PHP :: Bug #23872 :: reference to same variable(array) crash web server

Bug #23872

reference to same variable(array) crash web server

Submitted:

2003-05-29 07:37 UTC

Modified:

2003-05-29 07:51 UTC

Votes:	3
Avg. Score:	4.0 ± 1.4
Reproduced:	1 of 2 (50.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

Xuefer at 21cn dot com

Assigned:

Status:

Wont fix

Package:

Scripting Engine problem

PHP Version:

4.3.2

OS:

win2k apache2

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	Xuefer at 21cn dot com
New email:
PHP Version:		OS:

New Comment:

[2003-05-29 07:37 UTC] Xuefer at 21cn dot com

php4.3.2-rc3
<?php
$times = 65536; // 65535 works fine
$t = array(1);
for ($i = 0; $i < $times; $i ++)
{
	$a[] = &$t;
}
?>
crash

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-05-29 07:51 UTC] wez@php.net

That breaks - don't do it :)
It won't be fixed in 4.x; PHP 5 will (and does) handle it though.

[2003-06-06 14:24 UTC] php at codewhore dot org

According to zend.h, the refcount for zvals is an unsigned short, which would roll over to zero on the 65536th increment, causing shutdown_memory_manager to free the zval while references to it still remain.

I'm guessing it'd be too costly to check every refcount increment.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Apr 19 17:01:26 2025 UTC