SIGSEGV when access to private property via &_

SIGSEGV when access to private property via &__get

Bug #48248	SIGSEGV when access to private property via &__get
Submitted:	2009-05-12 17:09 UTC	Modified:	2009-05-12 23:39 UTC
From:	ladislav at marek dot su	Assigned:	felipe (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.2CVS-2009-05-12	OS:	* 64bit
Private report:	No	CVE-ID:	None

[2009-05-12 17:09 UTC] ladislav at marek dot su

Description:
------------
Attempt to access private property of extended class when the parent class has method '__get' which returns reference, causing segmentation fault.

Compiled only with --enable-debug.

Reproduce code:
---------------
class A
{
    public function & __get($name)
    {
        return $this->test;
    }
}

class B extends A
{
    private $test;
}


$b = new B;
var_dump($b->test);

Expected result:
----------------
NULL

Actual result:
--------------
#0  0x00000000007b4859 in zend_std_get_property_ptr_ptr (object=0x29d83c8, member=0x29dbca8) at /root/php/php5.3-200905121430/Zend/zend_object_handlers.c:588
#1  0x00000000007b9b2e in zend_fetch_property_address (result=0x7f0590a24350, container_ptr=0xdd73c0, prop_ptr=0x29dbca8, type=1)
    at /root/php/php5.3-200905121430/Zend/zend_execute.c:1156
#2  0x000000000082e580 in ZEND_FETCH_OBJ_W_SPEC_UNUSED_CONST_HANDLER (execute_data=0x7f0590a242a8)
    at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:17494
#3  0x00000000007ba081 in execute (op_array=0x29ddae0) at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:104
#4  0x000000000077bcd3 in zend_call_function (fci=0x7fff98bb4d10, fci_cache=0x7fff98bb4ca0) at /root/php/php5.3-200905121430/Zend/zend_execute_API.c:936
#5  0x00000000007a684b in zend_call_method (object_pp=0x7fff98bb4db8, obj_ce=0x29dbe18, fn_proxy=0x29dbfd8, function_name=0xb4dd62 "__get",
    function_name_len=5, retval_ptr_ptr=0x7fff98bb4dc8, param_count=1, arg1=0x29dca60, arg2=0x0) at /root/php/php5.3-200905121430/Zend/zend_interfaces.c:97
#6  0x00000000007b29e9 in zend_std_call_getter (object=0x29d83c8, member=0x29dca60) at /root/php/php5.3-200905121430/Zend/zend_object_handlers.c:81
#7  0x00000000007b383a in zend_std_read_property (object=0x29d83c8, member=0x29d98c0, type=0)
    at /root/php/php5.3-200905121430/Zend/zend_object_handlers.c:350
#8  0x000000000084944b in zend_fetch_property_address_read_helper_SPEC_CV_CONST (type=0, execute_data=0x7f0590a24090)
    at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:23769
#9  0x0000000000849574 in ZEND_FETCH_OBJ_R_SPEC_CV_CONST_HANDLER (execute_data=0x7f0590a24090) at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:23794
#10 0x00000000007ba081 in execute (op_array=0x29d8f90) at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:104
#11 0x000000000078b381 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php/php5.3-200905121430/Zend/zend.c:1188
#12 0x0000000000719fad in php_execute_script (primary_file=0x7fff98bb7620) at /root/php/php5.3-200905121430/main/main.c:2182
#13 0x000000000086fd03 in main (argc=2, argv=0x7fff98bb7868) at /root/php/php5.3-200905121430/sapi/cli/php_cli.c:1188

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-05-12 23:21 UTC] felipe@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.