PHP :: Bug #63173 :: Crash when invoking invalid array callback

Bug #63173	Crash when invoking invalid array callback
Submitted:	2012-09-27 16:11 UTC	Modified:	2012-09-27 16:57 UTC
From:	bugs dot php dot net at majkl578 dot cz	Assigned:	nikic (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.4.7	OS:	Linux & Windows
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bugs dot php dot net at majkl578 dot cz
New email:
PHP Version:		OS:

New Comment:

[2012-09-27 16:11 UTC] bugs dot php dot net at majkl578 dot cz

Description:
------------
PHP crashes when the callback (defined as an array) is invalid.

Test script:
---------------
$foo = [
	1 => 0,
	2 => 0,
];

$foo();

Expected result:
----------------
PHP Fatal error

Actual result:
--------------
Segmentation fault; backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a53ddf in ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER (execute_data=0x7ffff7f740e8) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:1922
1922				if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) {
(gdb) bt
#0  0x0000000000a53ddf in ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER (execute_data=0x7ffff7f740e8) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:1922
#1  0x0000000000a4cb52 in execute (op_array=0x7ffff7fab698) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:410
#2  0x0000000000a1064a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /storage/build/php/5.4/php-5.4.7/Zend/zend.c:1286
#3  0x0000000000987c90 in php_execute_script (primary_file=0x7fffffffdfc0) at /storage/build/php/5.4/php-5.4.7/main/main.c:2473
#4  0x0000000000b569ea in do_cli (argc=2, argv=0x7fffffffe368) at /storage/build/php/5.4/php-5.4.7/sapi/cli/php_cli.c:988
#5  0x0000000000b579a5 in main (argc=2, argv=0x7fffffffe368) at /storage/build/php/5.4/php-5.4.7/sapi/cli/php_cli.c:1364

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-09-27 16:48 UTC] nikic@php.net

-Status: Open +Status: Closed

[2012-09-27 16:48 UTC] nikic@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=592b232e834ed2698fa97ad4dd58e5ab21f257be
Log: Fix bug #63173: Crash when invoking invalid array callback

[2012-09-27 16:57 UTC] nikic@php.net

Thanks for the report, this is now fixed in the repo.

Two more notes:
 * For call_user_func the call with go through zend_is_callable_ex where the check is properly done (see http://lxr.php.net/xref/PHP_5_3/Zend/zend_API.c#2771), so this bug doesn't apply to it (or an other function with f zpp)
 * Calling array callbacks using $callback() is only supported since 5.4, so this does not apply to PHP 5.3.

[2012-09-27 16:57 UTC] nikic@php.net

-Summary: Crash when invoking invalid callback +Summary: Crash when invoking invalid array callback -Assigned To: +Assigned To: nikic

[2014-10-07 23:22 UTC] stas@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=592b232e834ed2698fa97ad4dd58e5ab21f257be
Log: Fix bug #63173: Crash when invoking invalid array callback

[2014-10-07 23:33 UTC] stas@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=592b232e834ed2698fa97ad4dd58e5ab21f257be
Log: Fix bug #63173: Crash when invoking invalid array callback

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Dec 04 16:00:01 2025 UTC