php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #44184 Double free of loop-variable on exception
Submitted: 2008-02-20 11:51 UTC Modified: 2008-02-20 12:07 UTC
From: dmitry at dot php dot net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.5 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dmitry at dot php dot net
New email:
PHP Version: OS:

 

 [2008-02-20 11:51 UTC] dmitry at dot php dot net 
Description:
------------
See the following code

Reproduce code:
---------------
<?php
function foo() {
        $x = array(1,2,3);
        foreach ($x as $a) {
                while (1) {
                        throw new Exception();
                }
            return;
        }
}
try {
        foo();
} catch (Exception $ex) {
        echo "ok\n";
}


Expected result:
----------------
ok

Actual result:
--------------
==31644== Invalid read of size 4
==31644==    at 0x83A0310: _zval_ptr_dtor (zend_execute_API.c:412)
==31644==    by 0x83D7383: zend_switch_free (zend_execute.c:372)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)
==31644==    by 0x842CB94: main (php_cli.c:1140)
==31644==  Address 0x4557F30 is 8 bytes inside a block of size 16 free'd
==31644==    at 0x400513F: free (vg_replace_malloc.c:233)
==31644==    by 0x8392725: _efree (zend_alloc.c:2290)
==31644==    by 0x83A03D7: safe_free_zval_ptr_rel (zend_execute.h:70)
==31644==    by 0x83A036C: _zval_ptr_dtor (zend_execute_API.c:415)
==31644==    by 0x83D734D: zend_switch_free (zend_execute.c:370)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-20 12:07 UTC] dmitry@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 15:01:30 2024 UTC