Bug #70662 Duplicate array key via undefined index error handler
Submitted: 2015-10-07 20:40 UTC Modified: -
From: nikic@php.net Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 7.0.0RC4 OS:
Private report: No CVE-ID: None
 [2015-10-07 20:40 UTC] nikic@php.net
Description:
------------
In http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_execute.c#1548 and multiple related places we use find+add_new. However, in RW mode a notice is emitted between both operations, which can be used to modify the array and violate add_new preconditions.

Test script:
---------------
<?php

$a = [];
set_error_handler(function() use(&$a) {
    $a['b'] = 2;
});
$a['b'] += 1;
var_dump($a);


Expected result:
----------------
// One of
array(1) {
  ["b"]=>
  int(1)
}
// or
array(1) {
  ["b"]=>
  int(2)
}



Actual result:
--------------
array(2) {
  ["b"]=>
  int(2)
  ["b"]=>
  int(1)
}
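
The find+add_new pattern from the description, as a small C model added here for illustration; it is not code from php-src or from the report. The table type and all function names are constructed, and the `safe` branch (re-checking for the key after the callback) is one way to restore the add_new precondition, not necessarily what the linked commit does.

```c
#include <stdio.h>
#include <string.h>

#define CAP 8
typedef struct { const char *key; long val; } slot;
typedef struct { slot s[CAP]; int n; } table;

static slot *find(table *t, const char *k) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->s[i].key, k) == 0) return &t->s[i];
    return NULL;
}

/* Like add_new: the caller promises the key is absent, so no duplicate check. */
static slot *add_new(table *t, const char *k, long v) {
    if (t->n == CAP) return NULL;
    t->s[t->n] = (slot){k, v};
    return &t->s[t->n++];
}

/* Duplicate-safe insert: look the key up again and overwrite if present. */
static slot *update(table *t, const char *k, long v) {
    slot *p = find(t, k);
    if (p) { p->val = v; return p; }
    return add_new(t, k, v);
}

/* Constructed stand-in for the error handler in the test script: $a['b'] = 2 */
static void handler_sets_b(table *t) { update(t, "b", 2); }

/* Models $t[k] += delta in RW mode: find, notice on a miss, then insert. */
static void rw_add(table *t, const char *k, long delta, int safe) {
    slot *p = find(t, k);
    if (!p) {
        handler_sets_b(t);   /* user code runs here and may modify t */
        p = safe ? update(t, k, 0) : add_new(t, k, 0);
    }
    if (p) p->val += delta;
}

/* Number of "b" entries after $a['b'] += 1 with the mutating handler. */
int count_after_rw(int safe) {
    table t = {0};
    int c = 0;
    rw_add(&t, "b", 1, safe);
    for (int i = 0; i < t.n; i++) c += strcmp(t.s[i].key, "b") == 0;
    return c;
}

int main(void) { printf("%d %d\n", count_after_rw(0), count_after_rw(1)); return 0; }
```

With `safe` set to 0 the model ends up with two `"b"` slots holding 2 and 1, the same shape as the actual result above; with `safe` set to 1 it holds a single `"b"` with value 1.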


 [2015-10-08 09:05 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc3c425af8c6a56a1b295ab335d0758f48dad284
Log: Fix bug #70662
 [2015-10-08 09:05 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2015-10-13 10:12 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc3c425af8c6a56a1b295ab335d0758f48dad284
Log: Fix bug #70662
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc3c425af8c6a56a1b295ab335d0758f48dad284
Log: Fix bug #70662
 
Last updated: Mon Dec 30 17:01:29 2024 UTC