php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44184 Double free of loop-variable on exception
Submitted: 2008-02-20 11:51 UTC Modified: 2008-02-20 12:07 UTC
From: dmitry at dot php dot net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.5 OS: *
Private report: No CVE-ID: None
 [2008-02-20 11:51 UTC] dmitry at dot php dot net
Description:
------------
See the following code

Reproduce code:
---------------
<?php
function foo() {
        $x = array(1,2,3);
        foreach ($x as $a) {
                while (1) {
                        throw new Exception();
                }
            return;
        }
}
try {
        foo();
} catch (Exception $ex) {
        echo "ok\n";
}


Expected result:
----------------
ok

Actual result:
--------------
==31644== Invalid read of size 4
==31644==    at 0x83A0310: _zval_ptr_dtor (zend_execute_API.c:412)
==31644==    by 0x83D7383: zend_switch_free (zend_execute.c:372)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)
==31644==    by 0x842CB94: main (php_cli.c:1140)
==31644==  Address 0x4557F30 is 8 bytes inside a block of size 16 free'd
==31644==    at 0x400513F: free (vg_replace_malloc.c:233)
==31644==    by 0x8392725: _efree (zend_alloc.c:2290)
==31644==    by 0x83A03D7: safe_free_zval_ptr_rel (zend_execute.h:70)
==31644==    by 0x83A036C: _zval_ptr_dtor (zend_execute_API.c:415)
==31644==    by 0x83D734D: zend_switch_free (zend_execute.c:370)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-20 12:07 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC