  [2011-03-16 03:08 UTC] stas@php.net
  [2011-03-16 06:05 UTC] stas@php.net
 
-Type:           Bug
+Type:           Security
-Private report: N
+Private report: Y
  [2011-03-16 12:15 UTC] dmitry@php.net
 
-Status:      Open
+Status:      Closed
-Assigned To:
+Assigned To: dmitry
  [2011-03-16 12:15 UTC] dmitry@php.net
  [2019-09-26 09:34 UTC] nikic@php.net
 
-Type: Security
+Type: Bug
Description:
------------
Reported by Christian Holler on the mailing list, test named 'crashMemCorruptionZvalDtorFunc', produces the following on valgrind:

==71892== Invalid read of size 4
==71892==    at 0x51D7EA: zend_hash_destroy (in /Users/smalyshev/mphp)
==71892==    by 0x50DFCC: _zval_dtor_func (in /Users/smalyshev/mphp)
==71892==    by 0x4FFB62: _zval_dtor (in /Users/smalyshev/mphp)
==71892==    by 0x4FFEB6: _zval_ptr_dtor (in /Users/smalyshev/mphp)
==71892==    by 0x5B0982: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (in /Users/smalyshev/mphp)
==71892==    by 0x53AB23: execute (in /Users/smalyshev/mphp)
==71892==    by 0x510794: zend_execute_scripts (in /Users/smalyshev/mphp)
==71892==    by 0x49D228: php_execute_script (in /Users/smalyshev/mphp)
==71892==    by 0x5D2CDD: main (in /Users/smalyshev/mphp)
==71892==  Address 0x5c is not stack'd, malloc'd or (recently) free'd

The bug seems to be because in ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER, error_zval_ptr is used to assign to it as if it were an array, which seems to lead to unexpected consequences.

Test script:
---------------
$a = '0';
var_dump(isset($a['b']));
$simpleString = preg_match('//', '', $a->a);
$simpleString["wrong"] = "f";