Edit report at https://bugs.php.net/bug.php?id=62737&edit=1
ID: 62737
Comment by: reeze dot xia at gmail dot com
Reported by: leight at gmail dot com
Summary: Segfault invoking SplFileInfo->openFile
Status: Analyzed
Type: Bug
Package: Reproducible crash
Operating System: Linux / OSX
PHP Version: master-Git-2012-08-03 (Git)
Block user comment: N
Private report: N
New Comment:
Hi,
Replacing the create_object function pointer and freeing the function table isn't enough; after applying the patch, I got this. Maybe more handlers need to be replaced and cleaned up.
Fatal error: Uncaught exception 'RuntimeException' with message 'get_class_vars() expects exactly 1 parameter, 2 given' in /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php:6
Stack trace:
#0 [internal function]: SplFileObject->get_class_vars('/bin/ls', 'r')
#1 /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php(6): SplFileInfo->openFile('r')
#2 {main}
thrown in /Users/reeze/Opensource/php-test/php-src-5.3-dev/xx.php on line 6
Previous Comments:
------------------------------------------------------------------------
[2012-08-03 15:03:17] [email protected]
I have made a patch for this.
------------------------------------------------------------------------
[2012-08-03 15:02:48] [email protected]
The following patch has been added/updated:
Patch Name: ChangeDisableClassHandler.patch
Revision: 1344006168
URL:
https://bugs.php.net/patch-display.php?bug=62737&patch=ChangeDisableClassHandler.patch&revision=1344006168
------------------------------------------------------------------------
[2012-08-03 14:25:19] [email protected]
This is a very bad bug.
But I think it's not an SPL issue; we should change the behavior of zend_disable_class, since for now it deletes the class entry, which makes the class entry pointer (preserved by the extension) become a wild pointer. Dereferencing it is undefined behavior; in this sense, a segfault is lucky.
------------------------------------------------------------------------
[2012-08-03 14:12:33] [email protected]
I think this is not only SplFileObject; many classes may have such issues (especially those that preserve their own class entry).
------------------------------------------------------------------------
[2012-08-03 11:06:18] leight at gmail dot com
Description:
------------
When SplFileObject is on the disable_classes list and SplFileInfo->openFile is called, PHP crashes because there is no check on whether the SplFileObject object was actually created before trying to use it.
The offending code is in ext/spl/spl_directory.c in spl_filesystem_object_create_type.
Test script:
---------------
<?php
// Run with -d disable_classes=SplFileObject
$a = new SplFileInfo('/bin/ls');
$a->openFile('r');
Expected result:
----------------
A message stating SplFileObject is disabled.
Actual result:
--------------
Segmentation fault
------------------------------------------------------------------------
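The two ways of disabling a class contrasted in the 2012-08-03 14:25:19 comment, and the missing creation check from the report, as a constructed C model added here (not PHP's source): a bump-allocated pool stands in for the class table, an "extension" caches a raw pointer to one entry the way the thread says ext/spl does, and run_scenario() calls through that cached pointer after disabling SplFileObject each way. All identifiers are invented for the model.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not PHP's source: a bump-allocated pool stands in for the class table
 * and an "extension" caches a raw pointer to one entry as the thread says ext/spl does. */
typedef struct class_entry class_entry;
typedef int (*create_object_fn)(const class_entry *ce);
struct class_entry { char name[24]; create_object_fn create_object; };
enum { CREATE_DEAD_ENTRY = -1, CREATE_OK = 0, CREATE_DISABLED = 1 };
static int create_normal(const class_entry *ce) { (void)ce; return CREATE_OK; }
static int create_disabled(const class_entry *ce) {   /* report instead of building an object */
    fprintf(stderr, "%s has been disabled\n", ce->name);
    return CREATE_DISABLED;
}
#define POOL 8
static class_entry pool[POOL];
static int next_slot;            /* freed slots are never reused, just as a heap need not */
static void reset_table(void) { memset(pool, 0, sizeof pool); next_slot = 0; }
static class_entry *lookup_class(const char *name) {   /* live entries have a create_object */
    for (int i = 0; i < next_slot; i++)
        if (pool[i].create_object && strcmp(pool[i].name, name) == 0) return &pool[i];
    return NULL;
}
static class_entry *register_class(const char *name, create_object_fn fn) {
    if (next_slot == POOL) return NULL;
    class_entry *ce = &pool[next_slot++];
    snprintf(ce->name, sizeof ce->name, "%s", name); ce->create_object = fn;
    return ce;
}
/* Unsafe (what the thread says zend_disable_class did): delete the entry and register a
 * fresh one, so a pointer cached before the call now points at dead memory. */
static int disable_by_reregister(const char *name) {
    class_entry *ce = lookup_class(name); if (!ce) return -1;
    memset(ce, 0, sizeof *ce);                             /* the old entry is gone */
    return register_class(name, create_disabled) ? 0 : -1;
}
/* Safe: edit the live entry, so every cached pointer still points at a valid one. */
static int disable_in_place(const char *name) {
    class_entry *ce = lookup_class(name); if (!ce) return -1;
    ce->create_object = create_disabled;
    return 0;
}
/* What openFile() must do regardless: confirm creation succeeded before using the object. */
static int open_file_via(const class_entry *cached) {
    if (!cached->create_object) return CREATE_DEAD_ENTRY;  /* a real dangling pointer segfaults */
    return cached->create_object(cached);
}
static int run_scenario(int in_place) {   /* cache SplFileObject's entry, disable, call via cache */
    reset_table();
    register_class("SplFileInfo", create_normal);
    class_entry *cached = register_class("SplFileObject", create_normal);
    (in_place ? disable_in_place : disable_by_reregister)("SplFileObject");
    return open_file_via(cached);
}
```

With the delete-and-reregister strategy the cached pointer refers to a dead slot (CREATE_DEAD_ENTRY, where real PHP segfaulted); with the in-place strategy the same pointer reaches the disabled handler and the caller gets a checkable CREATE_DISABLED instead of a crash.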