Bug #25547 error_handler and array index with function call
Submitted: 2003-09-15 13:37 UTC Modified: 2004-03-31 18:18 UTC
Votes:18
Avg. Score:3.8 ± 1.0
Reproduced:16 of 16 (100.0%)
Same Version:7 (43.8%)
Same OS:7 (43.8%)
From: cschneid at cschneid dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS OS: *
Private report: No CVE-ID: None
 [2003-09-15 13:37 UTC] cschneid at cschneid dot com
Description:
------------
Error handler seems to destroy array indices if called due
to an undefined array index generated by a function.

Reproduce code:
---------------
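<?php
// Error handler that only assigns a string to a local variable.
function handler($errno, $errstr, $errfile, $errline)
{
        $test = "aaa";
}

set_error_handler('handler');

// The index comes from a function call; the element does not exist yet,
// so the increment raises an undefined index notice and runs the handler.
$output[trim("bbbbbbb")]++;
print_r($output);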


Expected result:
----------------
Array
(
    [bbbbbbb] => 1
)


Actual result:
--------------
Array
(
    [aaa] => 1
)


 [2003-10-15 08:19 UTC] cschneid at cschneid dot com
The problem seems to be that dim->value is overwritten; copying the value solves this. I don't have enough insight into Zend to know if this is a memory leak and the values should be freed at some point or if this is OK.

Hope this helps:

diff -u -u -r1.316.2.21 zend_execute.c
--- Zend/zend_execute.c 30 Jul 2003 16:33:54 -0000      1.316.2.21
+++ Zend/zend_execute.c 15 Oct 2003 12:17:10 -0000
@@ -626,7 +626,7 @@
                        offset_key_length = 0;
                        goto fetch_string_dim;
                case IS_STRING:
-                       offset_key = dim->value.str.val;
+                       offset_key = estrndup(dim->value.str.val, dim->value.str.len);
                        offset_key_length = dim->value.str.len;

 fetch_string_dim:
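Review bot: the estrndup() copy assigned to offset_key in the IS_STRING case has no matching efree() anywhere in this hunk, so every string-indexed fetch that takes this branch allocates a buffer that nothing visible releases. The preceding branch also reaches fetch_string_dim through its goto and nothing shown there allocates, so an unconditional efree(offset_key) after the label would not be safe either; track whether offset_key is an owned copy (for example with a flag set only in this case) and free it only then, once the lookup that uses it has finished.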
 [2003-10-16 04:09 UTC] helly@php.net
You now have a memory leak. I tried something similar too. But we decided to look for a better solution where we don't gc the variable we still need.
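The aliasing discussed in the two comments above, as an added C model that is not Zend engine code, not the workaround patch and not the CVS fix. All names (`slot_t`, `fill_slot`, `incr_borrowed`, `incr_owned`) are hypothetical, and the single fixed-size slot is an assumption made to keep the behaviour defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model, NOT Zend engine code; all names are hypothetical.
 * slot_t stands in for the temporary holding the result of trim("bbbbbbb"). */
typedef struct { char val[16]; size_t len; } slot_t;
typedef struct { char key[16]; int count; } entry_t;
static slot_t tmp;  /* one shared temp slot, recycled by later expressions */

static void fill_slot(const char *s) {
    snprintf(tmp.val, sizeof tmp.val, "%s", s);  /* truncates, never overflows */
    tmp.len = strlen(tmp.val);
}

/* Stands in for the user error handler: $test = "aaa" reuses the slot. */
static void error_handler(void) { fill_slot("aaa"); }

static void store(entry_t *e, const char *key) {
    snprintf(e->key, sizeof e->key, "%s", key);
    e->count++;
}

/* Before: the key is a borrowed pointer into the slot the handler rewrites. */
void incr_borrowed(entry_t *e, const char *index) {
    fill_slot(index);
    const char *key = tmp.val;  /* like offset_key = dim->value.str.val */
    error_handler();            /* the undefined-index notice fires here */
    store(e, key);              /* key now reads "aaa" */
}

/* After: own a copy before the handler can run, free it once stored. */
int incr_owned(entry_t *e, const char *index) {
    fill_slot(index);
    char *key = malloc(tmp.len + 1);
    if (key == NULL) return -1;
    memcpy(key, tmp.val, tmp.len + 1);
    error_handler();
    store(e, key);
    free(key);                  /* released here, so the copy does not leak */
    return 0;
}

int main(void) {
    entry_t a = {{0}, 0}, b = {{0}, 0};
    incr_borrowed(&a, "bbbbbbb");
    incr_owned(&b, "bbbbbbb");
    printf("[%s] => %d\n[%s] => %d\n", a.key, a.count, b.key, b.count);
    return 0;
}
```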
 [2003-12-31 03:17 UTC] dmitry@php.net
The bug is fixed in PHP5 CVS (zend.c,v 1.260).
 [2004-01-04 17:49 UTC] cschneid at cschneid dot com
Problem still exists in PHP4 branch
 [2004-01-04 17:53 UTC] cschneid at cschneid dot com
A workaround patch (without memory leak ;-)) can be found at http://cschneid.com/php/php4/bug25547.patch
 [2004-01-04 22:45 UTC] cvianna at stech dot net dot br
The patch applied perfectly, and the make test didn't find any error after this.

Although, my problem ([Mon Jan  5 01:48:52 2004] [notice] child pid 3965 exit signal Segmentation fault (11)) every time I access a PHP page, persists. Not associated :) Back to Google.
 [2004-01-11 02:59 UTC] jclift at digitaldistribution dot com
That patch fixed my 4.3.4 release tarball, running on Sun's JDS, compiled in CLI mode.

Looks like we'll be waiting for the 4.3.5 release now.

;-)

Regards and best wishes,

Justin Clift
 [2004-01-16 22:50 UTC] jclift at digitaldistribution dot com
Just experienced this when doing a "make test" with PHP 4.3.5RC1, on a newly installed Sun Java Desktop System (a stripped down version of SuSE Linux).
 [2004-02-15 18:41 UTC] bart at atsence dot nl
I am afraid the patch did not have the desired effect for me. I am still faced with the error (when making a make test) after compiling php with sablotron, see below.

I patched the php-4.3.4 tarball with:

patch -p1 < bug25547.patch

Result is an error

File to patch: php-4.3.4.tar.gz
patching file php-4.3.4.tar.gz
Hunk #1 FAILED at 638.
1 out of 1 hunk FAILED -- saving rejects to file php-4.3.4.tar.gz.rej


FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #25547 (error_handler and array index with function call) [tests/lang/bug25547.phpt]
xslt_set_object function [ext/xslt/tests/xslt_set_object.phpt]


Ideas anyone?
 [2004-03-09 09:09 UTC] sm at netxcalibur dot com
This bug is still present in 4.3.4 and 4.3.5RC4 (aka php4-STABLE-200403091230), on both Linux Slackware 9.0 and 9.1. If patched as described, the bug disappears from both Linux/php versions.
 [2004-03-31 18:18 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Sat Nov 23 02:01:31 2024 UTC