Fixed bug #43128 (Very long class name causes segfault)

Author: dstogov

NEWS

@@ -62,6 +62,7 @@ PHP                                                                        NEWS
 - Fixed bug #43136 (possible crash on script execution timeout.
   The EG(function_state_ptr) is completely removed,
   EG(current_execute_data)->function_state must be used instead). (Dmitry)
+- Fixed bug #43128 (Very long class name causes segfault). (Dmitry)
 - Fixed bug #42848 (Status: header incorrect under FastCGI). (Dmitry)
 - Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry)
 - Fixed bug #42737 (preg_split('//u') triggers a E_NOTICE with newlines). (Nuno)

TSRM/tsrm_config_common.h

@@ -52,9 +52,17 @@ char *alloca ();
 #endif
 
 #if (HAVE_ALLOCA || (defined (__GNUC__) && __GNUC__ >= 2))
-# define tsrm_do_alloca(p) alloca(p)
-# define tsrm_free_alloca(p)
+# define TSRM_ALLOCA_MAX_SIZE 4096
+# define TSRM_ALLOCA_FLAG(name) \
+	int name;
+# define tsrm_do_alloca_ex(size, limit, use_heap) \
+	((use_heap = ((size) > (limit))) ? malloc(size) : alloca(size))
+# define tsrm_do_alloca(size, use_heap) \
+	tsrm_do_alloca_ex(size, TSRM_ALLOCA_MAX_SIZE, use_heap)
+# define tsrm_free_alloca(p, use_heap) \
+	do { if (use_heap) free(p); } while (0)
 #else
+# define TSRM_ALLOCA_FLAG(name)
 # define tsrm_do_alloca(p)   malloc(p)
 # define tsrm_free_alloca(p) free(p)
 #endif

TSRM/tsrm_virtual_cwd.c

@@ -777,6 +777,7 @@ CWD_API int virtual_chdir_file(const char *path, int (*p_chdir)(const char *path
 	int length = strlen(path);
 	char *temp;
 	int retval;
+	TSRM_ALLOCA_FLAG(use_heap)
 
 	if (length == 0) {
 		return 1; /* Can't cd to empty string */
@@ -793,14 +794,14 @@ CWD_API int virtual_chdir_file(const char *path, int (*p_chdir)(const char *path
 	if (length == COPY_WHEN_ABSOLUTE(path) && IS_ABSOLUTE_PATH(path, length+1)) { /* Also use trailing slash if this is absolute */
 		length++;
 	}
-	temp = (char *) tsrm_do_alloca(length+1);
+	temp = (char *) tsrm_do_alloca(length+1, use_heap);
 	memcpy(temp, path, length);
 	temp[length] = 0;
 #if VIRTUAL_CWD_DEBUG
 	fprintf (stderr, "Changing directory to %s\n", temp);
 #endif
 	retval = p_chdir(temp TSRMLS_CC);
-	tsrm_free_alloca(temp);
+	tsrm_free_alloca(temp, use_heap);
 	return retval;
 }
 /* }}} */

Zend/tests/bug43128.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #43128 Very long class name causes segfault 
+--FILE--
+<?php
+
+$a = str_repeat("a", 10 * 1024 * 1024);
+
+# call_user_func($a); // Warning
+# $a->$a();           // Fatal error
+
+if ($a instanceof $a); // Segmentation fault
+new $a;                // Segmentation fault
+echo "ok\n";
+--EXPECT--
+ok

Zend/zend.h

@@ -177,9 +177,17 @@ char *alloca ();
 #endif
 
 #if (HAVE_ALLOCA || (defined (__GNUC__) && __GNUC__ >= 2)) && !(defined(ZTS) && defined(ZEND_WIN32)) && !(defined(ZTS) && defined(NETWARE)) && !(defined(ZTS) && defined(HPUX)) && !defined(DARWIN)
-# define do_alloca(p) alloca(p)
-# define free_alloca(p)
+# define ZEND_ALLOCA_MAX_SIZE (32 * 1024)
+# define ALLOCA_FLAG(name) \
+	zend_bool name;
+# define do_alloca_ex(size, limit, use_heap) \
+	((use_heap = (UNEXPECTED((size) > (limit)))) ? emalloc(size) : alloca(size))
+# define do_alloca(size, use_heap) \
+	do_alloca_ex(size, ZEND_ALLOCA_MAX_SIZE, use_heap)
+# define free_alloca(p, use_heap) \
+	do { if (UNEXPECTED(use_heap)) efree(p); } while (0)
 #else
+# define ALLOCA_FLAG(name)
 # define do_alloca(p)		emalloc(p)
 # define free_alloca(p)	efree(p)
 #endif

