Bug #45255 Memory allocation errors on typecast of array to object
Submitted: 2008-06-12 23:19 UTC Modified: 2008-07-14 01:00 UTC
From: porwig at uci dot edu Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.5 OS: RHEL 4
Private report: No CVE-ID: None
 [2008-06-12 23:19 UTC] porwig at uci dot edu
Description:
------------
Reproducible crashes occur in zend_assign_to_variable on typecast from array to object.  Refer to bug #44323 for a code example of the issue.

Reproduce code:
---------------
See bug #44323 -- this occurs in a large Moodle installation, which is hard to isolate.

Expected result:
----------------
PHP should not crash.

Actual result:
--------------
Backtrace of code:

GNU gdb Red Hat Linux (6.3.0.0-1.153.el4_6.2rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/tls/libthread_db.so.1".

Core was generated by `/local/www/bin/httpd'.
Program terminated with signal 6, Aborted.
Reading symbols from /lib64/tls/libm.so.6...done.
Loaded symbols for /lib64/tls/libm.so.6
Reading symbols from /var/local/www/lib/libaprutil-1.so.0...done.
Loaded symbols for /var/local/www/lib/libaprutil-1.so.0
Reading symbols from /usr/lib64/libexpat.so.0...done.
Loaded symbols for /usr/lib64/libexpat.so.0
Reading symbols from /var/local/www/lib/libapr-1.so.0...done.
Loaded symbols for /var/local/www/lib/libapr-1.so.0
Reading symbols from /lib64/libuuid.so.1...done.
Loaded symbols for /lib64/libuuid.so.1
Reading symbols from /lib64/tls/librt.so.1...done.
Loaded symbols for /lib64/tls/librt.so.1
Reading symbols from /lib64/libcrypt.so.1...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/tls/libpthread.so.0...done.
Loaded symbols for /lib64/tls/libpthread.so.0
Reading symbols from /lib64/libdl.so.2...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/tls/libc.so.6...done.
Loaded symbols for /lib64/tls/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib64/libnsl.so.1...done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libnss_files.so.2...done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_nis.so.2...done.
Loaded symbols for /lib64/libnss_nis.so.2
Reading symbols from /var/local/www/modules/libphp5.so...done.
Loaded symbols for /var/local/www/modules/libphp5.so
Reading symbols from /usr/lib64/libmysqlclient.so.15...done.
Loaded symbols for /opt/lib/libmysqlclient.so.15
Reading symbols from /usr/lib64/libldap-2.2.so.7...done.
Loaded symbols for /opt/lib/libldap-2.2.so.7
Reading symbols from /usr/lib64/liblber-2.2.so.7...done.
Loaded symbols for /opt/lib/liblber-2.2.so.7
Reading symbols from /usr/lib64/libttf.so.2...done.
Loaded symbols for /opt/lib/libttf.so.2
Reading symbols from /usr/lib64/libpng12.so.0...done.
Loaded symbols for /opt/lib/libpng12.so.0
Reading symbols from /usr/lib64/libz.so.1...done.
Loaded symbols for /opt/lib/libz.so.1
Reading symbols from /usr/lib64/libjpeg.so.62...done.
Loaded symbols for /opt/lib/libjpeg.so.62
Reading symbols from /usr/lib64/libbz2.so.1...done.
Loaded symbols for /opt/lib/libbz2.so.1
Reading symbols from /lib64/libresolv.so.2...done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libssl.so.4...done.
Loaded symbols for /lib64/libssl.so.4
Reading symbols from /lib64/libcrypto.so.4...done.
Loaded symbols for /lib64/libcrypto.so.4
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...done.
Loaded symbols for /opt/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...done.
Loaded symbols for /opt/lib/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...done.
Loaded symbols for /opt/lib/libk5crypto.so.3
Reading symbols from /usr/lib64/libxml2.so.2...done.
Loaded symbols for /opt/lib/libxml2.so.2
Reading symbols from /usr/lib64/libsasl2.so.2...done.
Loaded symbols for /opt/lib/libsasl2.so.2
Reading symbols from /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/memcache.so...done.
Loaded symbols for /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/memcache.so
Reading symbols from /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/fileinfo.so...done.
Loaded symbols for /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/fileinfo.so
Reading symbols from /usr/lib64/libmagic.so.1...done.
Loaded symbols for /usr/lib64/libmagic.so.1
Reading symbols from /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/apc.so...done.
Loaded symbols for /var/local/www/lib/php/extensions/no-debug-non-zts-20060613/apc.so
Reading symbols from /lib64/libnss_dns.so.2...done.
Loaded symbols for /lib64/libnss_dns.so.2
#0  0x00000034e322e25d in raise () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00000034e322e25d in raise () from /lib64/tls/libc.so.6
#1  0x00000034e322fa5e in abort () from /lib64/tls/libc.so.6
#2  0x00000034e32635e1 in __libc_message () from /lib64/tls/libc.so.6
#3  0x00000034e32691ee in _int_free () from /lib64/tls/libc.so.6
#4  0x00000034e3269586 in free () from /lib64/tls/libc.so.6
#5  0x0000002a95c38e86 in zend_assign_to_variable (result=0x2a9beea568, op1=Variable "op1" is not available.
)
    at /local/src/php-5.2.5/Zend/zend_execute.c:767
#6  0x0000002a95c7666a in ZEND_ASSIGN_DIM_SPEC_VAR_CV_HANDLER (execute_data=0x7fbfff3e80)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:14215
#7  0x0000002a95c39f01 in execute (op_array=0x1aa80f0) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#8  0x0000002a95c3a203 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffac50)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:234
#9  0x0000002a95c39f01 in execute (op_array=0x1ad4700) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#10 0x0000002a95c3a203 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffc390)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:234
#11 0x0000002a95c39f01 in execute (op_array=0x1ac4d50) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#12 0x0000002a95c3a203 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbfffcf60)
    at /local/src/php-5.2.5/Zend/zend_vm_execute.h:234
#13 0x0000002a95c39f01 in execute (op_array=0x11b0530) at /local/src/php-5.2.5/Zend/zend_vm_execute.h:92
#14 0x0000002a95c1b194 in zend_execute_scripts (type=8, retval=Variable "retval" is not available.
) at /local/src/php-5.2.5/Zend/zend.c:1134
#15 0x0000002a95bd897d in php_execute_script (primary_file=0x7fbffff430) at /local/src/php-5.2.5/main/main.c:2004
#16 0x0000002a95ca9ff6 in php_handler (r=0x893098) at /local/src/php-5.2.5/sapi/apache2handler/sapi_apache2.c:631
#17 0x0000000000434923 in ap_run_handler (r=0x893098) at config.c:157
#18 0x0000000000434dc1 in ap_invoke_handler (r=0x893098) at config.c:372
#19 0x0000000000462380 in ap_process_request (r=0x893098) at http_request.c:258
#20 0x000000000045fb6d in ap_process_http_connection (c=0x882f68) at http_core.c:190
#21 0x000000000043b2e3 in ap_run_process_connection (c=0x882f68) at connection.c:43
#22 0x000000000047c0e0 in child_main (child_num_arg=Variable "child_num_arg" is not available.
) at prefork.c:640
#23 0x000000000047c434 in make_child (s=0x5c7938, slot=6) at prefork.c:736
#24 0x000000000047cfb9 in ap_mpm_run (_pconf=Variable "_pconf" is not available.
) at prefork.c:871
#25 0x00000000004225c5 in main (argc=Variable "argc" is not available.
) at main.c:730


