PHP :: Bug #44046 :: array_slice(&$offset, $offset) crash

Bug #44046	array_slice(&$offset, $offset) crash
Submitted:	2008-02-04 22:31 UTC	Modified:	2008-02-05 16:02 UTC
From:	victor dot stinner at haypocalc dot com	Assigned:
Status:	Closed	Package:	Arrays related
PHP Version:	5.2.5	OS:	Linux (Ubuntu Gutsy) on i386
Private report:	No	CVE-ID:	None

View Developer Edit

[2008-02-04 22:31 UTC] victor dot stinner at haypocalc dot com

Description:
------------
Code to crash PHP5 :
* ? $input = Array("array"); array_slice(&$input, &$input); ?
* ? $input = Array("array"); array_slice(&$input, 0, &$input); ?
* ? $input = Array("array"); array_slice(&$input, 0, 0, &$input); ?

array_slice() first checks first argument ($input) and then converts other arguments ($offset to long, $length to long, $preverse_keys to boolean). If arguments are shared as reference, $input type can change (to long or boolean).

Crash occurs in instruction ? num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)) ? : it reads ((HashTable*)input)->inconsistent. If input is 0 or 1, input read does crash with segmentation fault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-02-04 22:53 UTC] victor dot stinner at haypocalc dot com

gdb session:

* $input type in array_slice() entry:
(gdb) print (**input).type
$1 = 4 '\004'    # IS_ARRAY

* $input type after execution of convert_to_long_ex() or convert_to_boolean_ex() :
(gdb) print (**input).type
$4 = 1 '\001'    # IS_LONG

* Execution of ? num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)) ? :

Program received signal SIGSEGV, Segmentation fault.
(gdb) where
#0  0x083281ad in _zend_is_inconsistent (ht=0x1, file=0x8451248 "/home/haypo/php-5.2.5/Zend/zend_hash.c", 
    line=1015) at /home/haypo/php-5.2.5/Zend/zend_hash.c:53
#1  0x0832ae37 in zend_hash_num_elements (ht=0x1) at /home/haypo/php-5.2.5/Zend/zend_hash.c:1015
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253
(...)
(gdb) frame 2
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253
2253            num_in = zend_hash_num_elements(Z_ARRVAL_PP(input));
(gdb) print (**input).type
$2 = 1 '\001'

[2008-02-05 00:45 UTC] felipe@php.net

My suggestion:
http://ecl.mediain.com.br/diff/bug44046.diff

In .phpt for array_slice, the expected result treats 0 as NULL. Then, i guess that using long rather than zval could be used...

[2008-02-05 16:02 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 04:00:01 2025 UTC