Bug #46893 extract($foo) crashes if $foo['foo'] exists
Submitted: 2008-12-17 23:06 UTC
Modified: 2008-12-27 03:08 UTC
From: steffen dot weber at gmail dot com
Assigned: lbarnaud
Status: Closed
Package: Reproducible crash
PHP Version: 5CVS, 6CVS (2008-12-18)
OS: *
Private report: No
CVE-ID: None

 [2008-12-17 23:06 UTC] steffen dot weber at gmail dot com
Description:
------------
Execute the following script and observe that $bar is set to a random integer (*). Furthermore $test is not set at all. This problem did not occur with PHP 5.2.6.

(*) Could this have security implications?

Reproduce code:
---------------
<?php
$foo = array('foo' => 1, 'bar' => 2, 'test' => 3);
extract($foo);
var_dump($foo, $bar, $test);
?>

Expected result:
----------------
int(1)
int(2)
int(3)

Actual result:
--------------
Notice: Undefined variable: test in extract-bug.php on line 4
int(1)
int(RANDOM_NUMBER)
NULL

 [2008-12-18 12:25 UTC] jani@php.net
It fails "silently" because it crashes. :)

#0  0x083437ad in _zend_is_inconsistent (ht=0x1, file=0x85ffca4 "/home/jani/src/php-5.2/Zend/zend_hash.c", line=1083)
    at /home/jani/src/php-5.2/Zend/zend_hash.c:53
#1  0x083465be in zend_hash_move_forward_ex (ht=0x1, pos=0xbfffcd98) at /home/jani/src/php-5.2/Zend/zend_hash.c:1083
#2  0x082435a0 in zif_extract (ht=1, return_value=0x86e16f8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/jani/src/php-5.2/ext/standard/array.c:1491
#3  0x0835e8bf in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffcfa8)
    at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:200
#4  0x083641f9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffcfa8)
    at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:1729
#5  0x0835e43c in execute (op_array=0x86e1088) at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:92
#6  0x083397aa in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.2/Zend/zend.c:1134
#7  0x082e831a in php_execute_script (primary_file=0xbffff324) at /home/jani/src/php-5.2/main/main.c:2023
#8  0x083b4bc9 in main (argc=2, argv=0xbffff464) at /home/jani/src/php-5.2/sapi/cli/php_cli.c:1133

 [2008-12-18 13:44 UTC] crrodriguez at opensuse dot org
Related to / duplicate of Bug #46873?
 [2008-12-23 10:00 UTC] matthieu at brunet-prod dot com
Same error here (5.2.8), but only if the array name is longer than 4 characters.
So the supplied code works for me, but:
$foooo = array('foooo' => 1, 'bar' => 2, 'test' => 3);
will crash.
And it will crash only if there is one or more elements after the element with the same name as the array.
So
$foooo = array('foooo' => 1, 'bar' => 2);
will crash, but
$foooo = array('bar' => 1, 'foooo' => 2);
will work.

hth
 [2008-12-26 11:54 UTC] felipe@php.net
Hi Arnald, that patch broke this.
 [2008-12-26 11:58 UTC] felipe@php.net
*Arnaud
I suppose http://cvs.php.net/viewvc.cgi/php-src/ext/standard/array.c?r1=1.308.2.21.2.58&r2=1.308.2.21.2.59 (Fixed bugs #44181 & #44182 (extract() and references))
 [2008-12-27 03:08 UTC] lbarnaud@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
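
A regression check covering the original report and the variants described in the 2008-12-23 comment, added here as an example (it is not part of the report or of php-src). Each case runs in a child PHP process so that a crash is recorded as an abnormal exit instead of stopping the check; the optional argument naming the PHP binary under test, the `$__expected` helper variable and the exit-code convention are assumptions of this example.

```php
<?php
// Added example, not part of the bug report.
// Assumed usage: php extract_regression.php [/path/to/php-under-test]
$php = isset($argv[1]) ? $argv[1] : PHP_BINARY;

// [array variable name, array contents], taken from the cases in the thread.
$cases = array(
    array('foo',   array('foo' => 1, 'bar' => 2, 'test' => 3)),   // original report
    array('foooo', array('foooo' => 1, 'bar' => 2, 'test' => 3)), // reported as crashing
    array('foooo', array('foooo' => 1, 'bar' => 2)),              // reported as crashing
    array('foooo', array('bar' => 1, 'foooo' => 2)),              // reported as working
);

function run_case($php, $name, array $data)
{
    $literal = var_export($data, true);
    // The literal is written twice so the array passed to extract() is not a
    // copy-on-write alias of $__expected (hypothetical helper variable).
    $code = "<?php\n"
          . "\$__expected = $literal;\n"
          . "\$$name = $literal;\n"
          . "extract(\$$name);\n"
          . "foreach (\$__expected as \$__k => \$__v) {\n"
          . "    if (!isset(\$\$__k) || \$\$__k !== \$__v) { exit(2); }\n"
          . "}\n"
          . "exit(0);\n";
    $file = tempnam(sys_get_temp_dir(), 'extract');
    file_put_contents($file, $code);
    // -n: ignore php.ini so local settings do not change the outcome.
    exec(escapeshellarg($php) . ' -n ' . escapeshellarg($file), $out, $status);
    unlink($file);
    if ($status === 0) {
        return 'ok';
    }
    // Exit code 2 is set by the child above; anything else (for example a
    // signal-derived status after a segfault) counts as an abnormal exit.
    return $status === 2 ? 'wrong values' : "abnormal exit ($status)";
}

$failed = 0;
foreach ($cases as $case) {
    list($name, $data) = $case;
    $result = run_case($php, $name, $data);
    if ($result !== 'ok') {
        $failed++;
    }
    printf("%-7s keys=%-16s %s\n", '$' . $name, implode(',', array_keys($data)), $result);
}
exit($failed > 0 ? 1 : 0);
```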
