Edit report at https://bugs.php.net/bug.php?id=64911&edit=1

 ID:                 64911
 Updated by:         johan...@php.net
 Reported by:        jutaky at ee dot oulu dot fi
 Summary:            Looped forward_static_call causes segfault
-Status:             Open
+Status:             Not a bug
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   ArchLinux
 PHP Version:        5.4.15
 Block user comment: N
 Private report:     N

 New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Infinite recursion fills up the stack and causes a stack overflow which the 
operating system handles by killing the process. We improved this with recent 
versions of PHP for regular function calls; currently we're not planning on 
doing this for indirect calls (all forms of call_user_func).

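The following is an added example, not the reporter's test script and not PHP's own code: it reproduces the indirect self-recursion pattern described above, but with an application-level depth counter so the process raises a catchable exception instead of exhausting the C stack. The class name, method name and the depth budget are assumptions.

```php
<?php
// Added example (not from the bug report). Mirrors the reported pattern:
// a static method that re-enters itself through forward_static_call(),
// which the engine treats as an indirect call and does not guard against
// unbounded recursion (per the maintainer comment above).
class Looper
{
    private static $depth = 0;
    // Assumed recursion budget; size it well below what the OS stack allows.
    const MAX_DEPTH = 500;

    public static function bar()
    {
        if (++self::$depth > self::MAX_DEPTH) {
            // Convert what would be a segfault into an ordinary PHP exception.
            throw new RuntimeException(
                'recursion limit exceeded at depth ' . self::$depth
            );
        }
        // Indirect self-call via the call_user_func family.
        forward_static_call(array('Looper', 'bar'));
    }

    public static function reset()
    {
        self::$depth = 0;
    }
}

try {
    Looper::bar();
} catch (RuntimeException $e) {
    // Recoverable: the request can log and continue instead of being killed.
    echo $e->getMessage(), PHP_EOL;
} finally {
    Looper::reset();
}
```

The reporter's observation that Xdebug exits cleanly matches its nesting guard (the `xdebug.max_nesting_level` setting), which is a runtime alternative to a counter like the one above but only applies where the extension is loaded.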

Previous Comments:
------------------------------------------------------------------------
[2013-05-23 18:20:08] s...@php.net

Does not seem to be a security issue.

------------------------------------------------------------------------
[2013-05-23 17:13:45] jutaky at ee dot oulu dot fi

Description:
------------
Looped forward_static_call causes segfault on PHP 5.4.15, 5.5.0RC2 and on trunk 
(20130523).

Configure for PHP 5.5.0RC2 and trunk: ./configure --enable-debug

Worth noting: xdebug extension prevented crash and exited PHP cleanly.

Backtrace is extremely long, here are ten first entries:

#0  0x00000000007896d1 in _zend_mm_alloc_int (heap=<error reading variable: 
Cannot access memory at address 
0x7fffff7fefe8>, 
    size=<error reading variable: Cannot access memory at address 
0x7fffff7fefe0>, __zend_filename=<error 
reading variable: Cannot access memory at address 0x7fffff7fefd8>, 
    __zend_lineno=<error reading variable: Cannot access memory at address 
0x7fffff7fefd4>, 
    __zend_orig_filename=<error reading variable: Cannot access memory at 
address 0x7fffff7fefc8>, 
    __zend_orig_lineno=<error reading variable: Cannot access memory at address 
0x7fffff7fefd0>)
    at <removed>/Zend/zend_alloc.c:1881
#1  0x000000000078b3f3 in _emalloc (size=4, __zend_filename=0xbd7e38 "
<removed>/Zend/zend_operators.c", 
__zend_lineno=1979, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at 
<removed>/Zend/zend_alloc.c:2429
#2  0x00000000007bec56 in zend_str_tolower_dup (source=0x7ffff7e95ac0 
"foo::bar", length=3) at 
<removed>/Zend/zend_operators.c:1979
#3  0x00000000007ce357 in zend_is_callable_check_class (name=0x7ffff7e95ac0 
"foo::bar", name_len=3, 
fcc=0x7fffff7ff720, strict_class=0x7fffff7ff168, error=0x7fffff7ff368)
    at <removed>/Zend/zend_API.c:2673
#4  0x00000000007cea6e in zend_is_callable_check_func (check_flags=0, 
callable=0x7ffff5b4dbc8, 
fcc=0x7fffff7ff720, strict_class=0, error=0x7fffff7ff368)
    at <removed>/Zend/zend_API.c:2795
#5  0x00000000007cfc75 in zend_is_callable_ex (callable=0x7ffff5b4dbc8, 
object_ptr=0x0, check_flags=0, 
callable_name=0x0, callable_name_len=0x7fffff7ff294, 
    fcc=0x7fffff7ff720, error=0x7fffff7ff368) at <removed>/Zend/zend_API.c:3059
#6  0x00000000007d0710 in zend_fcall_info_init (callable=0x7ffff5b4dbc8, 
check_flags=0, fci=0x7fffff7ff750, 
fcc=0x7fffff7ff720, callable_name=0x0, error=0x7fffff7ff368)
    at <removed>/Zend/zend_API.c:3235
#7  0x00000000007c6d89 in zend_parse_arg_impl (arg_num=1, arg=0x7ffff5bab758, 
va=0x7fffff7ff610, 
spec=0x7fffff7ff540, error=0x7fffff7ff4e8, severity=0x7fffff7ff4e4)
    at <removed>/Zend/zend_API.c:632
#8  0x00000000007c7061 in zend_parse_arg (arg_num=1, arg=0x7ffff5bab758, 
va=0x7fffff7ff610, 
spec=0x7fffff7ff540, quiet=0)
    at <removed>/Zend/zend_API.c:691
#9  0x00000000007c787c in zend_parse_va_args (num_args=0, type_spec=0xbaabcb 
"f*", va=0x7fffff7ff610, flags=0)
    at <removed>/Zend/zend_API.c:873
#10 0x00000000007c7b4f in zend_parse_parameters (num_args=1, type_spec=0xbaabcb 
"f*") at 
<removed>/Zend/zend_API.c:924


Test script:
---------------
Example case: http://jutaky.com/fuzzing/loopz.html

Expected result:
----------------
Possibly looping until killed, or until max_execution_time or another PHP-set 
limit is reached?

Actual result:
--------------
Segmentation fault.


------------------------------------------------------------------------