Zend/zend_API.c

@@ -1863,11 +1863,10 @@ ZEND_API int zend_register_functions(zend_class_entry *scope, const zend_functio
 			}
 		}
 		fname_len = strlen(ptr->fname);
-		lowercase_name = do_alloca(fname_len+1);
-		zend_str_tolower_copy(lowercase_name, ptr->fname, fname_len);
+		lowercase_name = zend_str_tolower_dup(ptr->fname, fname_len);
 		if (zend_hash_add(target_function_table, lowercase_name, fname_len+1, &function, sizeof(zend_function), (void**)&reg_function) == FAILURE) {
 			unload=1;
-			free_alloca(lowercase_name);
+			efree(lowercase_name);
 			break;
 		}
 		if (scope) {
@@ -1909,7 +1908,7 @@ ZEND_API int zend_register_functions(zend_class_entry *scope, const zend_functio
 		}
 		ptr++;
 		count++;
-		free_alloca(lowercase_name);
+		efree(lowercase_name);
 	}
 	if (unload) { /* before unloading, display all remaining bad function in the module */
 		if (scope) {

Zend/zend_builtin_functions.c

@@ -1034,19 +1034,20 @@ ZEND_FUNCTION(class_exists)
 	char *class_name, *lc_name;
 	zend_class_entry **ce;
 	int class_name_len;
-	zend_bool autoload = 1;
 	int found;
+	zend_bool autoload = 1;
+	ALLOCA_FLAG(use_heap)
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &class_name, &class_name_len, &autoload) == FAILURE) {
 		return;
 	}
 
 	if (!autoload) {
-		lc_name = do_alloca(class_name_len + 1);
+		lc_name = do_alloca(class_name_len + 1, use_heap);
 		zend_str_tolower_copy(lc_name, class_name, class_name_len);
 
 		found = zend_hash_find(EG(class_table), lc_name, class_name_len+1, (void **) &ce);
-		free_alloca(lc_name);
+		free_alloca(lc_name, use_heap);
 		RETURN_BOOL(found == SUCCESS && !((*ce)->ce_flags & ZEND_ACC_INTERFACE));
 	}
 
@@ -1065,19 +1066,20 @@ ZEND_FUNCTION(interface_exists)
 	char *iface_name, *lc_name;
 	zend_class_entry **ce;
 	int iface_name_len;
-	zend_bool autoload = 1;
 	int found;
+	zend_bool autoload = 1;
+	ALLOCA_FLAG(use_heap)
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &iface_name, &iface_name_len, &autoload) == FAILURE) {
 		return;
 	}
 
 	if (!autoload) {
-		lc_name = do_alloca(iface_name_len + 1);
+		lc_name = do_alloca(iface_name_len + 1, use_heap);
 		zend_str_tolower_copy(lc_name, iface_name, iface_name_len);
 
 		found = zend_hash_find(EG(class_table), lc_name, iface_name_len+1, (void **) &ce);
-		free_alloca(lc_name);
+		free_alloca(lc_name, use_heap);
 		RETURN_BOOL(found == SUCCESS && (*ce)->ce_flags & ZEND_ACC_INTERFACE);
 	}
 

Zend/zend_compile.c

@@ -1088,6 +1088,7 @@ void zend_do_begin_function_declaration(znode *function_token, znode *function_n
 	zend_uint fn_flags;
 	char *lcname;
 	zend_bool orig_interactive;
+	ALLOCA_FLAG(use_heap)
 
 	if (is_method) {
 		if (CG(active_class_entry)->ce_flags & ZEND_ACC_INTERFACE) {
@@ -1148,7 +1149,7 @@ void zend_do_begin_function_declaration(znode *function_token, znode *function_n
 		}
 
 		if (!(CG(active_class_entry)->ce_flags & ZEND_ACC_INTERFACE)) {
-			short_class_name = do_alloca(short_class_name_length + 1);
+			short_class_name = do_alloca(short_class_name_length + 1, use_heap);
 			zend_str_tolower_copy(short_class_name, CG(active_class_entry)->name, short_class_name_length);
 			/* Improve after RC: cache the lowercase class name */
 
@@ -1184,7 +1185,7 @@ void zend_do_begin_function_declaration(znode *function_token, znode *function_n
 			} else if (!(fn_flags & ZEND_ACC_STATIC)) {
 				CG(active_op_array)->fn_flags |= ZEND_ACC_ALLOW_STATIC;
 			}
-			free_alloca(short_class_name);
+			free_alloca(short_class_name, use_heap);
 		}
 
 		efree(lcname);

