Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) #11178

nradchenko · 2023-05-02T15:23:26Z

Description

No PoC at the moment. 8.1.15, 8.1.17, 8.0.28 work fine.

(gdb) bt
#0  spl_array_it_get_current_data (iter=0x7fcf3ecb3500) at /build/tmp-build/php-src-tag-beget-version-8.1.18-1/ext/spl/spl_array.c:1040
#1  0x00007fd01b53ba02 in ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER () at /build/tmp-build/php-src-tag-beget-version-8.1.18-1/Zend/zend_vm_execute.h:22090
#2  0x00007fd01b54334c in execute_ex (ex=0x55b790d1b930) at /build/tmp-build/php-src-tag-beget-version-8.1.18-1/Zend/zend_vm_execute.h:58016
#3  0x00007fd01b54b54f in zend_execute (op_array=0x7fd010875000, return_value=0x0) at /build/tmp-build/php-src-tag-beget-version-8.1.18-1/Zend/zend_vm_execute.h:60151
#4  0x00007fd01b4d8e14 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /build/tmp-build/php-src-tag-beget-version-8.1.18-1/Zend/zend.c:1845
#5  0x00007fd01b474851 in php_execute_script (primary_file=primary_file@entry=0x7fff32c98bc0) at /build/tmp-build/php-src-tag-beget-version-8.1.18-1/main/main.c:2542
#6  0x00007fd01b5c14a0 in php_handler (r=<optimized out>) at /build/tmp-build/php-src-tag-beget-version-8.1.18-1/sapi/apache2handler/sapi_apache2.c:710
#7  0x000055b78a46e880 in ap_run_handler (r=r@entry=0x55b7a72d5160) at config.c:169
#8  0x000055b78a46edfd in ap_invoke_handler (r=r@entry=0x55b7a72d5160) at config.c:443
#9  0x000055b78a4a2a2b in ap_process_async_request (r=0x55b7a72d5160) at http_request.c:452
#10 0x000055b78a4a2c0e in ap_process_request (r=r@entry=0x55b7a72d5160) at http_request.c:487
#11 0x000055b78a49ee24 in ap_process_http_sync_connection (c=0x55b7a7299200) at http_core.c:208
#12 ap_process_http_connection (c=0x55b7a7299200) at http_core.c:249
#13 0x000055b78a4783c0 in ap_run_process_connection (c=c@entry=0x55b7a7299200) at connection.c:42
#14 0x00007fd01c191087 in itk_fork_process (c=0x55b7a7299200) at mpm_itk.c:213
#15 0x000055b78a4783c0 in ap_run_process_connection (c=c@entry=0x55b7a7299200) at connection.c:42
#16 0x000055b78a47891e in ap_process_connection (c=c@entry=0x55b7a7299200, csd=<optimized out>) at connection.c:217
#17 0x000055b78a504b76 in child_main (child_num_arg=child_num_arg@entry=9, child_bucket=child_bucket@entry=0) at prefork.c:667
#18 0x000055b78a504ec4 in make_child (s=0x55b78b6324f8, slot=9) at prefork.c:773
#19 0x000055b78a50592a in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:877
#20 prefork_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) at prefork.c:1070
#21 0x000055b78a44f93e in ap_run_mpm (pconf=0x55b78b5f9388, plog=0x55b78b6393d8, s=0x55b78b6324f8) at mpm_common.c:95
#22 0x000055b78a4472d9 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at main.c:916
(gdb) zbacktrace 
[0x7fd010812b80] NRFramework\SmartTags\SmartTags->replace(object[0x7fd010812bd0]) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/plugins/system/nrframework/NRFramework/SmartTags/SmartTags.php:274 
[0x7fd010812ae0] NRFramework\SmartTags\SmartTags->replace(reference) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/plugins/system/nrframework/NRFramework/SmartTags/SmartTags.php:276 
[0x7fd010812a30] EngageBox\Box->replaceSmartTags(object[0x7fd010812a80], object[0x7fd010812a90]) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/administrator/components/com_rstbox/EngageBox/Box.php:217 
[0x7fd0108129b0] plgEngageBoxSmartTags->onEngageBoxBeforeRender(reference) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/plugins/engagebox/smarttags/smarttags.php:30 
[0x7fd010812900] Joomla\CMS\Plugin\CMSPlugin->Joomla\CMS\Plugin\{closure}(object[0x7fd010812950]) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/src/Plugin/CMSPlugin.php:284 
[0x7fd010812850] Joomla\Event\Dispatcher->dispatch("onEngageBoxBeforeRender", object[0x7fd0108128b0]) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/vendor/joomla/event/src/Dispatcher.php:486 
[0x7fd010812770] Joomla\CMS\Application\WebApplication->triggerEvent("onEngageBoxBeforeRender", array(1)[0x7fd0108127d0]) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/src/Application/EventAware.php:111 
[0x7fd0108126d0] EngageBox\Box->render(reference) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/administrator/components/com_rstbox/EngageBox/Box.php:33 
[0x7fd010812600] EngageBox\Boxes->render() /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/administrator/components/com_rstbox/EngageBox/Boxes.php:54 
[0x7fd010812560] PlgSystemRstBox->onAfterDispatch() /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/plugins/system/rstbox/rstbox.php:76 
[0x7fd0108124b0] Joomla\CMS\Plugin\CMSPlugin->Joomla\CMS\Plugin\{closure}(object[0x7fd010812500]) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/src/Plugin/CMSPlugin.php:284 
[0x7fd010812400] Joomla\Event\Dispatcher->dispatch("onAfterDispatch", object[0x7fd010812460]) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/vendor/joomla/event/src/Dispatcher.php:486 
[0x7fd010812320] Joomla\CMS\Application\WebApplication->triggerEvent("onAfterDispatch") /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/src/Application/EventAware.php:111 
[0x7fd010812250] Joomla\CMS\Application\SiteApplication->dispatch() /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/src/Application/SiteApplication.php:213 
[0x7fd0108121e0] Joomla\CMS\Application\SiteApplication->doExecute() /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/src/Application/SiteApplication.php:249 
[0x7fd010812150] Joomla\CMS\Application\CMSApplication->execute() /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/libraries/src/Application/CMSApplication.php:293 
[0x7fd0108120a0] (main) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/includes/app.php:61 
[0x7fd010812020] (main) /xxxx/x/xxxxxxxx/xxxxxxxxxxxxxxxxx/public_html/index.php:33 
(gdb)

