PHP :: Bug #28086 :: overload() segfaults

Bug #28086

overload() segfaults

Submitted:

2004-04-21 09:34 UTC

Modified:

2005-01-21 01:32 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (100.0%)

From:

tony2001 at phpclub dot net

Assigned:

andi (profile)

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

4CVS-2005-01-18

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2004-04-21 09:34 UTC] tony2001 at phpclub dot net

Description:
------------
Segfault in overload extension.
Backtrace:
----
0x4037bb1d in fetch_overloaded_element (result=0x8146c4c, op1=0x8146c5c, op2=0x8146c6c, Ts=0xbfffbe9c, type=1,
    retval=0xbfffbf60, overloaded_element_type=1) at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:735
735             overloaded_element.element = *get_zval_ptr(op2, Ts, &EG(free_op2), type);
(gdb) bt
#0  0x4037bb1d in fetch_overloaded_element (result=0x8146c4c, op1=0x8146c5c, op2=0x8146c6c, Ts=0xbfffbe9c, type=1,
    retval=0xbfffbf60, overloaded_element_type=1) at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:735
#1  0x4037bc98 in zend_fetch_dimension_address (result=0x8146c4c, op1=0x8146c5c, op2=0x8146c6c, Ts=0xbfffbe9c, type=1)
    at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:758
#2  0x4037e052 in execute (op_array=0x813ab5c) at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:1301
#3  0x4036c520 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend.c:886
#4  0x4033162e in php_execute_script (primary_file=0xbffff310) at /home/tony/CVS/php_src_PHP_4_3_debug/main/main.c:1731
#5  0x4038527a in apache_php_module_main (r=0x81309f4, display_source_mode=0)
    at /home/tony/CVS/php_src_PHP_4_3_debug/sapi/apache/sapi_apache.c:54
#6  0x40386309 in send_php (r=0x81309f4, display_source_mode=0, filename=0x8130f5c "/www/index.php")
    at /home/tony/CVS/php_src_PHP_4_3_debug/sapi/apache/mod_php4.c:620
#7  0x4038639a in send_parsed_php (r=0x81309f4) at /home/tony/CVS/php_src_PHP_4_3_debug/sapi/apache/mod_php4.c:635
#8  0x08074542 in ap_invoke_handler ()
#9  0x0808a56a in process_request_internal ()
#10 0x0808a9d4 in ap_internal_redirect ()
#11 0x0806024a in handle_dir ()
#12 0x08074542 in ap_invoke_handler ()
#13 0x0808a56a in process_request_internal ()
#14 0x0808a5c7 in ap_process_request ()
#15 0x08080f80 in child_main ()
#16 0x08081132 in make_child ()
#17 0x080812b1 in startup_children ()
#18 0x0808199b in standalone_main ()
#19 0x08082235 in main ()
#20 0x4010eaf7 in __libc_start_main () from /lib/i686/libc.so.6



Reproduce code:
---------------
<?

class Foo { 

    var $arr; 
    var $bar; 

    function __set($prop_name, $prop_value) 
    { 
        $this->bar[$prop_name] = $prop_value; 
    } 
} 

overload('Foo'); 

$foo = new Foo; 

$foo->blabla[] = '123'; 

?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-01-08 23:06 UTC] tony2001@php.net

Patch:

Index: zend_execute.c
===================================================================
RCS file: /repository/Zend/Attic/zend_execute.c,v
retrieving revision 1.316.2.43
diff -u -r1.316.2.43 zend_execute.c
--- zend_execute.c      21 Dec 2004 10:37:49 -0000      1.316.2.43
+++ zend_execute.c      8 Jan 2005 19:49:13 -0000
@@ -715,6 +715,7 @@
 static void fetch_overloaded_element(znode *result, znode *op1, znode *op2, temp_variable *Ts, int type, zval ***retval, int overloaded_element_type TSRMLS_DC)
 {
        zend_overloaded_element overloaded_element;
+       zval *tmp;

        if (Ts[op1->u.var].EA.type == IS_STRING_OFFSET) {
                get_zval_ptr(op2, Ts, &EG(free_op2), BP_VAR_R);
@@ -733,7 +734,11 @@
                return;
        }

-       overloaded_element.element = *get_zval_ptr(op2, Ts, &EG(free_op2), type);
+       tmp = get_zval_ptr(op2, Ts, &EG(free_op2), type);
+       if (!tmp) {
+               MAKE_STD_ZVAL(tmp);
+       }
+       overloaded_element.element = *tmp;
        overloaded_element.type = overloaded_element_type;
        if (!EG(free_op2)) {
                zval_copy_ctor(&overloaded_element.element);

[2005-01-21 01:32 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Feb 21 02:01:30 2025 UTC