[2016-01-07 14:58 UTC] laruence@php.net
Description:
------------
E_NOTICE may result in a symbol table resize, which will result in a segfault
Test script:
---------------
<?php
function test() {
    for ($n = 'a'; $n < 'g'; $n++) {
        $$n = array();
    }
    $$n = array();
    // Concatenating onto an array raises the "Array to string conversion" notice
    $$n .= "test";
    return $$n;
}
var_dump(test());
Expected result:
----------------
no segfault
Actual result:
--------------
segfault
valgrind:
PHP Notice: Array to string conversion in /tmp/1.php on line 15
Notice: Array to string conversion in /tmp/1.php on line 15
==12029== Invalid read of size 1
==12029== at 0x984238: _zval_dtor (zend_variables.h:41)
==12029== by 0x98CF70: concat_function (zend_operators.c:1611)
==12029== by 0xA137FD: zend_binary_assign_op_helper_SPEC_VAR_CONST (zend_vm_execute.h:16581)
==12029== by 0xA13B7D: ZEND_ASSIGN_CONCAT_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16739)
==12029== by 0x9F0BB4: execute_ex (zend_vm_execute.h:414)
==12029== by 0x9F0CC6: zend_execute (zend_vm_execute.h:458)
==12029== by 0x995C1E: zend_execute_scripts (zend.c:1427)
==12029== by 0x902F01: php_execute_script (main.c:2484)
==12029== by 0xA55028: do_cli (php_cli.c:974)
==12029== by 0xA561EC: main (php_cli.c:1345)
==12029== Address 0xb722de9 is 265 bytes inside a block of size 288 free'd
==12029== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12029== by 0x9624DE: _efree (zend_alloc.c:2453)
==12029== by 0x9A9251: zend_hash_do_resize (zend_hash.c:880)
==12029== by 0x9A81E9: _zend_hash_add_or_update_i (zend_hash.c:591)
==12029== by 0x9A85F0: _zend_hash_str_update_ind (zend_hash.c:662)
==12029== by 0x9807BF: zend_set_local_var_str (zend_execute_API.c:1653)
==12029== by 0x9004C7: php_error_cb (main.c:1203)
==12029== by 0x7547C5: soap_error_handler (soap.c:2139)
==12029== by 0x994CEB: zend_error (zend.c:1154)
==12029== by 0x986E11: _zval_get_string_func (zend_operators.c:834)
==12029== by 0x9934F2: zend_make_printable_zval (zend.c:249)
==12029== by 0x98CF45: concat_function (zend_operators.c:1605)
and also:

<?php
class evil {
    public function __toString() {
        global $array;
        $array[] = 1;
        $array[] = 1;
        $array[] = 1;
        $array[] = 1;
        return "okey";
    }
}
$array = range(0, 5);
$array[1] .= new evil;
var_dump($array[1]);

thanks
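
The valgrind trace in the report shows the shape of the bug: concat_function holds a pointer into the symbol table, the notice handler inserts into that same table, zend_hash_do_resize frees the old block, and the pointer is then read. The following C sketch is an added example, not part of the report and not Zend code; the `table` type and every function name in it are hypothetical, and it shows one way to avoid the stale pointer by resolving the operand only after the callback has run.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable table standing in for a symbol table (hypothetical, not Zend code). */
typedef struct { long *slots; size_t used, cap; } table;

static void table_add(table *t, long v) {
    if (t->used == t->cap) {          /* full: move the storage to a larger block */
        size_t ncap = t->cap ? t->cap * 2 : 8;
        long *n = malloc(ncap * sizeof *n);
        if (!n) abort();
        if (t->used) memcpy(n, t->slots, t->used * sizeof *n);
        free(t->slots);               /* pointers into the old block now dangle */
        t->slots = n;
        t->cap = ncap;
    }
    t->slots[t->used++] = v;
}

/* Stands in for the notice handler that stores a new entry in the same table. */
static void notice_cb(table *t) { table_add(t, -1); }

/* Returns 1 if an operand address taken before the callback is stale after it. */
static int stale_after_callback(table *t, size_t idx) {
    uintptr_t before = (uintptr_t)&t->slots[idx];
    notice_cb(t);
    return before != (uintptr_t)&t->slots[idx];
}

/* Safe form: take the operand by index and resolve it only after the callback. */
static long add_assign_safe(table *t, size_t idx, long rhs) {
    notice_cb(t);                     /* may move t->slots */
    long *op = &t->slots[idx];        /* resolved after the last possible resize */
    *op += rhs;
    return *op;
}

int main(void) {
    table t = {0};
    for (long i = 0; i < 8; i++) table_add(&t, i * 10);  /* constructed data: table exactly full */
    int stale = stale_after_callback(&t, 7);              /* ninth insert moves the block */
    long v = add_assign_safe(&t, 7, 5);
    free(t.slots);
    return (stale == 1 && v == 75) ? 0 : 1;
}
```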