Bug #69068 Exchanging array during array_walk -> memory errors
Submitted: 2015-02-17 16:13 UTC
Modified: 2016-07-29 22:21 UTC
From: nikic@php.net
Assigned: nikic (profile)
Status: Closed
Package: Arrays related
PHP Version: Irrelevant
OS:
Private report: No
CVE-ID: None
 [2015-02-17 16:13 UTC] nikic@php.net
Description:
------------
<?php

$array = [1, 2, 3];
array_walk($array, function($value, $key) {
    $GLOBALS['array'] = [1, 2];
});

var_dump($array);

Valgrind:

nikic@saturn:~/php-src$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t016.php
==3768== Memcheck, a memory error detector
==3768== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3768== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==3768== Command: sapi/cli/php t016.php
==3768== 
==3768== Invalid read of size 4
==3768==    at 0x65B619: zend_hash_move_forward_ex (zend_hash.c:1731)
==3768==    by 0x528BB4: php_array_walk (array.c:1158)
==3768==    by 0x5292E5: zif_array_walk (array.c:1199)
==3768==    by 0x6936CB: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==3768==    by 0x692D40: execute_ex (zend_vm_execute.h:352)
==3768==    by 0x692E51: zend_execute (zend_vm_execute.h:381)
==3768==    by 0x646BFA: zend_execute_scripts (zend.c:1277)
==3768==    by 0x5C1AA2: php_execute_script (main.c:2549)
==3768==    by 0x6E8CCC: do_cli (php_cli.c:979)
==3768==    by 0x6E9D51: main (php_cli.c:1355)
==3768==  Address 0x5b0fa5c is 28 bytes inside a block of size 64 free'd
==3768==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3768==    by 0x618E5E: _efree (zend_alloc.c:2208)
==3768==    by 0x643A50: _zval_dtor_func_for_ptr (zend_variables.c:108)
==3768==    by 0x68D121: zend_assign_to_variable (zend_execute.h:88)
==3768==    by 0x6B1C75: ZEND_ASSIGN_DIM_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:13631)
==3768==    by 0x692D40: execute_ex (zend_vm_execute.h:352)
==3768==    by 0x630592: zend_call_function (zend_execute_API.c:845)
==3768==    by 0x5289E5: php_array_walk (array.c:1132)
==3768==    by 0x5292E5: zif_array_walk (array.c:1199)
==3768==    by 0x6936CB: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==3768==    by 0x692D40: execute_ex (zend_vm_execute.h:352)
==3768==    by 0x692E51: zend_execute (zend_vm_execute.h:381)

And so on.
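
The failure in the report above, reduced to a C model; this is an added example, not part of the original report and not php-src code. `arr_t`, `g_var`, `replace_cb` and `walk_pinned` are hypothetical names, and pinning the array with a reference count is one generic mitigation, not necessarily the fix applied in PHP.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted array; not Zend's HashTable. */
typedef struct { int refcount; size_t len; int *items; } arr_t;
arr_t *g_var; /* the variable the callback reassigns, like $GLOBALS['array'] */

arr_t *arr_new(const int *src, size_t len) {
    arr_t *a = malloc(sizeof *a);
    int *items = malloc(len * sizeof *items);
    if (!a || !items) abort();
    memcpy(items, src, len * sizeof *items);
    *a = (arr_t){1, len, items};
    return a;
}

void arr_release(arr_t *a) {
    if (--a->refcount == 0) { free(a->items); free(a); }
}

/* Callback that swaps in a new array and drops the old one, as in the report. */
void replace_cb(int value) {
    static const int two[] = {1, 2};
    arr_t *old = g_var;
    (void)value;
    g_var = arr_new(two, 2);
    arr_release(old);
}

/* Walks the array g_var held on entry. Without the two PIN lines the first
 * callback frees `a`, and the next a->len / a->items[i] read touches freed memory. */
size_t walk_pinned(void (*cb)(int)) {
    arr_t *a = g_var;
    size_t i;
    a->refcount++;                  /* PIN: walker's own reference */
    for (i = 0; i < a->len; i++) cb(a->items[i]);
    arr_release(a);                 /* PIN: drop it after the last read */
    return i;
}

int main(void) {
    static const int three[] = {1, 2, 3};
    g_var = arr_new(three, 3);
    size_t visited = walk_pinned(replace_cb);
    printf("visited=%zu final_len=%zu\n", visited, g_var->len);
    arr_release(g_var);
    return 0;
}
```

Built with `-fsanitize=address` or run under Valgrind, the pinned walker completes cleanly: it visits all three original elements while the variable ends up holding the two-element replacement.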


 [2016-07-29 22:21 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 
Last updated: Thu Nov 21 11:01:29 2024 UTC