PHP protobuf extension crashes after cloning a protobuf object #8233

@tony2001

What version of protobuf and what language are you using?
PHP extension version: 3.14.0
Language: PHP

What operating system (Linux, Windows, ...) and version?
Linux

What runtime / compiler are you using (e.g., python version or gcc version)?
GCC 5.3, GCC 7.5

What did you do?

<?php
$t = new \Google\Protobuf\Timestamp();
$tNew = clone $t;
$tNew->serializeToJsonString();

What did you expect to see?
No crash

What did you see instead?
Segmentation fault

Thread 1 "php" received signal SIGSEGV, Segmentation fault.
0x00007ffff49aa1c6 in zim_Message_serializeToJsonString (execute_data=0x7ffff4e140f0, return_value=0x7fffffffa2b0)
    at /build/protobuf-3.14.0/message.c:750
750       size = upb_json_encode(intern->msg, intern->desc->msgdef,
(gdb) bt
#0  0x00007ffff49aa1c6 in zim_Message_serializeToJsonString (execute_data=0x7ffff4e140f0, return_value=0x7fffffffa2b0)
    at /build/protobuf-3.14.0/message.c:750
#1  0x0000000000741b62 in execute_ex ()
#2  0x0000000000743f13 in zend_execute ()
#3  0x00000000006ab6fd in zend_execute_scripts ()
#4  0x000000000063f48c in php_execute_script ()
#5  0x0000000000746495 in do_cli ()
#6  0x0000000000441cd5 in main ()
#7  0x00007ffff569aa35 in __libc_start_main () from /lib64/libc.so.6
#8  0x0000000000442442 in _start ()
(gdb) p *intern
$1 = {std = {gc = {refcount = 2, u = {type_info = 24}}, handle = 5, ce = 0x7ffff4e043b0, handlers = 0xbff7c0 <std_object_handlers>, properties = 0x0, 
    properties_table = {{value = {lval = 140737302307656, dval = 6.9533466158586819e-310, counted = 0x7ffff4e92348, str = 0x7ffff4e92348, 
          arr = 0x7ffff4e92348, obj = 0x7ffff4e92348, res = 0x7ffff4e92348, ref = 0x7ffff4e92348, ast = 0x7ffff4e92348, zv = 0x7ffff4e92348, 
          ptr = 0x7ffff4e92348, ce = 0x7ffff4e92348, func = 0x7ffff4e92348, ww = {w1 = 4108919624, w2 = 32767}}, u1 = {v = {type = 222 '\336', 
            type_flags = 56 '8', u = {extra = 29593}}, type_info = 1939421406}, u2 = {next = 2149246759, cache_slot = 2149246759, opline_num = 2149246759, 
          lineno = 2149246759, num_args = 2149246759, fe_pos = 2149246759, fe_iter_idx = 2149246759, access_flags = 2149246759, property_guard = 2149246759, 
          constant_flags = 2149246759, extra = 2149246759}}}}, arena = {value = {lval = 8, dval = 3.9525251667299724e-323, counted = 0x8, str = 0x8, 
      arr = 0x8, obj = 0x8, res = 0x8, ref = 0x8, ast = 0x8, zv = 0x8, ptr = 0x8, ce = 0x8, func = 0x8, ww = {w1 = 8, w2 = 0}}, u1 = {v = {type = 105 'i', 
        type_flags = 110 'n', u = {extra = 29801}}, type_info = 1953066601}, u2 = {next = 1701015151, cache_slot = 1701015151, opline_num = 1701015151, 
      lineno = 1701015151, num_args = 1701015151, fe_pos = 1701015151, fe_iter_idx = 1701015151, access_flags = 1701015151, property_guard = 1701015151, 
      constant_flags = 1701015151, extra = 1701015151}}, desc = 0x66756200610000, msg = 0x7ffff4e92370}
(gdb) p *intern.desc
Cannot access memory at address 0x66756200610000
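
A way to read the `p *intern` output above, as an added example that is not part of the original report or of the protobuf code base: it checks the dumped fields for addresses that cannot be valid and for scalars that are entirely printable ASCII, which is how stray string data shows up in a struct that was never set up. It assumes x86-64 with 48-bit canonical addresses; the function names and field labels are chosen for illustration.

```python
def is_canonical_x86_64(addr: int) -> bool:
    """True if bits 63..47 are all equal (48-bit canonical form, assumed here)."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def ascii_view(value: int, width: int) -> str:
    """Little-endian bytes of value; printable ASCII kept, the rest shown as '.'."""
    raw = value.to_bytes(width, "little")
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def triage(fields):
    """Return {field: finding} for values that look like stray data."""
    findings = {}
    for name, (value, width, is_pointer) in fields.items():
        text = ascii_view(value, width)
        if is_pointer and not is_canonical_x86_64(value):
            # Dereferencing a non-canonical address faults on x86-64.
            findings[name] = f"non-canonical pointer, bytes={text!r}"
        elif not is_pointer and "." not in text:
            # A flags/index word made only of letters is likely string debris.
            findings[name] = f"all-ASCII scalar, bytes={text!r}"
    return findings


# Values copied from the gdb dump above: (value, width in bytes, is_pointer).
INTERN_FIELDS = {
    "std.ce": (0x7FFFF4E043B0, 8, True),
    "arena.u1.type_info": (1953066601, 4, False),
    "arena.u2.next": (1701015151, 4, False),
    "desc": (0x66756200610000, 8, True),
    "msg": (0x7FFFF4E92370, 8, True),
}

if __name__ == "__main__":
    for name, finding in triage(INTERN_FIELDS).items():
        print(f"{name}: {finding}")
```

The heuristic only flags values that cannot be valid state; a field that passes is not thereby known to be initialized.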
