PHP :: Bug #41685 :: Missing WARNING in array_push where next index is used.

Bug #41685	Missing WARNING in array_push where next index is used.
Submitted:	2007-06-14 08:22 UTC	Modified:	2007-06-24 17:37 UTC
From:	rob_nicholson at uk dot ibm dot com	Assigned:
Status:	Closed	Package:	Arrays related
PHP Version:	5.2.3	OS:	all
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	rob_nicholson at uk dot ibm dot com
New email:
PHP Version:		OS:

New Comment:

[2007-06-14 08:22 UTC] rob_nicholson at uk dot ibm dot com

Description:
------------
This testcase produces a warning:

<?php

$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;
$arr[]="foo";
?>

Output is:

WARNING: Cannot add element to the array as the next element is already occupied in  g:\foo.php on line 6.

This equivalent testcase produces no warning.

<?php

$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;

array_push ($arr,"foo","bar");
var_dump($arr);
?>







Reproduce code:
---------------
<?php

$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;

array_push ($arr,"foo","bar");
var_dump($arr);
?>


Expected result:
----------------
WARNING: Cannot add element to the array as the next element is already occupied in  g:\foo.php on line 6.
array(2) {
  [-2147483648]=>
  int(8)
  [2147483647]=>
  int(1)
}


Actual result:
--------------
array(2) {
  [-2147483648]=>
  int(8)
  [2147483647]=>
  int(1)
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-06-14 15:51 UTC] zoe@php.net

In case this helps - I think I can see where the problem is in the code:

In zend_fetch_dimension_address in zend_execute.c the following code snippet:


		case IS_ARRAY:
			if ((type==BP_VAR_W || type==BP_VAR_RW) && container->refcount>1 && !PZVAL_IS_REF(container)) {
				SEPARATE_ZVAL(container_ptr);
				container = *container_ptr;
			}
			if (dim == NULL) {
				zval *new_zval = &EG(uninitialized_zval);

				new_zval->refcount++;
				if (zend_hash_next_index_insert(Z_ARRVAL_P(container), &new_zval, sizeof(zval *), (void **) &retval) == FAILURE) {
					zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
					retval = &EG(error_zval_ptr);
					new_zval->refcount--;
				}

But in array_push in ext/standard/array.c is the following code:

	/* For each subsequent argument, make it a reference, increase refcount, and add it to the end of the array */
	for (i=1; i<argc; i++) {
		new_var = *args[i];
		new_var->refcount++;
	
		zend_hash_next_index_insert(Z_ARRVAL_P(stack), &new_var, sizeof(zval *), NULL);
	}

It looks as though this code should be checking the return code from zend_hash_next_index_insert and reporting the error.

[2007-06-24 17:37 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 17:01:29 2024 UTC