From:             cataphract
Operating system: Windows
PHP version:      trunk-SVN-2010-09-04 (snap)
Package:          Variables related
Bug Type:         Bug
Bug description: var_dump() doesn't check for the existence of get_class_name
before calling it

Description:
------------
php_var_dump has a NULL pointer dereference in var.c:136



Z_OBJ_HANDLER(**struc, get_class_name)(*struc, &class_name,
&class_name_len, 0 TSRMLS_CC);



It doesn't check for the existence of the get_class_name handler before
calling it. In particular, it will crash when given a proxy object, which has no such handler.



The engine always checks for the existence of this handler before calling it.
See e.g. the definitions of ZEND_FUNCTION(get_parent_class) and
zend_print_flat_zval_r:



http://lxr.php.net/search?q=%22ZEND_FUNCTION%28get_parent_class%29%22&project=PHP_TRUNK&defs=&refs=&path=&hist=

http://lxr.php.net/search?q=zend_print_flat_zval_r&project=PHP_TRUNK&defs=&refs=&path=&hist=

Test script:
---------------
/* Extension */





/* Instance layout for ProxyTestClass. The zend_object header is the first
 * member so the object-store pointer can be used interchangeably as a
 * zend_object * and a proxy_test * (see p_ce_create_object / p_read_property). */
typedef struct _proxy_test {

        zend_object std;   /* standard object header; must stay first */

        long value;        /* the scalar every plain property read returns */

} proxy_test;

/* Class entry filled in by MINIT. */
static zend_class_entry *pt_ce_ptr;

/* Handler table installed on every instance: a copy of the std handlers with
 * the three property handlers replaced (see MINIT). */
static zend_object_handlers p_obj_handlers;

/* create_object handler for ProxyTestClass.
 *
 * Allocates a proxy_test, runs the standard object initialisation, seeds
 * `value`, registers the object in the object store with the standard
 * destructor/free callbacks and points it at our private handler table.
 *
 * Returns the store handle plus handler pointer the engine expects. */
static zend_object_value p_ce_create_object(zend_class_entry *class_type TSRMLS_DC)
{
    proxy_test *self = emalloc(sizeof *self);
    zend_object_value result;

    zend_object_std_init(&self->std, class_type TSRMLS_CC);
    self->value = 7;   /* arbitrary seed; any non-zero value makes reads visibly "ours" */
    object_properties_init(&self->std, class_type);

    result.handle = zend_objects_store_put(self,
                                           (zend_objects_store_dtor_t) zend_objects_destroy_object,
                                           (zend_objects_free_object_storage_t) zend_objects_free_object_storage,
                                           NULL TSRMLS_CC);
    result.handlers = &p_obj_handlers;

    return result;
}

/* read_property handler.
 *
 * For write-style fetches (BP_VAR_W / BP_VAR_RW / BP_VAR_UNSET; presumably the
 * path `$h =& $n->whatever` takes) the engine is asked for a proxy object. For
 * plain reads a fresh IS_LONG carrying `value` is built. Either way the
 * refcount is decremented once before returning — NOTE(review): presumably so
 * the engine takes ownership of the result; confirm against the handler contract.
 * `key` is unused. */
zval *p_read_property(zval *object, zval *member, int type, const struct _zend_literal *key TSRMLS_DC)
{
        proxy_test *self = zend_object_store_get_object(object TSRMLS_CC);
        zval *result;
        int wants_write = (type == BP_VAR_W) || (type == BP_VAR_RW) || (type == BP_VAR_UNSET);

        if (wants_write) {
                result = zend_object_create_proxy(object, member TSRMLS_CC);
        } else {
                MAKE_STD_ZVAL(result);
                ZVAL_LONG(result, self->value);
        }

        Z_DELREF_P(result);
        return result;
}



/* write_property handler.
 *
 * Only IS_LONG values are stored into `value`; writes of any other type are
 * ignored without error. `member` and `key` are unused. */
void p_write_property(zval *object, zval *member, zval *value, const struct _zend_literal *key TSRMLS_DC)
{
        proxy_test *self = zend_object_store_get_object(object TSRMLS_CC);

        if (Z_TYPE_P(value) != IS_LONG) {
                return;   /* non-long writes are deliberately dropped */
        }

        self->value = Z_LVAL_P(value);
}

/* get_property_ptr_ptr handler.
 *
 * Never hands out a zval slot — presumably this forces the engine through
 * read_property / write_property instead (see the bug #51768 remark in MINIT
 * on why an empty implementation is preferred to a NULL handler). */
zval **p_get_property_ptr_ptr(zval *object, zval *member, const struct _zend_literal *key TSRMLS_DC)
{
        (void) object;
        (void) member;
        (void) key;

        return NULL;
}



/*static zend_function_entry proxy_test_methods[] = {

        {NULL, NULL, NULL, 0, 0}

};*/



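/* MINIT for the test extension.
 *
 * Registers ProxyTestClass with p_ce_create_object as its constructor hook,
 * then builds p_obj_handlers as a copy of the standard handler table with only
 * the three property handlers replaced.
 *
 * Returns SUCCESS. The original fell off the end of this int-returning
 * function (ZEND_MODULE_STARTUP_D declares it non-void), which is undefined
 * behaviour and leaves the engine's startup check reading an indeterminate value. */
ZEND_MODULE_STARTUP_D(testext)
{
        zend_class_entry ce;

        INIT_CLASS_ENTRY(ce, "ProxyTestClass", NULL);
        pt_ce_ptr = zend_register_internal_class(&ce TSRMLS_CC);
        pt_ce_ptr->create_object = p_ce_create_object;

        memcpy(&p_obj_handlers, zend_get_std_object_handlers(), sizeof p_obj_handlers);

        /* could be NULL, but an empty impl is better (see bug #51768) */
        p_obj_handlers.get_property_ptr_ptr = p_get_property_ptr_ptr;
        p_obj_handlers.read_property = p_read_property;
        p_obj_handlers.write_property = p_write_property;

        return SUCCESS;
}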



/* Script */



<?php

// Taking a reference to a property is a write-style fetch (presumably BP_VAR_W),
// so p_read_property hands back an engine proxy object rather than a value.
$n = new ProxyTestClass();

$h =& $n->whatever;

var_dump($h); // NULL-pointer dereference on handler get_class_name

Expected result:
----------------
No crash. Possibly, var_dump could show "proxy object" and show the zval
returned by the get handler or it could just fail.

Actual result:
--------------
        00000000()      

>       php5ts_debug.dll!php_var_dump(_zval_struct * * struc=0x010a22a8, int
level=1, void * * * tsrm_ls=0x00fc4bf8)  Line 136 + 0x23 bytes  C

        php5ts_debug.dll!zif_var_dump(int ht=1, _zval_struct *
return_value=0x010bf3f0, _zval_struct * * return_value_ptr=0x00000000,
_zval_struct * this_ptr=0x00000000, int return_value_used=0, void * * *
tsrm_ls=0x00fc4bf8)  Line 181 + 0x15 bytes      C

        php5ts_debug.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data *
execute_data=0x010a20d8, void * * * tsrm_ls=0x00fc4bf8)  Line 638 + 0x5f
bytes   C

        php5ts_debug.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data *
execute_data=0x010a20d8, void * * * tsrm_ls=0x00fc4bf8)  Line 2018      C

        php5ts_debug.dll!execute(_zend_op_array * op_array=0x010c0dc8, void * * 
*
tsrm_ls=0x00fc4bf8)  Line 410 + 0x11 bytes      C

        php5ts_debug.dll!zend_execute_scripts(int type=8, void * * *
tsrm_ls=0x00fc4bf8, _zval_struct * * retval=0x00000000, int file_count=3,
...)  Line 1193 + 0x21 bytes    C

        php5ts_debug.dll!php_execute_script(_zend_file_handle *
primary_file=0x0095fb48, void * * * tsrm_ls=0x00fc4bf8)  Line 2330 + 0x1b
bytes   C

        php.exe!main(int argc=2, char * * argv=0x00fc4af8)  Line 1252 + 0x13
bytes   C

        php.exe!__tmainCRTStartup()  Line 555 + 0x19 bytes      C

        php.exe!mainCRTStartup()  Line 371      C


