Bug #71539 Memory error on $arr[$a] =& $arr[$b] if RHS rehashes
Submitted: 2016-02-06 15:55 UTC Modified: 2016-10-03 06:46 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: nikic@php.net Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.0.3 OS:
Private report: No CVE-ID: None
 [2016-02-06 15:55 UTC] nikic@php.net
Description:
------------
Reproduce code:

<?php
$array = [];              // starts as a packed array (integer keys only)
$array[0] =& $array[''];  // LHS slot is fetched first; the RHS string key then rehashes

The $array[''] is used to force a packed-to-hash conversion.

Output:

[Sat Feb  6 16:53:58 2016]  Script:  '/home/nikic/php-src/t203.php'
/home/nikic/php-src/Zend/zend_execute.c(577) :  Freeing 0x7FEE3D6010E0 (24 bytes), script=/home/nikic/php-src/t203.php
=== Total 1 memory leaks detected ===

First valgrind:

==30433== Invalid read of size 1
==30433==    at 0xB7EAAD: zval_get_type (zend_types.h:330)
==30433==    by 0xBB80A5: ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER (zend_vm_execute.h:19702)
==30433==    by 0xB88A6F: execute_ex (zend_vm_execute.h:422)
==30433==    by 0xB88C71: zend_execute (zend_vm_execute.h:466)
==30433==    by 0xB247EC: zend_execute_scripts (zend.c:1427)
==30433==    by 0xA630F9: php_execute_script (main.c:2484)
==30433==    by 0xC0783C: do_cli (php_cli.c:974)
==30433==    by 0xC08CD1: main (php_cli.c:1345)
==30433==  Address 0xf47b680 is 16 bytes inside a block of size 264 free'd
==30433==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30433==    by 0xAE4EAD: _efree (zend_alloc.c:2453)
==30433==    by 0xB379A8: zend_hash_packed_to_hash (zend_hash.c:220)
==30433==    by 0xB3915C: _zend_hash_add_or_update_i (zend_hash.c:566)
==30433==    by 0xB3951C: _zend_hash_add_new (zend_hash.c:640)
==30433==    by 0xB852E5: zend_fetch_dimension_address_inner (zend_execute.c:1466)
==30433==    by 0xB85AB4: zend_fetch_dimension_address (zend_execute.c:1681)
==30433==    by 0xB861AE: zend_fetch_dimension_address_W (zend_execute.c:1772)
==30433==    by 0xBDAB96: ZEND_FETCH_DIM_W_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:36832)
==30433==    by 0xB88A6F: execute_ex (zend_vm_execute.h:422)
==30433==    by 0xB88C71: zend_execute (zend_vm_execute.h:466)
==30433==    by 0xB247EC: zend_execute_scripts (zend.c:1427)

The cause is the opcode sequence:

@1 = FETCH_DIM_W $array 0
@2 = FETCH_DIM_W $array ""
ASSIGN_REF @1 @2

Where the second FETCH_DIM_W will reallocate the backing array while @1 still holds a pointer into it.
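The following is an added example that is not code from php-src or from the bug report. It models, in plain C, the hazard described in this comment: a "fetch for write" hands back a raw pointer into an array's backing store, a second fetch reallocates that store (the packed-to-hash conversion), and the first pointer is then dangling when the reference assignment runs. The helper names (arr_t, fetch_w, packed_to_hash, is_stale) are invented for this model and only mimic the shape of the Zend functions in the valgrind trace; they are not their real signatures. The "RHS first" ordering shown at the end is one generic remedy assumed for the model, not the project's actual fix, which the thread says required a new VM instruction.

```c
/* Added example, not code from php-src or the bug report. Invented helpers
 * (arr_t, fetch_w, packed_to_hash, is_stale) model the shape of the Zend
 * calls in the valgrind trace; they are not the real functions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { long val; int is_ref; } slot_t;

typedef struct {
    slot_t *data;      /* backing store, like a HashTable's bucket array */
    size_t  len, cap;
    int     is_hash;   /* 0 = packed (integer keys only), 1 = converted to hash */
} arr_t;

static void arr_init(arr_t *a)
{
    a->cap = 8;        /* large enough that no growth-driven resize happens here */
    a->len = 0;
    a->is_hash = 0;
    a->data = calloc(a->cap, sizeof *a->data);
}

static void arr_free(arr_t *a) { free(a->data); a->data = NULL; }

/* Models zend_hash_packed_to_hash: a new store is allocated and the old one
 * freed, so every pointer previously returned by fetch_w now points into
 * freed memory. */
static void packed_to_hash(arr_t *a)
{
    slot_t *fresh = calloc(a->cap, sizeof *fresh);
    memcpy(fresh, a->data, a->len * sizeof *fresh);
    free(a->data);
    a->data = fresh;
    a->is_hash = 1;
}

/* Models FETCH_DIM_W: returns a writable pointer to a slot, creating it on
 * demand. A string key (string_key != 0) forces the packed-to-hash
 * conversion, which is what $array[''] does in the report. Assumes idx < cap. */
static slot_t *fetch_w(arr_t *a, size_t idx, int string_key)
{
    if (string_key && !a->is_hash) packed_to_hash(a);
    if (idx >= a->len) a->len = idx + 1;
    return &a->data[idx];
}

/* True when the recorded address no longer lies inside the live store. The
 * address is kept as an integer so the stale pointer is never used as one. */
static int is_stale(const arr_t *a, uintptr_t p)
{
    uintptr_t lo = (uintptr_t)a->data;
    uintptr_t hi = lo + a->cap * sizeof *a->data;
    return !(p >= lo && p < hi);
}

/* The opcode order from the report: @1 fetched first, then @2 rehashes, then
 * ASSIGN_REF uses @1. Returns 1 if @1 is dangling at that point. */
int lhs_first_sequence_is_stale(void)
{
    arr_t a; arr_init(&a);
    uintptr_t op1 = (uintptr_t)fetch_w(&a, 0, 0);  /* @1 = FETCH_DIM_W $array 0  */
    slot_t *op2   = fetch_w(&a, 1, 1);             /* @2 = FETCH_DIM_W $array "" */
    op2->is_ref = 1;                               /* @2 itself is valid */
    int stale = is_stale(&a, op1);                 /* ASSIGN_REF @1 @2 would write here */
    arr_free(&a);
    return stale;
}

/* One generic remedy (an assumption for this model, not the project's fix):
 * resolve the operand that may rehash first and fetch the LHS last, so no
 * later operation can invalidate the pointer the assignment writes through. */
int rhs_first_sequence_is_stale(void)
{
    arr_t a; arr_init(&a);
    slot_t *op2   = fetch_w(&a, 1, 1);             /* RHS first: the rehash happens now */
    uintptr_t op1 = (uintptr_t)fetch_w(&a, 0, 0);  /* LHS fetched from the new store */
    op2->is_ref = 1;
    int stale = is_stale(&a, op1);
    arr_free(&a);
    return stale;
}
```

The model deliberately never dereferences the stale pointer; it only checks whether the address recorded from the first fetch still falls inside the current backing store. Any insert that can reallocate (the title's "if RHS rehashes" covers growth as well as the packed-to-hash case) has the same effect, which is why a pointer obtained before such an operation must be treated as invalid afterwards.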




Patches

bug71539.diff (last revision 2016-07-06 20:13 UTC by dmitry@php.net)

Pull Requests

History

 [2016-05-13 09:02 UTC] dmitry@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2016-07-06 10:07 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467799650
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467799650
 [2016-07-06 14:33 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467815599
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467815599
 [2016-07-06 19:05 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467831947
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467831947
 [2016-07-06 20:13 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467835982
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467835982
 [2016-07-06 22:00 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbca255cd001e377202437d8fabded0192107d84
Log: Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes)
 [2016-07-06 22:00 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbca255cd001e377202437d8fabded0192107d84
Log: Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes)
 [2016-09-30 11:13 UTC] cmb@php.net
-Status: Closed +Status: Re-Opened
 [2016-09-30 11:13 UTC] cmb@php.net
Is there any particular reason why this hasn't been fixed for PHP-7.0?
 [2016-10-03 06:46 UTC] dmitry@php.net
-Status: Re-Opened +Status: Closed
 [2016-10-03 06:46 UTC] dmitry@php.net
The fix relies on a new VM instruction, and new instructions are not allowed in minor releases.
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbca255cd001e377202437d8fabded0192107d84
Log: Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC