PHP Sadness

(<5.3) Can point a variable into raw memory with array_walk and debug_backtrace

Corrupt a string, point it to raw memory!

This was submitted as a PHP bug to security@php.net on 2009-09-17, but I never got a reply.

Here is an example script which prints the contents of who-knows-where in memory (and certainly not the intended value of $userdata, which should be 1024 NUL bytes). The first array_walk iteration calls debug_backtrace() inside the callback; by the time the second iteration runs, $userdata no longer refers to the string that was passed in:

$ cat test.php
<?php
// Two elements: the first iteration triggers the bug, the second exposes it.
$array = array ('backtrace', 'print');
// $userdata is 1024 NUL bytes; that is what every callback invocation should see.
array_walk($array, 'walk_callback', str_repeat("\0",1024));

function walk_callback($value, $key, $userdata)
{
  if ($value == 'print')
  {
    // Second iteration: on an affected interpreter (PHP < 5.3) $userdata no
    // longer refers to the 1024 NULs but to whatever sits at some other address.
    print($userdata);
    exit("\n\n");
  }
  elseif ($value == 'backtrace')
  {
    // First iteration: taking a backtrace inside the walk is what breaks $userdata.
    debug_backtrace();
    // Still intact here; the damage only shows after this call returns.
    if ($userdata !== str_repeat("\0",1024))
    {
      die("won't get here, \$userdata is still clean until we return");
    }
  }
}
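A practitioner who wants to know whether a given interpreter is affected usually wants a pass/fail answer rather than a dump of arbitrary memory. The probe below is an added example, not code from the PHP Sadness page: it runs the same array_walk/debug_backtrace sequence but, instead of printing $userdata on the second iteration, records whether it still equals the 1024 NUL bytes that were passed in. The function and global names (walk_probe, interpreter_is_affected, probe_clean_before, probe_clean_after) are my own; globals are used rather than closures so the script also parses on the pre-5.3 interpreters the page says are affected. Note the caveat: on an affected interpreter the comparison still reads from whatever $userdata now points at, so run this in a throwaway process that you expect may crash.

```php
<?php
// Added example (not from the page): self-test for the array_walk +
// debug_backtrace $userdata corruption described above.

function walk_probe($value, $key, $userdata)
{
    // The value every iteration should see: 1024 NUL bytes.
    $expected = str_repeat("\0", 1024);

    if ($value === 'backtrace') {
        // First iteration: trigger the condition while the walk is in progress.
        debug_backtrace();
        // $userdata is still intact at this point (see the original script).
        $GLOBALS['probe_clean_before'] = ($userdata === $expected);
    } elseif ($value === 'check') {
        // Second iteration: on an affected interpreter $userdata no longer holds
        // the NULs. is_string() guards against it not even being a string any more.
        $GLOBALS['probe_clean_after'] = (is_string($userdata) && $userdata === $expected);
    }
}

// Returns true when the corruption reproduces: the first callback saw clean
// userdata and the second did not. Any other outcome counts as "not reproduced".
function interpreter_is_affected()
{
    $GLOBALS['probe_clean_before'] = null;
    $GLOBALS['probe_clean_after']  = null;

    $array = array('backtrace', 'check');
    array_walk($array, 'walk_probe', str_repeat("\0", 1024));

    return $GLOBALS['probe_clean_before'] === true
        && $GLOBALS['probe_clean_after'] !== true;
}

printf("PHP %s: array_walk/debug_backtrace userdata corruption %s\n",
       PHP_VERSION,
       interpreter_is_affected() ? 'REPRODUCED' : 'not reproduced');
```

On an unaffected interpreter both iterations see the same 1024-byte string and the script reports "not reproduced". The probe deliberately never echoes $userdata, so even when it does reproduce, nothing from the stray memory location ends up in logs or output.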

Significance: Implications for Internals

The mere presence of this issue tends to imply some fatal flaw or unnecessary complexity at the most basic levels of the language. For example, an overly complex parser might be trying to compensate for missing functionality in the interpreter by incorrectly (and misleadingly) validating code at the syntax level, or messages without details could indicate that the internal design prohibits access to values where they should be reachable in a sane implementation.