From:             pforsub at gmail dot com
Operating system: Windows 2008
PHP version:      5.2.9
PHP Bug Type:     Reproducible crash
Bug description:  Internal classes registered in extensions can cause PHP crash

Description:
------------
Custom PHP extension compiled in Visual Studio 2005 (which means it is
compiled with CRT library msvcr80.dll).
Extension declares an internal class for an exception. PHP causes a crash
(0xc0000005 Access denied) during shutdown of execution.
The problem is that the extension allocates a string in its own CRT. This
string is then used by php5ts without copying its content (just using the
pointer). During the shutdown procedure the extension is already unloaded,
but php5ts tries to free memory allocated in the extension and causes a crash.

Reproduce code:
---------------
Declaring exception in ZEND_MINIT_FUNCTION(myownextension):

zend_class_entry ce, *pce;
INIT_CLASS_ENTRY(ce, "MyOwnException", NULL);
pce = zend_register_internal_class_ex(&ce,
zend_exception_get_default(TSRMLS_C), NULL TSRMLS_CC);



Expected result:
----------------
Expected: No crash.

Proposed fix is:
--- Zend/zend_API.c     Fri Mar 07 00:28:47 2008
+++ Zend/zend_API.c     Thu Jun 18 08:40:53 2009
@@ -1992,6 +1992,7 @@
        zend_class_entry *class_entry = malloc(sizeof(zend_class_entry));
        char *lowercase_name = malloc(orig_class_entry->name_length + 1);
        *class_entry = *orig_class_entry;
+       class_entry->name = strdup(orig_class_entry->name);
 
        class_entry->type = ZEND_INTERNAL_CLASS;
        zend_initialize_class_data(class_entry, 0 TSRMLS_CC);
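Review bot: the added line "class_entry->name = strdup(orig_class_entry->name);" does not check the return value, so an allocation failure leaves class_entry->name NULL for everything that uses the entry afterwards; the two malloc() calls in the context lines above it are unchecked as well, and class_entry is dereferenced on the very next line. Because orig_class_entry->name_length is already used to size lowercase_name, allocating name_length + 1 bytes and copying with memcpy would keep the copy consistent with the stored length instead of relying on strlen inside strdup. After this change the registered entry no longer refers to the caller's original string, so who releases that string needs to be stated, which is the leak the report mentions for INIT_CLASS_ENTRY.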

You should probably also change the logic of the INIT_CLASS_ENTRY macros to
avoid a memory leak.


Actual result:
--------------
Crash occurs at the following call stack:

# ZEND_API void destroy_zend_class(zend_class_entry **pce)
# zend_hash_destroy(compiler_globals->class_table);
# static void compiler_globals_dtor(zend_compiler_globals *compiler_globals TSRMLS_DC)

The line that causes the exception is zend_opcode.c (200):
free(ce->name);

-- 
Edit bug report at http://bugs.php.net/?id=48591&edit=1
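
The ownership problem described in the report, as an added example that is not part of the original report and is not PHP or Zend code: a constructed model in which each block records which CRT allocated it, so freeing a name through the wrong CRT is reported instead of crashing. All names here (crt_malloc, crt_free, class_entry_t, register_class, destroy_class) are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model: each block is stamped with the CRT that allocated it. */
enum { HOST_CRT = 1, EXT_CRT = 2 };
typedef union { int crt; max_align_t pad; } hdr_t;
typedef struct { char *name; size_t name_length; } class_entry_t; /* hypothetical */

static void *crt_malloc(int crt, size_t n) {
    hdr_t *h = malloc(sizeof *h + n);
    if (h) h->crt = crt;
    return h ? h + 1 : NULL;
}

static int crt_free(int crt, void *p) {
    hdr_t *h = (hdr_t *)p - 1;
    if (h->crt != crt) return -1; /* foreign block: a real free() faults here */
    free(h);
    return 0;
}

/* copy_name == 0: struct copy only (reported bug); 1: host-owned name (fix). */
static class_entry_t *register_class(const class_entry_t *orig, int copy_name) {
    class_entry_t *ce = crt_malloc(HOST_CRT, sizeof *ce);
    if (!ce) return NULL;
    *ce = *orig;
    if (!copy_name) return ce;
    ce->name = crt_malloc(HOST_CRT, orig->name_length + 1);
    if (!ce->name) { crt_free(HOST_CRT, ce); return NULL; }
    memcpy(ce->name, orig->name, orig->name_length + 1);
    return ce;
}

/* Host shutdown path: the name is always released through the host CRT. */
static int destroy_class(class_entry_t *ce) {
    int rc = crt_free(HOST_CRT, ce->name);
    crt_free(HOST_CRT, ce);
    return rc;
}

int main(void) {
    class_entry_t ext = { crt_malloc(EXT_CRT, 15), 14 }; /* extension-owned name */
    if (!ext.name) return 1;
    memcpy(ext.name, "MyOwnException", 15);
    class_entry_t *a = register_class(&ext, 0), *b = register_class(&ext, 1);
    int ok = a && b && destroy_class(a) == -1 && destroy_class(b) == 0;
    crt_free(EXT_CRT, ext.name); /* the original stays the extension's to free */
    return !ok;
}
```

The final crt_free call in main is the other half of the fix: once the host copies the name, the extension's original string is no longer released by the host and has to be freed by whoever allocated it.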