Bug #14582 Array key -1 can crash PHP
Submitted: 2001-12-18 11:11 UTC Modified: 2002-09-09 09:42 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: zork at clan dot pl Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4.3.0-dev OS: Linux
Private report: No CVE-ID: None
 [2001-12-18 11:11 UTC] zork at clan dot pl
I've encountered a stack problem. Here is the simplest code that reproduces this:

<?php
class CForm {
    var $inputs;

    function CForm() {
        $this -> inputs = array();
    }

    // Returns a reference to $inputs[$name]; the element need not exist yet.
    function &get_input($name) {
        return($this -> inputs[$name]);
    }
};

class CInput_select {
    var $values;
    var $name;

    function CInput_select($t) {
        $this -> name = $t;
        $this -> options = array();
    }

    function add_value($value) {
        $this -> values[] = $value;
    }
};

$form = new CForm();
// comment out the next two lines and new returns NULL
$sel = new CInput_select("b");
$sel -> add_value("a");

// reference to an array element that does not exist yet
$a =& $form -> get_input("a");
var_dump($a);
$sel = new CInput_select("test");
var_dump($sel);
$sel -> add_value("a");
?>

After the call to CForm::get_input(), $a is not a registered variable. Later, new returns a corrupted structure.

If you comment out the first two lines of the program, new returns NULL.

In my original source code, even when I created an object using a different name after assigning a NULL reference to a variable, new still corrupts some of my variables. I think it's because $a doesn't have storage on the stack but the interpreter thinks that it has.

I think that returning a NULL reference should initialize the variable to false. This code is not good programming practice and could be easily omitted, but that doesn't change the fact that this is a bug.

regards
Lukasz Michalski
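The pattern in the report (a method declared `function &get_input()` that returns `$this->inputs[$name]` for a name that was never stored) still has a side effect in current PHP that is easy to miss: the lookup itself creates the key. The code below is an added example, not part of the report and not PHP's own code; it assumes PHP 8 and uses the hypothetical class names RefForm and SafeForm. It shows the silent creation through the reference-returning accessor, a write that lands in the form's state through that reference, and a non-reference accessor that rejects unknown names instead of creating them.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report. Assumes PHP 8.x.
// RefForm mirrors the shape of the report's CForm::get_input();
// SafeForm is a hypothetical hardened alternative.

final class RefForm
{
    /** @var array<string, mixed> */
    private array $inputs = [];

    // Same shape as the report's get_input(). For an unknown $name the
    // subscript is evaluated in write context, so $inputs[$name] is
    // created as NULL without any notice: the "read" mutates the form.
    public function &getInput(string $name)
    {
        return $this->inputs[$name];
    }

    /** @return list<string> */
    public function names(): array
    {
        return array_keys($this->inputs);
    }
}

final class SafeForm
{
    /** @var array<string, mixed> */
    private array $inputs = [];

    public function addInput(string $name, mixed $input): void
    {
        $this->inputs[$name] = $input;
    }

    // Non-reference lookup: a missing key is reported to the caller and
    // the backing array is left untouched.
    public function getInput(string $name): mixed
    {
        if (!array_key_exists($name, $this->inputs)) {
            throw new OutOfBoundsException("no input named '$name'");
        }
        return $this->inputs[$name];
    }

    /** @return list<string> */
    public function names(): array
    {
        return array_keys($this->inputs);
    }
}

// Reference-returning accessor: the lookup alone adds the key 'a', and
// any later write through $a lands inside the form's state.
$ref = new RefForm();
$a = &$ref->getInput('a');
var_dump($a);
var_dump($ref->names());
$a = 'set through the reference';
var_dump($ref->getInput('a'));

// Hardened accessor: the same lookup fails loudly and creates nothing.
$safe = new SafeForm();
try {
    $safe->getInput('a');
} catch (OutOfBoundsException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump($safe->names());
```

Run it with `php example.php`. The point for a reviewer is that a getter declared to return by reference is a writer in disguise: if the backing array later drives decisions (which inputs are rendered, validated or trusted), every name a caller merely probes becomes part of that state. Returning by value, or checking with array_key_exists() before touching the element, keeps lookups free of side effects.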

History

 [2001-12-18 11:21 UTC] mfischer@php.net
Seems we've a leak here:

$ php -f 14582.php 
NULL
object(cinput_select)(3) {
  ["values"]=>
  array(0) {
  }
  ["name"]=>
  &array(0) {
  }
  ["options"]=>
  &array(0) {
  }
}

./zend_execute.c(425) :  Freeing 0x082FC964 (2 bytes), script=14582.php
zend_variables.c(107) : Actual location (location was relayed)

I remember seeing another BR leaking at the same place when trying to access arrays with constants, but I can't find it right now.
 [2002-09-09 09:42 UTC] stas@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

The leak is still there, though, but the bug itself (new returning NULL) is gone.
 