PHP Version

PHP 8.1.18

Operating System

No response

The text was updated successfully, but these errors were encountered:

nradchenko · 2023-05-02T15:38:18Z

These changes may be related:

nielsdos · 2023-05-02T18:47:33Z

Figured out what the issue is, here's a PoC. I'll look into fixing this now.

<?php

class A implements IteratorAggregate {
    function __construct() {
        $this->{'x'} = 1;
    }

    function getIterator(): Traversable {
        return new ArrayIterator($this);
    }
}

$obj = new A;

foreach ($obj as $k => &$v) {
    $v = 3;
    var_dump($k, $v);
}

…(PHP 8.1.18) Dynamic property case in zend_get_property_info() can return NULL for prop info. This was not handled.

* PHP-8.1: Fix GH-11178: Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

* PHP-8.2: Fix GH-11178: Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

nradchenko added Bug Status: Needs Triage labels May 2, 2023

nielsdos added Extension: spl Status: Verified and removed Status: Needs Triage labels May 2, 2023

nielsdos added a commit to nielsdos/php-src that referenced this issue May 2, 2023

Fix phpGH-11178: Segmentation fault in spl_array_it_get_current_data …

7bc419f

…(PHP 8.1.18) Dynamic property case in zend_get_property_info() can return NULL for prop info. This was not handled.

nielsdos linked a pull request May 2, 2023 that will close this issue

Fix GH-11178: Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) #11182

Closed

nradchenko changed the title ~~Segmentaion fault in spl_array_it_get_current_data (PHP 8.1.18)~~ Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) May 2, 2023

nielsdos closed this as completed in 81e50b4 May 3, 2023

pronskiy mentioned this issue Jun 6, 2023

Add Roundup #13 ThePHPF/thephp.foundation#90

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) #11178

Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) #11178

nradchenko commented May 2, 2023

nradchenko commented May 2, 2023

nielsdos commented May 2, 2023

Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) #11178

Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18) #11178

Comments

nradchenko commented May 2, 2023

Description

PHP Version

Operating System

nradchenko commented May 2, 2023

nielsdos commented May 2, 2023