Zend/zend_compile.h

@@ -299,6 +299,7 @@ struct _zend_execute_data {
 	union _temp_variable *Ts;
 	zval ***CVs;
 	zend_bool original_in_execution;
+	ALLOCA_FLAG(use_heap)
 	HashTable *symbol_table;
 	struct _zend_execute_data *prev_execute_data;
 	zval *old_error_reporting;

Zend/zend_execute.c

@@ -1427,12 +1427,7 @@ ZEND_API void execute_internal(zend_execute_data *execute_data_ptr, int return_v
 	}
 
 #define ZEND_VM_EXIT_FROM_EXECUTE_LOOP() \
-	free_alloca(EX(CVs)); \
-	if (EX(op_array)->T < TEMP_VAR_STACK_LIMIT) { \
-		free_alloca(EX(Ts)); \
-	} else { \
-		efree(EX(Ts)); \
-	} \
+	free_alloca(EX(CVs), EX(use_heap)); \
 	EG(in_execution) = EX(original_in_execution); \
 	EG(current_execute_data) = EX(prev_execute_data); \
 	EG(opline_ptr) = NULL;

Zend/zend_execute_API.c

@@ -1082,15 +1082,16 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
 	char *lc_name;
 	char *lc_free;
 	zval *exception;
-	char dummy = 1;
 	zend_fcall_info fcall_info;
 	zend_fcall_info_cache fcall_cache;
+	char dummy = 1;
+	ALLOCA_FLAG(use_heap)
 
 	if (name == NULL || !name_length) {
 		return FAILURE;
 	}
 
-	lc_free = lc_name = do_alloca(name_length + 1);
+	lc_free = lc_name = do_alloca(name_length + 1, use_heap);
 	zend_str_tolower_copy(lc_name, name, name_length);
 
 	if (lc_name[0] == ':' && lc_name[1] == ':') {
@@ -1099,15 +1100,15 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
 	}
 
 	if (zend_hash_find(EG(class_table), lc_name, name_length + 1, (void **) ce) == SUCCESS) {
-		free_alloca(lc_free);
+		free_alloca(lc_free, use_heap);
 		return SUCCESS;
 	}
 
 	/* The compiler is not-reentrant. Make sure we __autoload() only during run-time
 	 * (doesn't impact fuctionality of __autoload()
 	*/
 	if (!use_autoload || zend_is_compiling(TSRMLS_C)) {
-		free_alloca(lc_free);
+		free_alloca(lc_free, use_heap);
 		return FAILURE;
 	}
 
@@ -1117,7 +1118,7 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
 	}
 
 	if (zend_hash_add(EG(in_autoload), lc_name, name_length + 1, (void**)&dummy, sizeof(char), NULL) == FAILURE) {
-		free_alloca(lc_free);
+		free_alloca(lc_free, use_heap);
 		return FAILURE;
 	}
 
@@ -1155,12 +1156,12 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
 
 	if (retval == FAILURE) {
 		EG(exception) = exception;
-		free_alloca(lc_free);
+		free_alloca(lc_free, use_heap);
 		return FAILURE;
 	}
 
 	if (EG(exception) && exception) {
-		free_alloca(lc_free);
+		free_alloca(lc_free, use_heap);
 		zend_error(E_ERROR, "Function %s(%s) threw an exception of type '%s'", ZEND_AUTOLOAD_FUNC_NAME, name, Z_OBJCE_P(EG(exception))->name);
 		return FAILURE;
 	}
@@ -1172,7 +1173,7 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, int use_aut
 	}
 
 	retval = zend_hash_find(EG(class_table), lc_name, name_length + 1, (void **) ce);
-	free_alloca(lc_free);
+	free_alloca(lc_free, use_heap);
 	return retval;
 }
 /* }}} */

Zend/zend_object_handlers.c

@@ -776,14 +776,15 @@ static union _zend_function *zend_std_get_method(zval **object_ptr, char *method
 	zend_function *fbc;
 	char *lc_method_name;
 	zval *object = *object_ptr;
+	ALLOCA_FLAG(use_heap)
 
