php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #41813 segmentation fault in string to array conversion
Submitted: 2007-06-26 15:23 UTC Modified: 2007-06-27 08:56 UTC
From: jontsa at amigaone dot cc Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.4-dev OS: Gentoo Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jontsa at amigaone dot cc
New email:
PHP Version: OS:

 

 [2007-06-26 15:23 UTC] jontsa at amigaone dot cc 
Description:
------------
If you convert a non-empty string to an array with object as value, you get a segmentation fault. Tested on Gentoo Linux and Solaris with Apache 2 and PHP 5.2.3. Theres no segmentation fault when converting for example a scalar variable but an error message as expected.

Also tested from shell using:

 # echo '<?php $foo="50";$foo[0]->bar="xyz"; ?>' | /opt/php5/bin/php
 Segmentation fault

Reproduce code:
---------------
$foo="50";
$foo[0]->bar="xyz";

Expected result:
----------------
An error message of some sort.

Actual result:
--------------
From apache logs:

[Tue Jun 26 18:03:23 2007] [notice] child pid 16155 exit signal Segmentation fault (11)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-26 15:53 UTC] sniper@php.net 
Verified.
 [2007-06-27 08:15 UTC] judas dot iscariote at gmail dot com 
Index: Zend/zend_execute.c
===================================================================
RCS file: /repository/ZendEngine2/zend_execute.c,v
retrieving revision 1.716.2.12.2.20
diff -u -r1.716.2.12.2.20 zend_execute.c
--- Zend/zend_execute.c 6 Jun 2007 08:35:23 -0000       1.716.2.12.2.20
+++ Zend/zend_execute.c 27 Jun 2007 08:14:40 -0000
@@ -530,6 +530,10 @@
        zval *value = get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R);
        zval **retval = &T(result->u.var).var.ptr;

+       if (!object_ptr) {
+               zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
+       }
+
        if (*object_ptr == EG(error_zval_ptr)) {
                FREE_OP(free_op2);
                if (!RETURN_VALUE_UNUSED(result)) {
 [2007-06-27 08:56 UTC] tony2001@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 16:01:29 2024 UTC