Bug #68059 array_shift segfaults
Submitted: 2014-09-19 21:42 UTC Modified: 2017-10-24 08:25 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:0 (0.0%)
From: rrh at newrelic dot com Assigned:
Status: Suspended Package: xhprof (PECL)
PHP Version: 5.6.0 OS: ubuntu 14.04
Private report: No CVE-ID: None
 [2014-09-19 21:42 UTC] rrh at newrelic dot com
Description:
------------
If xhprof is enabled, and PHP 5.6 executes the PHP function array_shift, then the guts of _phpi_pop indirect through 0 for the return_value_ptr, resulting in a segfault.

The xhprof call through ->handler passes a 3rd argument which is the result of evaluating the C code:
  (EX(function_state).function->common.fn_flags &  ZEND_ACC_RETURN_REFERENCE) ?  &retvar->var.ptr:NULL
and for the case of the array_shift function, this passes NULL as the value of return_value_ptr in the environment of array_shift.

For PHP 5.6, and apparently PHP 5.6 only, the implementation of array_shift calls _phpi_pop, which invokes the macro RETVAL_ZVAL_FAST, which has a code path that stores through return_value_ptr without doing any checking for null pointers.

There are a handful of uses of RETVAL_ZVAL_FAST in PHP 5.6, all(?) related to array manipulation or iteration.
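
A simplified C model of the failure described in this report, added here as an illustration; it is not code from PHP, xhprof, or the reporter. All types and function names (`model_zval`, `slot_as_reported`, `slot_always`, `retval_fast_unchecked`, `retval_fast_guarded`) are hypothetical stand-ins, and the guarded callee and the always-valid slot are assumed mitigations, not the project's fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins, NOT the Zend engine's types or macros. */
typedef struct { long value; int refcount; } model_zval;
#define MODEL_ACC_RETURN_REFERENCE 0x1u

/* Caller choice quoted in the report: a slot only for by-reference functions. */
static model_zval **slot_as_reported(unsigned fn_flags, model_zval **slot) {
    return (fn_flags & MODEL_ACC_RETURN_REFERENCE) ? slot : NULL;
}

/* Hypothetical caller-side alternative: always hand the callee a valid slot. */
static model_zval **slot_always(unsigned fn_flags, model_zval **slot) {
    (void)fn_flags;
    return slot;
}

/* Unchecked callee pattern: shares the value by storing through
 * return_value_ptr. With return_value_ptr == NULL this is the reported crash. */
static void retval_fast_unchecked(model_zval *src, model_zval **return_value_ptr) {
    src->refcount++;
    *return_value_ptr = src;
}

/* Guarded callee: share when a slot exists, otherwise copy into return_value.
 * Returns 1 if the value was shared, 0 if it was copied. */
static int retval_fast_guarded(model_zval *src, model_zval *return_value,
                               model_zval **return_value_ptr) {
    if (return_value_ptr != NULL) {
        src->refcount++;
        *return_value_ptr = src;
        return 1;
    }
    return_value->value = src->value;
    return_value->refcount = 1;
    return 0;
}

int main(void) {
    model_zval elem = { 42, 1 }, ret = { 0, 0 }, *slot = &ret;  /* constructed sample */
    int shared = retval_fast_guarded(&elem, &ret, slot_as_reported(0, &slot));
    printf("NULL slot, guarded callee: shared=%d value=%ld\n", shared, ret.value);
    retval_fast_unchecked(&elem, slot_always(0, &slot));  /* safe: slot is valid */
    printf("valid slot, unchecked callee: value=%ld refcount=%d\n", slot->value, slot->refcount);
    return 0;
}
```

Either side can close the gap in this model: the hook passes a valid slot regardless of the return-by-reference flag, or the callee tests the pointer before storing through it.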


 [2017-10-24 08:25 UTC] kalle@php.net
-Status: Open +Status: Suspended
 [2017-10-24 08:25 UTC] kalle@php.net
This package has not had a release for over 4 years, and the last bit of git activity was over 2 years ago, so I think it's safe to say this extension is no longer in active development. If development picks back up, then please re-open this report.
 