-	lc_method_name = do_alloca(method_len+1);
+	lc_method_name = do_alloca(method_len+1, use_heap);
 	/* Create a zend_copy_str_tolower(dest, src, src_length); */
 	zend_str_tolower_copy(lc_method_name, method_name, method_len);
 
 	zobj = Z_OBJ_P(object);
 	if (zend_hash_find(&zobj->ce->function_table, lc_method_name, method_len+1, (void **)&fbc) == FAILURE) {
-		free_alloca(lc_method_name);
+		free_alloca(lc_method_name, use_heap);
 		if (zobj->ce->__call) {
 			zend_internal_function *call_user_call = emalloc(sizeof(zend_internal_function));
 			call_user_call->type = ZEND_INTERNAL_FUNCTION;
@@ -838,7 +839,7 @@ static union _zend_function *zend_std_get_method(zval **object_ptr, char *method
 		}
 	}
 
-	free_alloca(lc_method_name);
+	free_alloca(lc_method_name, use_heap);
 	return fbc;
 }
 /* }}} */

Zend/zend_vm_execute.h

@@ -45,12 +45,13 @@ ZEND_API void execute(zend_op_array *op_array TSRMLS_DC)
 	EX(called_scope) = NULL;
 	EX(object) = NULL;
 	EX(old_error_reporting) = NULL;
-	if (op_array->T < TEMP_VAR_STACK_LIMIT) {
-		EX(Ts) = (temp_variable *) do_alloca(sizeof(temp_variable) * op_array->T);
+	if (EXPECTED(op_array->T < TEMP_VAR_STACK_LIMIT && op_array->last_var < TEMP_VAR_STACK_LIMIT)) {
+		EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var + sizeof(temp_variable) * op_array->T, EX(use_heap));
 	} else {
-		EX(Ts) = (temp_variable *) safe_emalloc(sizeof(temp_variable), op_array->T, 0);
+		EX(use_heap) = 1;
+		EX(CVs) = (zval***)safe_emalloc(sizeof(temp_variable), op_array->T, sizeof(zval**) * op_array->last_var);
 	}
-	EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var);
+	EX(Ts) = (temp_variable *)(EX(CVs) + op_array->last_var);
 	memset(EX(CVs), 0, sizeof(zval**) * op_array->last_var);
 	EX(op_array) = op_array;
 	EX(original_in_execution) = EG(in_execution);

Zend/zend_vm_execute.skl

@@ -16,12 +16,13 @@ ZEND_API void {%EXECUTOR_NAME%}(zend_op_array *op_array TSRMLS_DC)
 	EX(called_scope) = NULL;
 	EX(object) = NULL;
 	EX(old_error_reporting) = NULL;
-	if (op_array->T < TEMP_VAR_STACK_LIMIT) {
-		EX(Ts) = (temp_variable *) do_alloca(sizeof(temp_variable) * op_array->T);
+	if (EXPECTED(op_array->T < TEMP_VAR_STACK_LIMIT && op_array->last_var < TEMP_VAR_STACK_LIMIT)) {
+		EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var + sizeof(temp_variable) * op_array->T, EX(use_heap));
 	} else {
-		EX(Ts) = (temp_variable *) safe_emalloc(sizeof(temp_variable), op_array->T, 0);
+		EX(use_heap) = 1;
+		EX(CVs) = (zval***)safe_emalloc(sizeof(temp_variable), op_array->T, sizeof(zval**) * op_array->last_var);
 	}
-	EX(CVs) = (zval***)do_alloca(sizeof(zval**) * op_array->last_var);
+	EX(Ts) = (temp_variable *)(EX(CVs) + op_array->last_var);
 	memset(EX(CVs), 0, sizeof(zval**) * op_array->last_var);
 	EX(op_array) = op_array;
 	EX(original_in_execution) = EG(in_execution);

ext/interbase/ibase_query.c

@@ -1843,6 +1843,7 @@ PHP_FUNCTION(ibase_execute)
 	zval *query, ***args = NULL;
 	ibase_query *ib_query;
 	ibase_result *result = NULL;
+	ALLOCA_FLAG(use_heap)
 
 	RESET_ERRMSG;
 
@@ -1866,7 +1867,7 @@ PHP_FUNCTION(ibase_execute)
 			}
 
 		} else if (bind_n > 0) { /* have variables to bind */
-			args = (zval ***) do_alloca(ZEND_NUM_ARGS() * sizeof(zval **));
+			args = (zval ***) do_alloca(ZEND_NUM_ARGS() * sizeof(zval **), use_heap);
 
 			if (FAILURE == zend_get_parameters_array_ex(ZEND_NUM_ARGS(), args)) {
 				break;
@@ -1907,7 +1908,7 @@ PHP_FUNCTION(ibase_execute)
 	} while (0);
 
 	if (args) {
-		free_alloca(args);
+		free_alloca(args, use_heap);
 	}
 }
 /* }}} */