PHP :: Bug #26148 :: fixe for crash in PHP-4.3.4 / _convert_to

Bug #26148	fixe for crash in PHP-4.3.4 / _convert_to_string()
Submitted:	2003-11-06 05:57 UTC	Modified:	2003-11-06 15:33 UTC
From:	morten-bugs dot php dot net at afdelingp dot dk	Assigned:
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	4CVS	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	morten-bugs dot php dot net at afdelingp dot dk
New email:
PHP Version:		OS:

New Comment:

[2003-11-06 05:57 UTC] morten-bugs dot php dot net at afdelingp dot dk

Description:
------------
One of my co-workers, Brian Fl?e, found that PHP could be crashed by passing an array to strip_tags() and other native functions expecting a string.

I debugged the issue, and it turns out that the problem is in the way _convert_to_string() calls zend_error() to emit a notice about the conversion of an array or an object. It destructs op and sets the value to "Array" or "Object", calls zend_error() with the argument stack borked, and THEN sets op->type to IS_STRING.

The problem is that any error handler looking at the output of debug_backtrace() will get wrong results, and in some situations crash PHP. This is a problem, because many sites run strip_tags() and other functions on variables from $_GET and $_POST, without explicitly casting them to strings - which should be safe.

The problem can be solved by calling zend_error() before messing with op. See attached patch.

The following code will show the (wrong) contents of ['args'] to the strip_tags() call, and crash at foreach without the patch.


Reproduce code:
---------------
function myErrorHandler()
{
  $backtrace = debug_backtrace();
  print_r($backtrace[1]['args']);
  foreach ($backtrace[1]['args'] as $arg) {
    print("# $arg #\n");
  }
}

set_error_handler('myErrorHandler');

$tmp = array('a', 'b', 'c');
strip_tags($tmp);


Expected result:
----------------
--- with the patch ---
[mopo@flimmer cli]$ ./php st.php
Array
(
    [0] => Array
        (
            [0] => a
            [1] => b
            [2] => c
        )

)
# Array #


Actual result:
--------------
--- without the patch ---
[mopo@flimmer cli]$ ./php st.php
Array
(
    [0] => Array
 *RECURSION*
)
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-11-06 05:59 UTC] morten-bugs dot php dot net at afdelingp dot dk

--- php-4.3.4-orig/Zend/zend_operators.c        Wed Nov  5 14:20:38 2003
+++ php-4.3.4/Zend/zend_operators.c     Wed Nov  5 14:15:32 2003
@@ -460,16 +460,16 @@
                        break;
                }
                case IS_ARRAY:
+                       zend_error(E_NOTICE, "Array to string conversion");
                        zval_dtor(op);
                        op->value.str.val = estrndup_rel("Array", sizeof("Array")-1);
                        op->value.str.len = sizeof("Array")-1;
-                       zend_error(E_NOTICE, "Array to string conversion");
                        break;
                case IS_OBJECT:
+                       zend_error(E_NOTICE, "Object to string conversion");
                        zval_dtor(op);
                        op->value.str.val = estrndup_rel("Object", sizeof("Object")-1);
                        op->value.str.len = sizeof("Object")-1;
-                       zend_error(E_NOTICE, "Object to string conversion");
                        break;
                default:
                        zval_dtor(op);

[2003-11-06 15:15 UTC] sniper@php.net

Works fine with PHP 5b2, crashes with latest CVS of PHP 4.

[2003-11-06 15:33 UTC] iliaa@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 22:00:01 2025 UTC