Edit report at https://bugs.php.net/bug.php?id=62737&edit=1
ID:                 62737
Comment by:         reeze dot xia at gmail dot com
Reported by:        leight at gmail dot com
Summary:            Segfault invoking SplFileInfo->openFile
Status:             Analyzed
Type:               Bug
Package:            Reproducible crash
Operating System:   Linux / OSX
PHP Version:        master-Git-2012-08-03 (Git)
Block user comment: N
Private report:     N

New Comment:

Hi, replacing the create_object function pointer and the free function table isn't enough. After applying the patch I got this; maybe more handlers need to be replaced and cleaned up.

Fatal error: Uncaught exception 'RuntimeException' with message 'get_class_vars() expects exactly 1 parameter, 2 given' in /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php:6
Stack trace:
#0 [internal function]: SplFileObject->get_class_vars('/bin/ls', 'r')
#1 /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php(6): SplFileInfo->openFile('r')
#2 {main}
  thrown in /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php on line 6

Previous Comments:
------------------------------------------------------------------------
[2012-08-03 15:03:17] larue...@php.net

I have made a patch for this.

------------------------------------------------------------------------
[2012-08-03 15:02:48] larue...@php.net

The following patch has been added/updated:

Patch Name: ChangeDisableClassHandler.patch
Revision:   1344006168
URL:        https://bugs.php.net/patch-display.php?bug=62737&patch=ChangeDisableClassHandler.patch&revision=1344006168

------------------------------------------------------------------------
[2012-08-03 14:25:19] larue...@php.net

This is a very bad bug, but I think it's not an SPL issue. We should change the behavior of zend_disable_class, since for now it deletes the class entry, which makes the class entry pointer (preserved by the extension) become a wild pointer. Dereferencing it is undefined behavior; in this sense, a segfault is lucky.
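The handler-swap approach laruence proposes above (keep the class entry alive and change what it does once disabled, so a preserved pointer can never dangle), as an added C model that is not PHP's code and not the bug's patch: class_entry, disable_class, open_file, last_error and the preserved pointer are hypothetical stand-ins for zend_class_entry, zend_disable_class, SplFileInfo->openFile and spl_ce_SplFileObject.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical minimal model of a class table; NOT PHP's real zend_class_entry. */
typedef struct class_entry {
    const char *name;
    int (*create_object)(struct class_entry *ce, char *err, size_t errlen);
} class_entry;

static int create_normal(class_entry *ce, char *err, size_t errlen) {
    (void)ce; (void)err; (void)errlen;
    return 1;                               /* object created */
}

/* Replacement handler installed by disable_class(): the entry stays alive,
 * so instantiation fails with a message instead of a wild-pointer crash. */
static int create_disabled(class_entry *ce, char *err, size_t errlen) {
    snprintf(err, errlen, "Class %s is disabled", ce->name);
    return 0;                               /* nothing created */
}

/* The class table; entries live for the whole process lifetime. */
static class_entry class_table[] = {
    { "SplFileInfo",   create_normal },
    { "SplFileObject", create_normal },
};

/* Pointer an extension preserves at startup (like spl_ce_SplFileObject). */
static class_entry *spl_ce_SplFileObject = &class_table[1];
/* Disable by swapping the handler, not deleting the entry. Returns 1 if found. */
int disable_class(const char *name) {
    for (size_t i = 0; i < sizeof class_table / sizeof class_table[0]; i++) {
        if (strcmp(class_table[i].name, name) == 0) {
            class_table[i].create_object = create_disabled;
            return 1;
        }
    }
    return 0;
}

static char last_err[128];
/* Models SplFileInfo->openFile(): uses the preserved pointer and checks the
 * handler's result instead of assuming the object exists. */
int open_file(void) {
    last_err[0] = '\0';
    return spl_ce_SplFileObject->create_object(spl_ce_SplFileObject,
                                               last_err, sizeof last_err);
}
const char *last_error(void) { return last_err; }
```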
------------------------------------------------------------------------
[2012-08-03 14:12:33] larue...@php.net

I think this is not only SplFileObject; many classes may have such issues (especially those that preserve their own class entry).

------------------------------------------------------------------------
[2012-08-03 11:06:18] leight at gmail dot com

Description:
------------
When SplFileObject is on the disable_classes list, and SplFileInfo->openFile is called, PHP crashes because there is no check on whether the SplFileObject object was actually created or not, before trying to use it.

The offending code is in ext/spl/spl_directory.c in spl_filesystem_object_create_type.

Test script:
---------------
<?php
// Run with -d disable_classes=SplFileObject
$a = new SplFileInfo('/bin/ls');
$a->openFile('r');

Expected result:
----------------
A message stating SplFileObject is disabled.

Actual result:
--------------
Segmentation fault

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=62737&edit=1