Bug #67151 strtr with empty array crashes
Submitted: 2014-04-29 16:34 UTC Modified: 2014-05-05 21:58 UTC
From: nikic@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.0beta1 OS:
Private report: No CVE-ID: None

 [2014-04-29 16:34 UTC] nikic@php.net
Description:
------------
<?php
var_dump(strtr("foo", []));

Valgrind:

==24828== Invalid read of size 1
==24828==    at 0x817D0EA: php_strtr_hash (string.c:2836)
==24828==    by 0x817DC37: php_strtr_array_do_repl (string.c:3049)
==24828==    by 0x817E255: php_strtr_array (string.c:3113)
==24828==    by 0x817E412: zif_strtr (string.c:3144)
==24828==    by 0x82A7E96: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==24828==    by 0x82AD85B: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2585)
==24828==    by 0x82A7392: execute_ex (zend_vm_execute.h:363)
==24828==    by 0x82A7447: zend_execute (zend_vm_execute.h:388)
==24828==    by 0x8266A15: zend_execute_scripts (zend.c:1330)
==24828==    by 0x81C77A3: php_execute_script (main.c:2549)
==24828==    by 0x831669C: do_cli (php_cli.c:994)
==24828==    by 0x8317BF6: main (php_cli.c:1378)
==24828==  Address 0x43fb16d is 3 bytes before a block of size 4 alloc'd
==24828==    at 0x402BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24828==    by 0x822C278: _emalloc (zend_alloc.c:2427)
==24828==    by 0x822C795: _estrndup (zend_alloc.c:2650)
==24828==    by 0x82624DD: _zval_copy_ctor_func (zend_variables.c:126)
==24828==    by 0x82A1BF1: _zval_copy_ctor (zend_variables.h:45)
==24828==    by 0x82ADC3E: ZEND_SEND_VAL_SPEC_CONST_HANDLER (zend_vm_execute.h:2754)
==24828==    by 0x82A7392: execute_ex (zend_vm_execute.h:363)
==24828==    by 0x82A7447: zend_execute (zend_vm_execute.h:388)
==24828==    by 0x8266A15: zend_execute_scripts (zend.c:1330)
==24828==    by 0x81C77A3: php_execute_script (main.c:2549)
==24828==    by 0x831669C: do_cli (php_cli.c:994)
==24828==    by 0x8317BF6: main (php_cli.c:1378)
==24828== 
string(3) "foo"
==24828== 
==24828== HEAP SUMMARY:
==24828==     in use at exit: 0 bytes in 0 blocks
==24828==   total heap usage: 12,026 allocs, 12,026 frees, 1,114,247 bytes allocated
==24828== 
==24828== All heap blocks were freed -- no leaks are possible
==24828== 
==24828== For counts of detected and suppressed errors, rerun with: -v
==24828== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
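
For triaging a Memcheck report like the one above, the following added example (not part of the original report or of PHP's source) parses the text and names the bug class from where the faulting address falls relative to the heap block. The sample input is abridged from the report above; the function names `parse_invalid_accesses` and `classify` are hypothetical.

```python
import re

# Sample abridged from the Memcheck output in the report above (frames trimmed).
SAMPLE = """\
==24828== Invalid read of size 1
==24828==    at 0x817D0EA: php_strtr_hash (string.c:2836)
==24828==    by 0x817DC37: php_strtr_array_do_repl (string.c:3049)
==24828==  Address 0x43fb16d is 3 bytes before a block of size 4 alloc'd
==24828==    at 0x402BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24828==    by 0x822C278: _emalloc (zend_alloc.c:2427)
==24828==    by 0x822C795: _estrndup (zend_alloc.c:2650)
==24828==
string(3) "foo"
"""

PREFIX = re.compile(r"^==\d+==\s?")
ACCESS = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR = re.compile(r"^\s*Address (0x[0-9A-Fa-f]+) is (\d+) bytes (before|inside|after) "
                  r"a block of size (\d+) (alloc'd|free'd)$")

def parse_invalid_accesses(text):
    """Return one dict per 'Invalid read/write' record in Memcheck text output."""
    records, cur, stack = [], None, None
    for raw in text.splitlines():
        if not PREFIX.match(raw):
            continue  # program output interleaved with Valgrind lines
        line = PREFIX.sub("", raw)
        if (m := ACCESS.match(line)):
            cur = {"op": m[1], "size": int(m[2]), "access_stack": [], "alloc_stack": []}
            records.append(cur)
            stack = cur["access_stack"]      # frames that performed the access
        elif cur and (m := ADDR.match(line)):
            cur.update(address=m[1], offset=int(m[2]), where=m[3],
                       block_size=int(m[4]), block_state=m[5])
            stack = cur["alloc_stack"]       # frames that allocated/freed the block
        elif cur and (m := FRAME.match(line)):
            stack.append((m[1], m[2]))
        elif not line.strip():
            cur = None                       # a blank Valgrind line ends the record
    return records

def classify(rec):
    """Name the bug class from where the address falls relative to the heap block."""
    if rec.get("block_state") == "free'd":
        return "use-after-free"
    return {"before": "heap underflow", "after": "heap overflow"}.get(rec.get("where"), "unclassified")
```

On the sample this yields a 1-byte read 3 bytes before a 4-byte block allocated via `_estrndup`, that is, a read before the start of a heap buffer.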


 [2014-05-05 21:57 UTC] tyrael@php.net
I can't reproduce the script, could you tell me which platform you experienced it on, and your exact configure line?
 [2014-05-05 21:58 UTC] tyrael@php.net
-Status: Open +Status: Feedback
 [2014-06-17 10:44 UTC] jocelyn dot fournier at gmail dot com
Hi,

Don't know if it's related, but I also have an issue with strtr reported by valgrind, on PHP 5.5.13:

==11275== Use of uninitialised value of size 8
==11275==    at 0x8DC69D4: php_strtr_array_do_repl (string.c:3055)
==11275==    by 0x8DC70D1: php_strtr_array (string.c:3118)
==11275==    by 0x8DC72AC: zif_strtr (string.c:3149)
==11275==    by 0x8FD2F28: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==11275==    by 0x8FD39BD: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:685)
==11275==    by 0x8FD225A: execute_ex (zend_vm_execute.h:363)
==11275==    by 0x8FD2340: zend_execute (zend_vm_execute.h:388)
==11275==    by 0x8F75963: zend_call_function (zend_execute_API.c:939)
==11275==    by 0x8D8023C: zif_call_user_func_array (basic_functions.c:4806)
==11275==    by 0x8FD2F28: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==11275==    by 0x8FD39BD: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:685)
==11275==    by 0x8FD225A: execute_ex (zend_vm_execute.h:363)
==11275== 

Thanks and regards,
  Jocelyn Fournier
 [2014-06-17 10:56 UTC] jocelyn dot fournier at gmail dot com
My platform:

Linux 3.13.0-29-generic #53-Ubuntu SMP Wed Jun 4 21:00:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux, tested on the home page of a blank ezpublish installation (http://share.ez.no/content/download/157408/929566/version/1/file/ezpublish5_community_project-v2014.03-gpl-full.tar.gz)
 [2014-07-02 20:37 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-02 20:37 UTC] nikic@php.net
-Status: Feedback +Status: Closed
 [2014-07-07 15:22 UTC] dmitry@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-21 09:31 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-21 10:02 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-30 09:52 UTC] tyrael@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 
Last updated: Tue Dec 03 17:01:29 2024 UTC