php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52237 Crash when passing the reference of the property of a non-object
Submitted: 2010-07-02 19:30 UTC Modified: 2010-07-05 11:15 UTC
From: sfera7512 at yahoo dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.2, 5.3, trunk OS: All
Private report: No CVE-ID: None
 [2010-07-02 19:30 UTC] sfera7512 at yahoo dot com
Description:
------------
>	php5ts_debug.dll!zval_addref_p(_zval_struct * pz=0x034e1b73)  Line 381 + 0x3 bytes	C
 	php5ts_debug.dll!zend_fetch_property_address(_temp_variable * result=0x028e3778, _zval_struct * * container_ptr=0x3d767c8c, _zval_struct * prop_ptr=0x3d529e48, int type=1, void * * * tsrm_ls=0x024c1b18)  Line 1150 + 0x18 bytes	C
 	php5ts_debug.dll!ZEND_FETCH_OBJ_W_SPEC_VAR_CONST_HANDLER(_zend_execute_data * execute_data=0x028e3070, void * * * tsrm_ls=0x024c1b18)  Line 10092 + 0x20 bytes	C
 	php5ts_debug.dll!execute(_zend_op_array * op_array=0x03161028, void * * * tsrm_ls=0x024c1b18)  Line 107 + 0x11 bytes	C
 	php5ts_debug.dll!zend_execute_scripts(int type=8, void * * * tsrm_ls=0x024c1b18, _zval_struct * * retval=0x00000000, int file_count=3, ...)  Line 1194 + 0x21 bytes	C
 	php5ts_debug.dll!php_execute_script(_zend_file_handle * primary_file=0x00c1fed8, void * * * tsrm_ls=0x024c1b18)  Line 2260 + 0x1b bytes	C
 	php.exe!main(int argc=2, char * * argv=0x024c3f38)  Line 1192 + 0x13 bytes	C
 	php.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	php.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!763c3677() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	
 	ntdll.dll!76f39d72() 	
 	ntdll.dll!76f39d45()

Test script:
---------------
while (1)
{
        $data = 'test';
        parse_str($data,$data->info);
}

Expected result:
----------------
should throw Warning: Attempt to modify property of non-object

Actual result:
--------------
crash

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-03 00:07 UTC] felipe@php.net
-Summary: GC crash on updating property of nonobject +Summary: Crash when using an inexistent property of a variable converted to object as ref -Status: Open +Status: Assigned -Operating System: Win 7 x64 +Operating System: All -PHP Version: 5.3SVN-2010-07-02 (SVN) +PHP Version: 5.2, 5.3, trunk -Assigned To: +Assigned To: dmitry
 [2010-07-03 00:07 UTC] felipe@php.net
This is a common problem with variable converted internally to object and passing an inexistent property to function that expects reference.
e.g.

<?php

$data = 'test';
preg_match('//', '', $data->info);


Warning: Attempt to modify property of non-object in /home/felipe/dev/bug.php on line 4
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/ext/pcre/php_pcre.c(543) :  Freeing 0x0891D378 (44 bytes), script=../bug.php
/home/felipe/dev/php5/Zend/zend_API.c(957) : Actual location (location was relayed)
Last leak repeated 1 time
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/Zend/zend_API.c(1349) :  Freeing 0x0891D51C (20 bytes), script=../bug.php
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/Zend/zend_API.c(1350) :  Freeing 0x0891D560 (1 bytes), script=../bug.php
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/Zend/zend_API.c(1352) :  Freeing 0x0891D594 (35 bytes), script=../bug.php
/home/felipe/dev/php5/Zend/zend_hash.c(388) : Actual location (location was relayed)
=== Total 5 memory leaks detected ===
 [2010-07-03 01:34 UTC] felipe@php.net
-Summary: Crash when using an inexistent property of a variable converted to object as ref +Summary: Crash when passing the reference of the property of a non-object
 [2010-07-03 14:15 UTC] felipe@php.net
The issue is that $data->info actually pointers to EG(error_zval_ptr) because $data is not empty, thus no object is created.
 [2010-07-05 11:08 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=300990
Log: Fixed bug #52237 (Crash when passing the reference of the property of a non-object)
 [2010-07-05 11:15 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2010-07-05 11:15 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 08:01:29 2024 UTC