Bug #39304 Segmentation fault with list unpacking of string offset
Submitted: 2006-10-30 08:03 UTC Modified: 2006-10-30 11:05 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: dave at ramenlabs dot com Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2006-10-30 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2006-10-30 08:03 UTC] dave at ramenlabs dot com
Description:
------------
In a function expecting an array parameter, I accidentally passed in a string instead. For some reason related to the particular way I used list unpacking of an array offset, it caused PHP to crash with a segmentation fault.

I have observed this problem in PHP 4.4.2 as well as PHP 5, freshly downloaded and compiled from CVS.

Reproduce code:
---------------
<?php $s = ""; list($a, $b) = $s[0]; ?>

Expected result:
----------------
Fatal error: Cannot use string offset as an array

Actual result:
--------------
Segmentation fault

ramen@pedro:~/tmp/php5/sapi/cli$ echo '<?php $s = ""; list($a, $b) = $s[0]; ?>' | php
Segmentation fault (core dumped)
ramen@pedro:~/tmp/php5/sapi/cli$ gdb ./php core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
#0  0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER (execute_data=0xbfcf925c)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
11516           shift_right_function(&EX_T(opline->result.u.var).tmp_var,
(gdb) bt
#0  0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER (execute_data=0xbfcf925c)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
#1  0x082a1a98 in zif_each (ht=140604596, return_value=0x851b960,
    return_value_ptr=0x20, this_ptr=0xbfcf9370, return_value_used=4)
    at /home/ramen/tmp/php5/Zend/zend_builtin_functions.c:417
#2  0x082821ee in zend_u_str_tolower_dup (type=0 '\0', source=
      {s = 0xbfcfb674 "\002", u = 0xbfcfb674, v = 0xbfcfb674},
    length=139127824) at /home/ramen/tmp/php5/Zend/zend_operators.c:2384
#3  0x08240352 in php_module_startup (sf=0xbfcfb674,
    additional_modules=0x83112d0, num_additional_modules=139120832)
    at /home/ramen/tmp/php5/main/main.c:1554
#4  0x08311219 in ZEND_SL_SPEC_CONST_VAR_HANDLER (execute_data=0x0)
    at /home/ramen/tmp/php5/Zend/zend_execute.c:78
#5  0xb79ceea8 in ?? ()
#6  0x00000000 in ?? ()
(gdb)
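The report above describes a function that expected an array but was handed a string, which then reached `list()` destructuring of a string offset. Added example, not code from the bug report or from PHP: a caller-facing function that rejects the wrong type at its boundary (via an `array` type declaration plus an explicit element check), so an accidental string is turned into a catchable error before any destructuring happens. All function and variable names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Destructure the first element of $rows into a pair.
 * The `array` type declaration makes PHP raise a TypeError when a string
 * is passed, instead of proceeding into list() on a string offset as the
 * reporter's code did. The explicit check below also guards the element.
 */
function firstPair(array $rows): array
{
    if (!isset($rows[0]) || !is_array($rows[0]) || count($rows[0]) < 2) {
        throw new InvalidArgumentException(
            'rows[0] must be an array with at least two elements'
        );
    }
    // Safe here: $rows[0] is known to be an array of at least two items.
    list($a, $b) = $rows[0];
    return [$a, $b];
}

/** Run firstPair() on one input and describe the outcome as a string. */
function probe($input): string
{
    try {
        list($a, $b) = firstPair($input);
        return "ok: $a, $b";
    } catch (TypeError $e) {
        // Wrong argument type, caught at the function boundary.
        return 'rejected (TypeError): argument is not an array';
    } catch (InvalidArgumentException $e) {
        // Right container type, but the element is not a usable pair.
        return 'rejected (InvalidArgumentException): ' . $e->getMessage();
    }
}

// Constructed inputs (not from the report): a well-formed argument,
// the empty string passed where an array was expected, and an array
// whose first element is a string.
foreach ([[['x', 'y']], "", [""]] as $input) {
    echo probe($input), PHP_EOL;
}
```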

 [2006-10-30 08:09 UTC] dave at ramenlabs dot com
I accidentally generated that backtrace using my system-installed version of PHP. Here's a correct backtrace:

ramen@pedro:~/tmp/php5/sapi/cli$ echo '<?php $s = ""; list($a, $b) = $s[0]; ?>' | ./php
Segmentation fault (core dumped)
ramen@pedro:~/tmp/php5/sapi/cli$ gdb ./php ./core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".


warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/tls/libcrypt.so.1...done.
Loaded symbols for /lib/tls/libcrypt.so.1
Reading symbols from /lib/tls/librt.so.1...done.
Loaded symbols for /lib/tls/librt.so.1
Reading symbols from /lib/tls/libresolv.so.2...done.
Loaded symbols for /lib/tls/libresolv.so.2
Reading symbols from /lib/tls/libm.so.6...done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /lib/tls/libdl.so.2...done.
Loaded symbols for /lib/tls/libdl.so.2
Reading symbols from /lib/tls/libnsl.so.1...done.
Loaded symbols for /lib/tls/libnsl.so.1
Reading symbols from /usr/lib/libicui18n.so.34...done.
Loaded symbols for /usr/lib/libicui18n.so.34
Reading symbols from /usr/lib/libicuuc.so.34...done.
Loaded symbols for /usr/lib/libicuuc.so.34
Reading symbols from /usr/lib/libicudata.so.34...
warning: Lowest section in /usr/lib/libicudata.so.34 is .hash at 00000094
done.
Loaded symbols for /usr/lib/libicudata.so.34
Reading symbols from /usr/lib/libicuio.so.34...done.
Loaded symbols for /usr/lib/libicuio.so.34
Reading symbols from /usr/lib/libxml2.so.2...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/tls/libpthread.so.0...done.
Loaded symbols for /lib/tls/libpthread.so.0
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Core was generated by `./php'.
Program terminated with signal 11, Segmentation fault.
#0  0x082c6839 in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
    execute_data=0xbfb6e090)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:9034
9034                    PZVAL_LOCK(*EX_T(opline->op1.u.var).var.ptr_ptr);
(gdb) bt
#0  0x082c6839 in ZEND_FETCH_DIM_R_SPEC_VAR_CONST_HANDLER (
    execute_data=0xbfb6e090)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:9034
#1  0x082b0308 in execute (op_array=0xb70904fc)
    at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:92
#2  0x0828b5dc in zend_execute_scripts (type=8, retval=<value optimized out>,
    file_count=3) at /home/ramen/tmp/php5/Zend/zend.c:1616
#3  0x0823f4c0 in php_execute_script (primary_file=0xbfb704d0)
    at /home/ramen/tmp/php5/main/main.c:1922
#4  0x08312a95 in main (argc=1, argv=0xbfb705d4)
    at /home/ramen/tmp/php5/sapi/cli/php_cli.c:1119
(gdb)
 [2006-10-30 11:05 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_0
 