PHP :: Bug #16558 :: String offset reference can be created and segfaults interpreter

Bug #16558	String offset reference can be created and segfaults interpreter
Submitted:	2002-04-11 17:34 UTC	Modified:	2002-08-02 16:29 UTC
From:	dcowgill at mail dot communityconnect dot com	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	4.1.0	OS:	Linux (RH 7.2)
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	dcowgill at mail dot communityconnect dot com
New email:
PHP Version:		OS:

New Comment:

[2002-04-11 17:34 UTC] dcowgill at mail dot communityconnect dot com

It's possible to create a reference to a string offset (which is supposed to be illegal) by returning it from a function:

<?php
function &f() {
    $x = "x";
    return $x{0};
}
$y =& f();
?>

The above code triggers a segfault (tested with versions 4.0.6 and 4.1.0).

Here is the backtrace:

(gdb) bt
#0  0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
#1  0x080dbf00 in execute (op_array=0x813c8bc) at ./zend_execute.c:1703
#2  0x080bf4c4 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:814
#3  0x0805bab5 in php_execute_script (primary_file=0xbffff8e0) at main.c:1309
#4  0x08059698 in main (argc=1, argv=0xbffff984) at cgi_main.c:738
#5  0x400d3507 in __libc_start_main (main=0x8058ea8 <main>, argc=1, 
    ubp_av=0xbffff984, init=0x8057d2c <_init>, fini=0x80e1290 <_fini>, 
    rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffff97c)
    at ../sysdeps/generic/libc-start.c:129
(gdb) frame 0
#0  0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
1751                                                    SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-04-12 16:14 UTC] dcowgill at mail dot communityconnect dot com

Note: you do not have to do reference-assignment ("= &") to trigger the segfault; the following reproduces the crash as well:

<?php
function &f() {
    $x = "x";
    return $x{0};
}
$y = f();
?>

[2002-08-02 16:29 UTC] iliaa@php.net

This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Dec 05 17:00:01 2025 UTC