From:             nikic
Operating system: 
PHP version:      5.4.0RC7
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  Stream related segfault on fatal error in php_stream_context_del_link

Description:
------------
<?php

// Large array only so the crash also shows on non-debug builds (see below)
$arrayLarge = array_fill(0, 113663, '*');

// 1. open a file resource, 2. perform a stream operation on it
$resourceFileTemp = fopen('php://temp', 'wr');
stream_context_set_params($resourceFileTemp, array());
// 3. trigger a fatal error from a function the resource was passed to
//    (a Closure cannot be converted to string)
preg_replace('', function () { }, $resourceFileTemp);

The above script produces a segfault. The array_fill line is irrelevant for the
bug itself, but I needed it to get a segfault on non-debug builds too (without
it, it only segfaulted on debug builds.)

The type of the file resource is irrelevant, it is not restricted to
php://temp.

The preg_replace + function() { } only serves the purpose of creating a fatal
error with the file argument, but apart from that should be irrelevant (it also
occurs in lots of other situations that create a fatal error in a function
call.)

This segfault basically occurs in situations where:
1. A file resource is opened
2. Some stream operation is performed on it
3. A fatal error is issued from a function which the file resource was passed to

Here is the backtrace:


(gdb) run workingFile5_segfault.php 
Starting program: /usr/local/bin/php workingFile5_segfault.php
[Thread debugging using libthread_db enabled]

Catchable fatal error: Object of class Closure could not be converted to
string 
in /home/nikic/dev/my-fuzzer/results/workingFile5_segfault.php on line 8

Program received signal SIGSEGV, Segmentation fault.
0x084c95cb in php_stream_context_del_link (context=0xb73cbddc, 
    stream=0xb73cba00) at
/home/nikic/dev/php-src/main/streams/streams.c:2256
2256            for(zend_hash_internal_pointer_reset(Z_ARRVAL_P(context->links));
(gdb) bt
#0  0x084c95cb in php_stream_context_del_link (context=0xb73cbddc, 
    stream=0xb73cba00) at
/home/nikic/dev/php-src/main/streams/streams.c:2256
#1  0x084c4953 in _php_stream_free (stream=0xb73cba00, close_options=3, 
    tsrm_ls=0x8b26050) at
/home/nikic/dev/php-src/main/streams/streams.c:449
#2  0x084c48a4 in _php_stream_free (stream=0xb73cbb90, close_options=11, 
    tsrm_ls=0x8b26050) at
/home/nikic/dev/php-src/main/streams/streams.c:406
#3  0x084c7059 in stream_resource_regular_dtor (rsrc=0xb73cbca0, 
    tsrm_ls=0x8b26050) at
/home/nikic/dev/php-src/main/streams/streams.c:1578
#4  0x085587f3 in list_entry_destructor (ptr=0xb73cbca0)
    at /home/nikic/dev/php-src/Zend/zend_list.c:183
#5  0x08555fc6 in zend_hash_apply_deleter (ht=0x8b280ac, p=0xb73cbc4c)
    at /home/nikic/dev/php-src/Zend/zend_hash.c:650
#6  0x08556154 in zend_hash_graceful_reverse_destroy (ht=0x8b280ac)
    at /home/nikic/dev/php-src/Zend/zend_hash.c:687
#7  0x085589d5 in zend_destroy_rsrc_list (ht=0x8b280ac, tsrm_ls=0x8b26050)
    at /home/nikic/dev/php-src/Zend/zend_list.c:239
#8  0x0854474a in zend_deactivate (tsrm_ls=0x8b26050)
    at /home/nikic/dev/php-src/Zend/zend.c:940
#9  0x084a6b4d in php_request_shutdown (dummy=0x0)
    at /home/nikic/dev/php-src/main/main.c:1781
#10 0x086907c5 in do_cli (argc=2, argv=0xbffff3d4, tsrm_ls=0x8b26050)
    at /home/nikic/dev/php-src/sapi/cli/php_cli.c:1169
#11 0x08691058 in main (argc=2, argv=0xbffff3d4)
    at /home/nikic/dev/php-src/sapi/cli/php_cli.c:1356

I was not yet able to understand the source of the segfault; it would be nice if
someone who knows the stream stuff better could give a hand :)


-- 
Edit bug report at https://bugs.php.net/bug.php?id=61115&edit=1