Valgrind report (on snippet from other bug)
==3083== Memcheck, a memory error detector.
==3083== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==3083== Using LibVEX rev 1575, a library for dynamic binary translation.
==3083== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==3083== Using valgrind-3.1.1, a dynamic binary instrumentation framework.
==3083== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==3083== For more details, rerun with: -v
==3083== 
==3083== Conditional jump or move depends on uninitialised value(s)
==3083==    at 0x69BC61: _zval_ptr_dtor (zend_execute_API.c:413)
==3083==    by 0x6C9415: zend_assign_to_variable (zend_execute.c:767)
==3083==    by 0x71F0A7: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:21203)
==3083==    by 0x6CA490: execute (zend_vm_execute.h:92)
==3083==    by 0x6AB723: zend_execute_scripts (zend.c:1134)
==3083==    by 0x668F0C: php_execute_script (main.c:2004)
==3083==    by 0x73AF4E: main (php_cli.c:1140)
==3083== 
==3083== Conditional jump or move depends on uninitialised value(s)
==3083==    at 0x69BC82: _zval_ptr_dtor (zend_execute_API.c:416)
==3083==    by 0x6C9415: zend_assign_to_variable (zend_execute.c:767)
==3083==    by 0x71F0A7: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:21203)
==3083==    by 0x6CA490: execute (zend_vm_execute.h:92)
==3083==    by 0x6AB723: zend_execute_scripts (zend.c:1134)
==3083==    by 0x668F0C: php_execute_script (main.c:2004)
==3083==    by 0x73AF4E: main (php_cli.c:1140)

==3083== 
==3083== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 4 from 1)
==3083== malloc/free: in use at exit: 36,832 bytes in 1,174 blocks.
==3083== malloc/free: 14,183 allocs, 13,009 frees, 2,273,429 bytes allocated.
==3083== For counts of detected errors, rerun with: -v
==3083== searching for pointers to 1,174 not-freed blocks.
==3083== checked 2,430,768 bytes.
==3083== 
==3083== LEAK SUMMARY:
==3083==    definitely lost: 96 bytes in 2 blocks.
==3083==      possibly lost: 0 bytes in 0 blocks.
==3083==    still reachable: 36,736 bytes in 1,172 blocks.
==3083==         suppressed: 0 bytes in 0 blocks.
==3083== Use --leak-check=full to see details of leaked memory.


 [2008-06-13 16:43 UTC] porwig at uci dot edu
For reference, this bug happens with all extensions disabled as well.  We've also seen the bug in PHP 5.2.5.
 [2008-07-14 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".