php / php-src

The PHP Interpreter
https://www.php.net

Segmentation fault in ext/spl/spl_directory.c #16477

Open YuanchengJiang opened 1 day ago

YuanchengJiang commented 1 day ago

Description

The following code:

<?php
$obj = new SplFileObject(__FILE__);
function test($function) {
    try {
        @$function();
    } catch (Throwable) {
        // ignore every error: the crash happens in the engine, not here
    }
}
// call every method of every declared class on the SplFileObject instance
foreach (get_declared_classes() as $class) {
    foreach (get_class_methods($class) as $method) {
        test([$obj, $method]);
    }
}

Resulted in this output:

/php-src/ext/spl/spl_directory.c:650:3: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')

PHP Version

nightly

Operating System

ubuntu 22.04

Girgias commented 1 day ago

Smaller reproducible:

<?php
$obj = new SplFileObject(__FILE__);

$class = 'SensitiveParameterValue';

// call each method of an unrelated class on the SplFileObject instance
foreach (get_class_methods($class) as $method) {
    echo "Method: $method\n";
    try {
        $obj->$method();
    } catch (Throwable $e) {
        echo $e::class, ': ', $e->getMessage(), PHP_EOL;
    }
}

The issue seems to possibly be with get_class_methods() as if I set $method = '__debugInfo' explicitly, it works.

Girgias commented 1 day ago

Okay, I figured out the issue:

<?php
$obj = new SplFileObject(__FILE__);

// second call to the constructor on an already-constructed object fails
try {
    $obj->__construct();
} catch (Throwable $e) {
    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
}
// reads the state left behind by the failed constructor call
$obj->__debugInfo();

The constructor, when it fails, sets intern->u.file.open_mode = NULL; which causes the null deref afterwards.