[2004-12-17 20:41 UTC] postings-php-bug at hans-spath dot de
Description:
------------
PHP doesn't handle an attempt of clearing $GLOBALS correctly.
Reproduce code:
---------------
function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();
Expected result:
----------------
$GLOBALS should be empty or an error message should be printed.
Actual result:
--------------
My tests:
PHP 4.3.8 cli/cgi, 4.3.10 cli, Linux 2.6:
segmentation fault
PHP 4.3.8 apache2sapi, Windows XP SP2:
Apache2 log: Parent: child process exited with status 3221225477 -- Restarting.
PHP 5.0.1 cli, Windows XP SP2:
array_splice works, but then crashes on script end (probably during cleanups) or on phpinfo();
<0>stob@netbrake:~/compile/php-4.3.10/sapi/cli% cat ~/test/killer.php
<? function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();
<0>stob@netbrake:~/compile/php-4.3.10/sapi/cli% gdb php
[...]
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run ~/test/killer.php
Starting program: /home/stob/compile/php-4.3.10/sapi/cli/php ~/test/killer.php
[Sat Dec 18 17:28:35 2004] Script: '/home/stob/test/killer.php'
---------------------------------------
/home/stob/compile/php-4.3.10/ext/standard/array.c(1897) : Block 0x081C2B28 status:
Beginning: Overrun (magic=0x00000000, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
0xb7ec81c3 in memcpy () from /lib/libc.so.6
(gdb) bt
#0 0xb7ec81c3 in memcpy () from /lib/libc.so.6
#1 0x0814ace4 in _mem_block_check (ptr=0x81c2b4c, silent=0, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:675
#2 0x0814aca5 in _mem_block_check (ptr=0x81c2b4c, silent=1, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:667
#3 0x08149feb in _efree (ptr=0x81c2b4c, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:243
#4 0x080a2b90 in zif_array_splice (ht=3, return_value=0x81f6af4, this_ptr=0x0, return_value_used=0)
    at /home/stob/compile/php-4.3.10/ext/standard/array.c:1897
#5 0x0816eeb3 in execute (op_array=0x81f69b8) at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1642
#6 0x0816f0b1 in execute (op_array=0x81f15bc) at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1686
#7 0x0815be29 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/stob/compile/php-4.3.10/Zend/zend.c:900
#8 0x08127f54 in php_execute_script (primary_file=0xbffffa60) at /home/stob/compile/php-4.3.10/main/main.c:1736
#9 0x0817507b in main (argc=2, argv=0xbffffae4) at /home/stob/compile/php-4.3.10/sapi/cli/php_cli.c:822
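
The allocator report in the trace above ("Beginning: Overrun (magic=0x00000000, expected=0x7312F8DC)") is a guard word in front of the block failing its check at free time. The C sketch below is an added example, not code from this report or from PHP: a simplified model of such a guard-word check, in which `dbg_alloc`, `dbg_check`, `dbg_free`, the `blk_hdr` layout and the `END_MAGIC` value are assumptions made for illustration and only the start magic is taken from the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a debug allocator's guard words; not Zend's code. */
#define START_MAGIC 0x7312F8DCu /* "expected" value printed in the trace */
#define END_MAGIC   0x5AFEC0DEu /* constructed for this example */

typedef struct { size_t size; uint32_t magic; } blk_hdr;
enum blk_status { BLK_OK, BLK_START_OVERRUN, BLK_END_OVERRUN };

/* Layout: [blk_hdr][payload of `size` bytes][END_MAGIC] */
void *dbg_alloc(size_t size) {
    unsigned char *raw = malloc(sizeof(blk_hdr) + size + sizeof(uint32_t));
    uint32_t end = END_MAGIC;
    if (!raw) return NULL;
    ((blk_hdr *)raw)->size = size;
    ((blk_hdr *)raw)->magic = START_MAGIC;
    memcpy(raw + sizeof(blk_hdr) + size, &end, sizeof end);
    return raw + sizeof(blk_hdr);
}

/* Header first: once it is damaged, `size` cannot be trusted, so the
   tail guard is not read through it. */
enum blk_status dbg_check(const void *ptr) {
    const unsigned char *p = ptr;
    blk_hdr h;
    uint32_t end;
    memcpy(&h, p - sizeof h, sizeof h);
    if (h.magic != START_MAGIC) return BLK_START_OVERRUN;
    memcpy(&end, p + h.size, sizeof end);
    return end == END_MAGIC ? BLK_OK : BLK_END_OVERRUN;
}

/* Free only intact blocks; a damaged block is leaked instead of freed. */
enum blk_status dbg_free(void *ptr) {
    enum blk_status st = dbg_check(ptr);
    if (st == BLK_OK) free((unsigned char *)ptr - sizeof(blk_hdr));
    return st;
}

int main(void) {
    unsigned char *p = dbg_alloc(16);
    if (!p) return 1;
    memset(p - sizeof(blk_hdr), 0, sizeof(blk_hdr)); /* simulate a wiped header */
    printf("status=%d\n", dbg_free(p));
    return 0;
}
```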