Member access within null pointer in ext/spl/spl_observer.c #14639
Comments
Can you try and reduce the reproducible?
@Girgias I have reduced the case by delta debugging (might not be the minimal one). It still requires lots of junk code to be reproduced, which also confuses me.
Okay, I will have a look at this at one point, but I am busy with some other stuff. Does this only reproduce on master or also on PHP 8.2?
Not sure. I do not have 8.2 in my hands now. It reproduced in PHP 8.4.0-dev. Hope valgrind output helps:
I can't reproduce this yet, but because it's a NULL deref and there's a memory limit involved, I'm gonna take an educated guess and say this is a classic "publish before initialize" bug. Probably we're allocating some memory and already putting an object somewhere, allocating some more during initialization which fails. Then it bails out and we're hitting a semi-initialized object.
With a bit of fiddling, reduced to
So yeah, indeed what I thought:
…erver.c `spl_object_storage_attach_handle` creates an entry already, but only fills it in at the end with `spl_object_storage_create_element` which allocates memory. In this case the allocation fails and we're left with a NULL slot. Doing the allocation first isn't an option because we want to check whether the slot is occupied before allocating memory. The simplest solution is to set the entry to NULL and check for a NULL pointer upon destruction.
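The pattern the commit message describes (an entry published to the table before the element it should point to has been allocated, and a destructor that then dereferences the empty entry) is easy to reproduce in isolation. The following is an added C model, not code from php-src: `bucket`/`storage` stand in for the `zend_hash` entries, `budgeted_malloc` for the memory_limit bailout, `storage_attach` for `spl_object_storage_attach_handle` plus `spl_object_storage_create_element`, and `storage_destroy` for the destructor with the NULL check the fix adds. All names, the budget arithmetic and the scenario are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSLOTS 8

/* One stored element; building it takes two allocations, either of which can fail. */
typedef struct { int handle; char *payload; } element;

/* Hash-table bucket: `used` means the entry was published to the table,
 * `value` stays NULL until the element has been fully constructed. */
typedef struct { int used; element *value; } bucket;
typedef struct { bucket buckets[NSLOTS]; } storage;

/* Constructed allocator with a byte budget, standing in for the engine's
 * memory_limit bailout: once the budget is spent, every allocation fails. */
static size_t alloc_budget = (size_t)-1;

static void *budgeted_malloc(size_t n)
{
    if (n > alloc_budget) return NULL;
    alloc_budget -= n;
    return malloc(n);
}

static void storage_init(storage *s) { memset(s, 0, sizeof *s); }

/* Publish the bucket first so occupancy can be checked before spending memory,
 * then build the element. Returns 1 for a new element, 2 if the handle was
 * already attached, 0 if allocation failed; in that last case the bucket is
 * left published with value == NULL, the state the bug report describes. */
static int storage_attach(storage *s, int handle, const char *payload)
{
    bucket *b = &s->buckets[handle % NSLOTS];
    if (!b->used) {
        b->used = 1;
        b->value = NULL;                /* explicit NULL, as the fix does */
    } else if (b->value != NULL) {
        return 2;                       /* already attached: nothing to build */
    }
    element *e = budgeted_malloc(sizeof *e);
    if (e == NULL) return 0;            /* bucket stays published but empty */
    e->handle = handle;
    e->payload = budgeted_malloc(strlen(payload) + 1);
    if (e->payload == NULL) { free(e); return 0; }
    strcpy(e->payload, payload);
    b->value = e;                       /* fully built: safe to hand out */
    return 1;
}

/* Fixed destructor. Before the fix this loop did `free(b->value->payload)` for
 * every used bucket, which is a member access through NULL for a bucket whose
 * construction failed. Returns the number of elements released; *skipped gets
 * the number of empty buckets that were tolerated instead of dereferenced. */
static int storage_destroy(storage *s, int *skipped)
{
    int freed = 0;
    *skipped = 0;
    for (int i = 0; i < NSLOTS; i++) {
        bucket *b = &s->buckets[i];
        if (!b->used) continue;
        if (b->value == NULL) {         /* the check the fix adds */
            (*skipped)++;
        } else {
            free(b->value->payload);
            free(b->value);
            freed++;
        }
        b->used = 0;
        b->value = NULL;
    }
    return freed;
}

/* Scenario: two attaches succeed, the budget runs out inside the third, and
 * destruction must still be safe. Returns elements freed, or -1 if the
 * attaches did not behave as the scenario expects. */
static int run_scenario(int *skipped)
{
    storage s;
    storage_init(&s);
    alloc_budget = 2 * (sizeof(element) + 2);   /* exactly two "x\0" elements */
    int r1 = storage_attach(&s, 1, "a");
    int r2 = storage_attach(&s, 2, "b");
    int r3 = storage_attach(&s, 3, "c");        /* element allocation fails here */
    if (r1 != 1 || r2 != 1 || r3 != 0) return -1;
    return storage_destroy(&s, skipped);
}

int main(void)
{
    int skipped = 0;
    int freed = run_scenario(&skipped);
    printf("freed=%d empty_buckets_skipped=%d\n", freed, skipped);
    return (freed == 2 && skipped == 1) ? 0 : 1;
}
```

The ordering in `storage_attach` is the same trade-off the commit message states: the occupancy check has to come before the allocation, so the entry necessarily exists before the element does, and the only robust option is to make the empty state explicit (NULL) and have every consumer of the table tolerate it. Running the scenario under ASan or valgrind with the NULL check removed from `storage_destroy` reproduces the "member access within null pointer" report in miniature.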
* PHP-8.2: Fix GH-14639: Member access within null pointer in ext/spl/spl_observer.c
* PHP-8.3: Fix GH-14639: Member access within null pointer in ext/spl/spl_observer.c
Description
The following code:
Resulted in this output:
To reproduce:
PHP Version
PHP 8.4.0-dev
Operating System
Ubuntu 22.04