PHP :: Bug #43201 :: Crash on using unitialized vals and __get/_

Bug #43201	Crash on using unitialized vals and __get/__set
Submitted:	2007-11-05 18:15 UTC	Modified:	2007-11-09 09:28 UTC
From:	stas at zend dot com	Assigned:	dmitry (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	5.2CVS-2007-11-05 (CVS)	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-11-05 18:15 UTC] stas at zend dot com

Description:
------------
Code modifying the result of __get (erroneously) and using undefined variables crashes, apparently because of unitialized_zval being freed. 

Reproduce code:
---------------
<?php
class Foo {
	function __get($k) {
		return null;
	}
	function __set($k, $v) {
		$this->$k = $v;
	}
}

$c = new Foo();

$c->arr[0]["k"] = 1;
$c->arr[0]["k2"] = $ref;
for($cnt=0;$cnt<6;$cnt++) {
	$ref = chop($undef);	
	$c->arr[$cnt]["k2"] = $ref;
}
?>

Expected result:
----------------
No crash :)

Actual result:
--------------
On windows - crash
On Unix debug - 
php5/Zend/zend_hash.c(517) : ht=0xa533520 is being destroyed

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-11-05 18:20 UTC] stas@php.net

Shorter version:

<?php
class Foo {
	function __get($k) {
		return null;
	}
}

$c = new Foo();

$c->arr[0]["k"] = 1;
$c->arr[0]["k2"] = $undef;
for($cnt=0;$cnt<6;++$cnt) {
	$c->arr[$cnt]["k2"] = chop($undef);
}
?>

[2007-11-09 09:28 UTC] dmitry@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 16:01:29 2025 UTC