Segmentation fault in Zend/zend_types.h #14741
Reproducible since 8.3
Bisect points me to 1e1ea4f which I already suspected. EDIT: actually the bug exists on 8.2 too but is not triggerable because the standard free_obj is called on 8.2.
Not related to dom. Minimal reproducer:

```php
<?php
$subject = new \ZendTest\Iterators\TraversableTest();
$it = $subject->getIterator();
clone $it;
```
The bug is this: For example, actually using the clone always used to crash anyway: https://3v4l.org/QR1NS#v8.2.20 (also reproducible with zend-test) The following patch would fix this issue: https://gist.github.com/nielsdos/4860d3cf9761cd4fa57f2f154b670b9e cc @iluuu1994 Can you please check this out?
@nielsdos Sorry for the late response. My work capacity is currently reduced and I was a little busy with property hooks. I'll look at this later tonight.
@nielsdos Thank you for your analysis! I agree that tying the iterators together is not the way to go. I don't think we can create a new iterator either, because we cannot move it to the same position without potential side effects. I think what we'd need is a new, optional
@iluuu1994 Thanks. I also thought about the optional clone handler a few days ago. However, given that this issue has existed for years and only now this comes up (artificially), it doesn't seem like there's a real need for this. So I'll go ahead and disallow cloning.
The create_obj handler of InternalIterator is overwritten, but not the clone_obj handler. This is not allowed. In PHP 8.2 this didn't cause a segfault because the standard object handler was used for the clone instead of the internal handler. So then it allocates and frees the object using the standard object handlers. In 8.3 however, the object is created using the standard object handler and freed using the custom handler, resulting in the buffer overflow. Even though bisect points to 1e1ea4f, this only reveals the bug.
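The handler mismatch explained in the comment above, as an added, simplified C model that is not php-src code: a class that overrides create_obj (allocating a larger struct) but inherits the standard clone_obj gets a clone sized for the base object, which its custom free_obj then treats as the larger struct. The names (object, internal_iterator, handlers, clone_and_free) are hypothetical, and the overflow is detected via a recorded allocation size instead of being triggered.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct object {
    size_t alloc_size;  /* constructed bookkeeping: lets the model detect an undersized object */
} object;

/* The iterator class extends the base object with fields its custom free handler touches. */
typedef struct internal_iterator {
    object std;
    int *position;      /* stands in for the wrapped iterator state */
} internal_iterator;

typedef struct handlers {
    object *(*create_obj)(void);
    object *(*clone_obj)(object *old);   /* NULL models "uncloneable": clone throws */
    int     (*free_obj)(object *obj);    /* 0 on success, -1 when it would read past the allocation */
} handlers;

/* Standard handlers allocate and release only the base object. */
static object *std_create(void) { object *o = calloc(1, sizeof *o); o->alloc_size = sizeof *o; return o; }
static object *std_clone(object *old) { (void)old; return std_create(); }
static int std_free(object *o) { free(o); return 0; }

/* InternalIterator overrides create and free, but inherits the standard clone (the 8.3 state). */
static object *iter_create(void) {
    internal_iterator *it = calloc(1, sizeof *it);
    it->std.alloc_size = sizeof *it;
    it->position = calloc(1, sizeof(int));
    return &it->std;
}
static int iter_free(object *o) {
    if (o->alloc_size < sizeof(internal_iterator)) { free(o); return -1; }  /* base-sized clone */
    internal_iterator *it = (internal_iterator *)o;
    free(it->position);
    free(it);
    return 0;
}

static const handlers std_handlers = { std_create,  std_clone, std_free };
static const handlers iter_buggy   = { iter_create, std_clone, iter_free };  /* mismatched pair */
static const handlers iter_fixed   = { iter_create, NULL,      iter_free };  /* fix: disallow cloning */

/* Rule from the comment: overriding create_obj requires overriding (or disabling) clone_obj. */
bool handlers_consistent(const handlers *h) {
    return h->create_obj == std_create || h->clone_obj != std_clone;
}

/* Create, clone and destroy an instance; returns 0 ok, -1 overflow detected, 1 uncloneable. */
int clone_and_free(const handlers *h) {
    object *orig = h->create_obj();
    if (h->clone_obj == NULL) { h->free_obj(orig); return 1; }
    object *copy = h->clone_obj(orig);
    h->free_obj(orig);
    return h->free_obj(copy);
}
```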
* PHP-8.2: Fix GH-14741: Segmentation fault in Zend/zend_types.h
* PHP-8.3: Fix GH-14741: Segmentation fault in Zend/zend_types.h
Description
The following code:
Resulted in this output:
Valgrind:
PHP Version
PHP 8.4.0-dev
Operating System
Ubuntu 22.04