
Segmentation fault when resizing hash table iterator list while adding #16054


Closed
YuanchengJiang opened this issue Sep 25, 2024 · 4 comments

@YuanchengJiang

Description

The following code:

<?php
$multi_array = array ('zero', array (1, 2, 3), 'two');
next($multi_array);
end($multi_array);
$multi_array[] = &$multi_array;
$fusion = $multi_array;
$v1=$definedVars[array_rand($definedVars = get_defined_vars())];
$ary = array(
    0 => array(
        (binary) "binary",
        "abc2",
        1,
    ),
    (binary) "binary" => array(
        2,
        "b",
        3 => array(
            4,
            "c",
        ),
        "4abc" => array(
            4,
            "c",
        ),
    ),
);
$it = new RecursiveTreeIterator(new RecursiveArrayIterator($fusion), 0);
foreach($it as $k => $v) {
}
?>

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

@cmb69
Member

cmb69 commented Sep 25, 2024

Not sure if that's an engine issue, or some misuse by Spl. Anyhow, PHP-8.3 (and possibly older branches) are affected as well.

@nielsdos
Member

> Not sure if that's an engine issue, or some misuse by Spl.

Let's be honest, we all know which one of the two it is ;)
I can have a look at both these SPL issues if you're not already working on it.

@nielsdos
Member

This already corrupts the heap:

<?php
$multi_array = ['zero'];
$multi_array[] =& $multi_array;
$it = new RecursiveTreeIterator(new RecursiveArrayIterator($multi_array), 0);
foreach($it as $k => $v) {
}

@nielsdos
Member

Oh actually, this may be engine related for once...

@nielsdos nielsdos self-assigned this Sep 25, 2024
@nielsdos nielsdos changed the title Segmentation fault in Zend/zend_hash.c Segmentation fault when resizing hash table iterator while adding Sep 25, 2024
@nielsdos nielsdos changed the title Segmentation fault when resizing hash table iterator while adding Segmentation fault when resizing hash table iterator list while adding Sep 25, 2024
nielsdos added a commit to nielsdos/php-src that referenced this issue Sep 25, 2024
… list while adding

zend_array_dup_ht_iterators() loops over the hash table iterators and
can call zend_hash_iterator_add(). zend_hash_iterator_add() can resize
the array causing a crash in zend_array_dup_ht_iterators().

We solve this by refetching the iter pointer after an add happened.
nielsdos added a commit that referenced this issue Sep 25, 2024
* PHP-8.3:
  Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding
nielsdos added a commit that referenced this issue Sep 25, 2024
* PHP-8.4:
  Fix GH-16054: Segmentation fault when resizing hash table iterator list while adding
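
The bug class named in the commit message (a pointer into a growable list held across a call that can reallocate that list) and the refetch-by-index fix, as an added example that is not part of the thread and is not php-src code. It is a simplified model: `iter_t`, `iters`, `iter_add`, `dup_iterators`, the `link` field and the sample values are all hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model with hypothetical names; not php-src code. */
typedef struct { const void *ht; uint32_t pos; uint32_t link; } iter_t;

static iter_t  *iters;              /* iterator list, relocated when it grows */
static uint32_t iters_count, iters_used;
static unsigned moves;              /* number of relocations so far */

/* Append an iterator; a full list is copied to a new block and freed. */
static uint32_t iter_add(const void *ht, uint32_t pos) {
    if (iters_used == iters_count) {
        uint32_t n = iters_count ? iters_count * 2 : 1;
        iter_t *grown = malloc(n * sizeof *grown);
        if (!grown) abort();
        if (iters) memcpy(grown, iters, iters_used * sizeof *grown);
        free(iters);                /* every older iter_t* now dangles */
        iters = grown; iters_count = n; moves++;
    }
    iters[iters_used] = (iter_t){ ht, pos, UINT32_MAX };
    return iters_used++;
}

/* Copy each iterator on `source` to `target`; returns the number copied. */
static uint32_t dup_iterators(const void *source, const void *target) {
    uint32_t copies = 0, end = iters_used;   /* skip entries added below */
    for (uint32_t i = 0; i != end; i++) {
        iter_t *iter = &iters[i];
        if (iter->ht != source) continue;
        uint32_t copy_idx = iter_add(target, iter->pos);
        iter = &iters[i];   /* refetch: the add may have moved the list */
        iters[copy_idx].link = iter->link;
        iter->link = copy_idx;   /* a stale `iter` would write freed memory */
        copies++;
    }
    return copies;
}

/* Constructed scenario: the list is full when duplication starts. */
static int demo(void) {
    int a, b;                                /* stand-ins for two hash tables */
    free(iters); iters = NULL; iters_count = iters_used = moves = 0;
    iter_add(&a, 3); iter_add(&a, 7);
    return dup_iterators(&a, &b) == 2 && moves == 3
        && iters[0].link == 2 && iters[1].link == 3
        && iters[2].pos == 3 && iters[3].pos == 7;
}
int main(void) { return demo() ? 0 : 1; }
```

Deleting the refetch line leaves `iter` pointing into the block that `iter_add()` just freed; building with `-fsanitize=address` reports that variant as a heap-use-after-free on the `iter->link` accesses.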