Edit report at https://bugs.php.net/bug.php?id=60042&edit=1
ID: 60042
User updated by: tom at punkave dot com
Reported by: tom at punkave dot com
-Summary: spl_autoload_call may manipulate a dangling poitner
+Summary: spl_autoload_call may manipulate a dangling pointer
Status: Open
Type: Bug
Package: SPL related
Operating System: Any
PHP Version: 5.3.8
Block user comment: N
Private report: N
New Comment:
Fixed typo
Previous Comments:
------------------------------------------------------------------------
[2011-10-11 21:04:15] tom at punkave dot com
Edit: I determined that this was not causing my segmentation faults. However it
still may be a bug. I've read the _zval_ptr_dtor source code and although it is
passed the address of the zval rather than the zval itself it doesn't appear to
use this opportunity to null it out. Can anyone clarify whether
zval_ptr_dtor(&retval) actually nulls out retval before closing this?
------------------------------------------------------------------------
[2011-10-11 17:03:00] tom at punkave dot com
Description:
------------
spl_autoload_call initializes retval to null at the start of the function, but
does not reinitialize it to null after destroying the return value of each
autoloader call. As a result, if a subsequent autoloader call does not have any
return value, then the old dangling pointer is used, resulting in a null pointer
reference and a segmentation fault, bus error or other entertaining symptom
depending on the time of day.
Many common autoloaders, such as the Symfony autoloaders, always return true or
false depending on whether they load a class, even though the documentation for
spl_autoload_register does not call for this at all. This is probably because
the developers learned the hard way that autoloaders won't play nice together
unless they return something due to this bug.
A good example of an autoloader that does trigger this bug is the one provided
with the Amazon AWS standard library for PHP. Their implementation does not
return a value, so PHP segfaults (or similar) if it is later in the chain of
autoloaders.
This bug can be fixed as follows:
    if (retval) {
        zval_ptr_dtor(&retval);
    }
Becomes:
    if (retval) {
        zval_ptr_dtor(&retval);
        retval = NULL;
    }
Patch attached.
Expected result:
----------------
Multiple autoloaders play nice.
Actual result:
--------------
If an autoloader other than the first one has no return value a PHP crash takes
place due to a dangling pointer to a destroyed value.
------------------------------------------------------------------------
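A small C model of the failure described in the report above, added here as an illustration and not taken from the PHP source: the two autoloaders, the toy zval pool and the "dead slot" check are constructed stand-ins (the real zval_ptr_dtor frees memory, so the stale read would be a genuine use-after-free rather than a flag you can test for). The same loop is run once without and once with the one-line reset from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a PHP zval: the destructor marks the slot dead instead of
 * freeing it, so a later access can be detected instead of crashing. */
typedef struct { bool alive; bool loaded; } toy_zval;
static toy_zval pool[8];
static int pool_next;

static toy_zval *toy_zval_new(bool loaded) {
    toy_zval *z = &pool[pool_next++];
    z->alive = true; z->loaded = loaded;
    return z;
}
/* Mirrors zval_ptr_dtor(&retval): releases the value but leaves the caller's
 * pointer untouched, which is the behaviour the report hinges on. */
static void toy_zval_ptr_dtor(toy_zval **pz) { (*pz)->alive = false; }

typedef void (*autoloader_fn)(const char *cls, toy_zval **retval);

/* Symfony-style loader: always hands back a return value. */
static void loader_returns_false(const char *cls, toy_zval **retval) {
    (void)cls; *retval = toy_zval_new(false);
}
/* Loader with no return statement, as the report describes: retval untouched. */
static void loader_returns_nothing(const char *cls, toy_zval **retval) {
    (void)cls; (void)retval;
}

/* Walks the chain. Returns 1 if a loader reported success, 0 if none did,
 * and -1 if a destroyed (dangling) retval was examined. */
static int run_autoload_chain(const char *cls, bool reset_after_dtor) {
    autoloader_fn chain[] = { loader_returns_false, loader_returns_nothing };
    toy_zval *retval = NULL;
    pool_next = 0;
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        chain[i](cls, &retval);
        if (retval) {
            if (!retval->alive) return -1;        /* use-after-free in real PHP */
            bool loaded = retval->loaded;
            toy_zval_ptr_dtor(&retval);
            if (reset_after_dtor) retval = NULL;  /* the fix proposed in the report */
            if (loaded) return 1;
        }
    }
    return 0;
}

int main(void) {
    printf("unpatched: %d\n", run_autoload_chain("Foo", false)); /* -1 */
    printf("patched:   %d\n", run_autoload_chain("Foo", true));  /* 0 */
    return 0;
}
```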