Bug #44046 array_slice(&$offset, $offset) crash
Submitted: 2008-02-04 22:31 UTC Modified: 2008-02-05 16:02 UTC
From: victor dot stinner at haypocalc dot com Assigned:
Status: Closed Package: Arrays related
PHP Version: 5.2.5 OS: Linux (Ubuntu Gutsy) on i386
Private report: No CVE-ID: None
 [2008-02-04 22:31 UTC] victor dot stinner at haypocalc dot com
Description:
------------
Code to crash PHP5:
* $input = Array("array"); array_slice(&$input, &$input);
* $input = Array("array"); array_slice(&$input, 0, &$input);
* $input = Array("array"); array_slice(&$input, 0, 0, &$input);

array_slice() first checks the first argument ($input) and then converts the other arguments ($offset to long, $length to long, $preserve_keys to boolean). If arguments are shared as references, the $input type can change (to long or boolean).

The crash occurs in the instruction "num_in = zend_hash_num_elements(Z_ARRVAL_PP(input))": it reads ((HashTable*)input)->inconsistent. If input is 0 or 1, reading input crashes with a segmentation fault.

 [2008-02-04 22:53 UTC] victor dot stinner at haypocalc dot com
gdb session:

* $input type in array_slice() entry:
(gdb) print (**input).type
$1 = 4 '\004'    # IS_ARRAY

* $input type after execution of convert_to_long_ex() or convert_to_boolean_ex() :
(gdb) print (**input).type
$4 = 1 '\001'    # IS_LONG

* Execution of "num_in = zend_hash_num_elements(Z_ARRVAL_PP(input))":

Program received signal SIGSEGV, Segmentation fault.
(gdb) where
#0  0x083281ad in _zend_is_inconsistent (ht=0x1, file=0x8451248 "/home/haypo/php-5.2.5/Zend/zend_hash.c", 
    line=1015) at /home/haypo/php-5.2.5/Zend/zend_hash.c:53
#1  0x0832ae37 in zend_hash_num_elements (ht=0x1) at /home/haypo/php-5.2.5/Zend/zend_hash.c:1015
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253
(...)
(gdb) frame 2
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253
2253            num_in = zend_hash_num_elements(Z_ARRVAL_PP(input));
(gdb) print (**input).type
$2 = 1 '\001'
 [2008-02-05 00:45 UTC] felipe@php.net
My suggestion:
http://ecl.mediain.com.br/diff/bug44046.diff

In the .phpt for array_slice, the expected result treats 0 as NULL. Then, I guess that using long rather than zval could be used...
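Added example, not code from the bug report or from PHP's sources: a C toy of the aliasing hazard the description explains (the first argument is validated, then a later argument is coerced in place through the same zval) next to the ordering felipe's comment suggests (read scalar arguments into local longs instead of mutating zvals). The simplified zval, the function names, the error codes and the three-element sample array are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>

/* Constructed toy of a PHP 5.2 zval: a type tag plus a union, so an in-place
 * conversion overwrites whatever the union held, the array pointer included. */
enum { IS_LONG = 1, IS_ARRAY = 4 };
typedef struct { size_t count; } HashTable;
typedef struct { int type; union { long lval; HashTable *ht; } u; } zval;

/* In-place coercion like convert_to_long_ex(): a non-empty array becomes 1,
 * the IS_LONG value the gdb session shows for the clobbered $input. */
static void convert_to_long_inplace(zval *z) {
    if (z->type == IS_ARRAY) { z->u.lval = (z->u.ht->count > 0); z->type = IS_LONG; }
}

/* Ordering from the report: validate $input, coerce $offset in place, then use
 * $input. If both point at one zval the earlier check is stale; the dereference
 * that crashed at array.c:2253 is replaced by a re-check returning -1. */
long slice_count_old(zval *input, zval *offset) {
    if (input->type != IS_ARRAY) return -2;
    convert_to_long_inplace(offset);          /* rewrites *input if aliased */
    if (input->type != IS_ARRAY) return -1;   /* would read ht=0x1 otherwise */
    long n = (long)input->u.ht->count;
    return offset->u.lval >= n ? 0 : n - offset->u.lval;
}

/* Fixed ordering (felipe's "long rather than zval"): read scalar arguments into
 * local C longs without mutating the zvals, so aliasing cannot alter $input. */
static int read_long(const zval *z, long *out) {
    switch (z->type) {
    case IS_LONG:  *out = z->u.lval; return 0;
    case IS_ARRAY: *out = (z->u.ht->count > 0); return 0;
    default:       return -1;
    }
}

long slice_count_fixed(zval *input, zval *offset) {
    long off;
    if (input->type != IS_ARRAY || read_long(offset, &off) != 0) return -2;
    long n = (long)input->u.ht->count;
    return off >= n ? 0 : n - off;
}

int main(void) {   /* constructed three-element array passed as both arguments */
    HashTable ht = { 3 };
    zval a = { IS_ARRAY, { .ht = &ht } }, b = { IS_ARRAY, { .ht = &ht } };
    assert(slice_count_old(&a, &a) == -1 && a.type == IS_LONG);
    assert(slice_count_fixed(&b, &b) == 2 && b.type == IS_ARRAY);
    return 0;
}
```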
 [2008-02-05 16:02 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 