Bug #26148 fix for crash in PHP-4.3.4 / _convert_to_string()
Submitted: 2003-11-06 05:57 UTC Modified: 2003-11-06 15:33 UTC
From: morten-bugs dot php dot net at afdelingp dot dk Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS OS: *
Private report: No CVE-ID: None
 [2003-11-06 05:57 UTC] morten-bugs dot php dot net at afdelingp dot dk
Description:
------------
One of my co-workers, Brian Fl?e, found that PHP could be crashed by passing an array to strip_tags() and other native functions expecting a string.

I debugged the issue, and it turns out that the problem is in the way _convert_to_string() calls zend_error() to emit a notice about the conversion of an array or an object. It destructs op and sets the value to "Array" or "Object", calls zend_error() with the argument stack borked, and THEN sets op->type to IS_STRING.

The problem is that any error handler looking at the output of debug_backtrace() will get wrong results, and in some situations crash PHP. This is a problem, because many sites run strip_tags() and other functions on variables from $_GET and $_POST, without explicitly casting them to strings - which should be safe.

The problem can be solved by calling zend_error() before messing with op. See attached patch.

The following code will show the (wrong) contents of ['args'] to the strip_tags() call, and crash at foreach without the patch.


Reproduce code:
---------------
<?php
// Error handler that inspects the arguments of the frame that raised the notice.
function myErrorHandler()
{
  $backtrace = debug_backtrace();
  // Frame 1 is the strip_tags() call; its args should still hold the original array.
  print_r($backtrace[1]['args']);
  foreach ($backtrace[1]['args'] as $arg) {
    print("# $arg #\n");
  }
}

set_error_handler('myErrorHandler');

// Passing an array to a string function triggers the "Array to string conversion" notice.
$tmp = array('a', 'b', 'c');
strip_tags($tmp);


Expected result:
----------------
--- with the patch ---
[mopo@flimmer cli]$ ./php st.php
Array
(
    [0] => Array
        (
            [0] => a
            [1] => b
            [2] => c
        )

)
# Array #


Actual result:
--------------
--- without the patch ---
[mopo@flimmer cli]$ ./php st.php
Array
(
    [0] => Array
 *RECURSION*
)
Segmentation fault
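The ordering problem described in the report, destroy the payload, raise the notice, only then update the type tag, can be reproduced in a few lines of standalone C. The following is an added illustration, not Zend code: it models a zval as a tagged struct (the names zval_model, notice_handler, convert_to_string_model and run_scenario are invented), and runs the conversion in both the original order and the patched order. The handler checks the tag against the payload instead of dereferencing blindly, so the inconsistent state is reported rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not the real Zend zval: a value is either an array of
 * ints or a string. The type tag and the payload fields are kept separate so
 * the half-converted state can be observed without undefined behaviour. */
enum ztype { IS_ARRAY, IS_STRING };

typedef struct {
    enum ztype type;
    int  *items;   /* payload when type == IS_ARRAY */
    int   nitems;
    char *str;     /* payload when type == IS_STRING */
} zval_model;

/* What the "error handler" observed when the notice fired. */
typedef struct {
    int fired;
    int consistent;   /* type tag and payload agreed */
    int nitems_seen;
} observation;

static observation last_obs;

/* Stands in for a user error handler that looks at the argument, as a
 * debug_backtrace()-based handler would. A naive handler that trusts the
 * tag and dereferences items unconditionally would crash on the
 * inconsistent state; this one records it instead. */
static void notice_handler(const zval_model *op)
{
    last_obs.fired = 1;
    if (op->type == IS_ARRAY && op->items != NULL) {
        last_obs.consistent = 1;
        last_obs.nitems_seen = op->nitems;
    } else {
        last_obs.consistent = 0;   /* tag says array, payload already gone */
        last_obs.nitems_seen = -1;
    }
}

static void zval_model_dtor(zval_model *op)
{
    if (op->type == IS_ARRAY) {
        free(op->items);
        op->items = NULL;
        op->nitems = 0;
    } else {
        free(op->str);
        op->str = NULL;
    }
}

static char *dup_literal(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Converts an array value to the string "Array". With fixed == 0 the notice
 * is raised after the payload was destroyed but before the tag was updated,
 * mirroring the order the report describes; with fixed == 1 the notice is
 * raised first, as in the patch. */
static void convert_to_string_model(zval_model *op, int fixed)
{
    if (op->type != IS_ARRAY) return;
    if (fixed) notice_handler(op);
    zval_model_dtor(op);
    op->str = dup_literal("Array");
    if (!fixed) notice_handler(op);
    op->type = IS_STRING;
}

/* Runs one conversion on a constructed three-element array. Returns 1 if the
 * handler saw a consistent array of 3 items and the result is the string
 * "Array", 0 if the handler saw a half-converted value. */
int run_scenario(int fixed)
{
    zval_model v;
    v.type = IS_ARRAY;
    v.nitems = 3;
    v.items = malloc(3 * sizeof(int));
    v.items[0] = 1; v.items[1] = 2; v.items[2] = 3;
    v.str = NULL;

    memset(&last_obs, 0, sizeof last_obs);
    convert_to_string_model(&v, fixed);

    int ok = last_obs.fired && last_obs.consistent && last_obs.nitems_seen == 3
             && v.type == IS_STRING && v.str != NULL && strcmp(v.str, "Array") == 0;
    zval_model_dtor(&v);
    return ok;
}

int main(void)
{
    printf("original order: handler saw consistent value = %d\n", run_scenario(0));
    printf("patched order : handler saw consistent value = %d\n", run_scenario(1));
    return 0;
}
```

The invariant the patch restores is that a diagnostic callback must only ever run against a value that is either fully the old type or fully the new one; any user code reachable from zend_error() (an error handler, a backtrace walker) may read the value, so mutating it first hands that code a tag that no longer matches its payload.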


 [2003-11-06 05:59 UTC] morten-bugs dot php dot net at afdelingp dot dk
--- php-4.3.4-orig/Zend/zend_operators.c        Wed Nov  5 14:20:38 2003
+++ php-4.3.4/Zend/zend_operators.c     Wed Nov  5 14:15:32 2003
@@ -460,16 +460,16 @@
                        break;
                }
                case IS_ARRAY:
+                       zend_error(E_NOTICE, "Array to string conversion");
                        zval_dtor(op);
                        op->value.str.val = estrndup_rel("Array", sizeof("Array")-1);
                        op->value.str.len = sizeof("Array")-1;
-                       zend_error(E_NOTICE, "Array to string conversion");
                        break;
                case IS_OBJECT:
+                       zend_error(E_NOTICE, "Object to string conversion");
                        zval_dtor(op);
                        op->value.str.val = estrndup_rel("Object", sizeof("Object")-1);
                        op->value.str.len = sizeof("Object")-1;
-                       zend_error(E_NOTICE, "Object to string conversion");
                        break;
                default:
                        zval_dtor(op);
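Review bot: Raising zend_error() before zval_dtor() in both the IS_ARRAY and IS_OBJECT cases is the right ordering, since a user error handler now inspects op while it is still an intact array or object instead of a value whose payload has been freed and replaced but whose type tag still says array; a one-line comment above each moved zend_error() call stating that the notice must be raised before op is touched would keep a later cleanup from swapping the lines back. The zval_dtor()/estrndup_rel()/len sequence is now repeated verbatim in the two cases apart from the literal, so folding it into one helper would keep the two paths from drifting.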
 [2003-11-06 15:15 UTC] sniper@php.net
Works fine with PHP 5b2, crashes with latest CVS of PHP 4.

 [2003-11-06 15:33 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC