (SIGSEGV)
==7344==  Access not within mapped region at address 0x7FE674300

Which makes sense, as lc_name in zend_lookup_class_ex() is allocated on line 1045 with:

    lc_name = do_alloca(name_length + 1);
    zend_str_tolower_copy(lc_name, name, name_length);

SPL and Reflection have the same problem in the files:

ext/spl/php_spl.c
ext/reflection/php_reflection.c

A possible fix would be to set an arbitrary limit on the name of
classes here...

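An added C illustration, not code from this patch, from PHP or from anyone in this thread, of the two defences that this comment and the patch above point at: bounding the caller-controlled name length before anything else, and never sizing a stack allocation by that length. CLASSNAME_MAX_LEN, STACK_COPY_MAX, CLASS_TABLE and both functions are constructed for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values, not PHP's: the name bound the thread debates (65535 vs
 * 1024) and the largest scratch copy kept on the stack; longer names use the heap. */
#define CLASSNAME_MAX_LEN 1024
#define STACK_COPY_MAX    256
#define LOOKUP_NOT_FOUND (-1)   /* valid name, unknown class */
#define LOOKUP_REJECTED  (-2)   /* NULL, empty, over-long or out of memory */
/* Constructed class table, keyed by lower-cased name as the engine's is. */
static const char *CLASS_TABLE[] = { "stdclass", "exception", "arrayobject" };
/* Mirrors zend_lookup_class_ex(): lower-case the caller's name and look it up.
 * The length check comes first and the stack buffer is fixed-size, never input-sized. */
int lookup_class(const char *name, size_t name_length)
{
    char stack_buf[STACK_COPY_MAX + 1];
    char *lc_name, *lc_free = NULL;
    size_t i, n = sizeof CLASS_TABLE / sizeof CLASS_TABLE[0];
    int found = LOOKUP_NOT_FOUND;
    if (name == NULL || name_length == 0) return LOOKUP_REJECTED;
    if (name_length >= CLASSNAME_MAX_LEN) return LOOKUP_REJECTED; /* the missing check */
    if (name_length <= STACK_COPY_MAX) {
        lc_name = stack_buf;                 /* fixed size, independent of input */
    } else if ((lc_free = lc_name = malloc(name_length + 1)) == NULL) {
        return LOOKUP_REJECTED;
    }
    for (i = 0; i < name_length; i++) lc_name[i] = (char)tolower((unsigned char)name[i]);
    lc_name[name_length] = '\0';
    for (i = 0; i < n; i++) {
        if (strcmp(lc_name, CLASS_TABLE[i]) == 0) { found = (int)i; break; }
    }
    free(lc_free);                           /* free(NULL) is a no-op */
    return found;
}

/* Helper: look up `len` copies of `c`, standing in for the oversized names
 * that trigger the crash reported in this thread. */
int lookup_padded(char c, size_t len)
{
    char *name = malloc(len + 1);
    int rc = LOOKUP_REJECTED;
    if (name != NULL) {
        memset(name, c, len); name[len] = '\0';
        rc = lookup_class(name, len);
        free(name);
    }
    return rc;
}
```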

------------------------------------------------------------------------

[2007-10-30 00:14:09] crrodriguez at suse dot de

Always reproducible on Linux 64-bit hosts.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/43128
