PHP Driver: Extension / PHPC-531

Segfault due to double free by corrupt BSON visitor

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 1.1.3
    • Affects Version/s: 1.1.1
    • Component/s: None
    • None

      <?php
      $src = MongoDB\BSON\fromPHP(["hello" => "world"]);
      $src[4] = 1;
      $arr = MongoDB\BSON\toPHP($src);
      
      Program received signal SIGSEGV, Segmentation fault.
      0x0000000000929489 in zend_objects_destroy_object (object=0x13c1130, handle=1, tsrm_ls=0x11156e0) at /usr/local/p/src/5.6.16/Zend/zend_objects.c:63
      63		zend_function *destructor = object ? object->ce->destructor : NULL;
      (gdb) bt
      #0  0x0000000000929489 in zend_objects_destroy_object (object=0x13c1130, handle=1, tsrm_ls=0x11156e0) at /usr/local/p/src/5.6.16/Zend/zend_objects.c:63
      #1  0x0000000000931350 in zend_objects_store_call_destructors (objects=0x1119140, tsrm_ls=0x11156e0) at /usr/local/p/src/5.6.16/Zend/zend_objects_API.c:57
      #2  0x00000000008cf67b in shutdown_destructors (tsrm_ls=0x11156e0) at /usr/local/p/src/5.6.16/Zend/zend_execute_API.c:216
      #3  0x00000000008e9416 in zend_call_destructors (tsrm_ls=0x11156e0) at /usr/local/p/src/5.6.16/Zend/zend.c:944
      #4  0x0000000000821e95 in php_request_shutdown (dummy=0x0) at /usr/local/p/src/5.6.16/main/main.c:1824
      #5  0x00000000009bd4f5 in do_cli (argc=4, argv=0x11155a0, tsrm_ls=0x11156e0) at /usr/local/p/src/5.6.16/sapi/cli/php_cli.c:1177
      #6  0x00000000009bde87 in main (argc=4, argv=0x11155a0) at /usr/local/p/src/5.6.16/sapi/cli/php_cli.c:1378
      (gdb) p *object
      $1 = {
        ce = 0x1, 
        properties = 0x10e8400 <std_object_handlers>, 
        properties_table = 0xffffffff, 
        guards = 0x0
      }
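
What the `$src[4] = 1` line in the reproduction does to the document, as an added example that is not part of the original report or the driver's code: byte 4 is the first element's type byte, and PHP writes the character "1" (0x31) there, which is not a defined BSON type. `sampleBson()` builds constructed bytes by hand so no extension is needed, and `firstBadOffset()` is a hypothetical minimal walker covering three element types (PHP 7.1+ assumed).

```php
<?php
// Constructed sample: the BSON bytes for ["hello" => "world"], built by hand
// so the example runs without the MongoDB extension.
function sampleBson(): string
{
    $element = "\x02" . "hello\x00" . pack('V', 6) . "world\x00";
    return pack('V', 4 + strlen($element) + 1) . $element . "\x00";
}

// Hypothetical helper: walk the top-level elements and return the offset of
// the first malformed one, or null when the document is well formed.
// Only double (0x01), string (0x02) and int32 (0x10) are handled here.
function firstBadOffset(string $bson): ?int
{
    $len = strlen($bson);
    // Length prefix must match the buffer, and the document must end in 0x00.
    if ($len < 5 || unpack('V', $bson)[1] !== $len || $bson[$len - 1] !== "\x00") {
        return 0;
    }
    $pos = 4;
    while ($pos < $len - 1) {
        $type = ord($bson[$pos]);
        $nameEnd = strpos($bson, "\x00", $pos + 1);
        if ($nameEnd === false || $nameEnd >= $len - 1) {
            return $pos; // element name is not terminated inside the document
        }
        $value = $nameEnd + 1;
        if ($type === 0x01) {
            $size = 8;
        } elseif ($type === 0x10) {
            $size = 4;
        } elseif ($type === 0x02 && $value + 4 <= $len - 1) {
            $size = 4 + unpack('V', $bson, $value)[1];
        } else {
            return $pos; // unknown type byte or truncated string header
        }
        if ($value + $size > $len - 1) {
            return $pos; // value runs past the end of the document
        }
        $pos = $value + $size;
    }
    return null;
}

$src = sampleBson();
var_dump(firstBadOffset($src));
$src[4] = 1; // same edit as the report: PHP casts 1 to the string "1"
var_dump(ord($src[4]), firstBadOffset($src));
```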
      
      

    • Assignee: Jeremy Mikola (jmikola@mongodb.com)
    • Reporter: Hannes Magnusson (bjori)
    • Votes: 0
    • Watchers: 2
