|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2002-04-11 17:34 UTC] dcowgill at mail dot communityconnect dot com
It's possible to create a reference to a string offset (which is supposed to be illegal) by returning it from a function:
<?php
function &f() {
$x = "x";
return $x{0};
}
$y =& f();
?>
The above code triggers a segfault (tested with versions 4.0.6 and 4.1.0).
Here is the backtrace:
(gdb) bt
#0 0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
#1 0x080dbf00 in execute (op_array=0x813c8bc) at ./zend_execute.c:1703
#2 0x080bf4c4 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at zend.c:814
#3 0x0805bab5 in php_execute_script (primary_file=0xbffff8e0) at main.c:1309
#4 0x08059698 in main (argc=1, argv=0xbffff984) at cgi_main.c:738
#5 0x400d3507 in __libc_start_main (main=0x8058ea8 <main>, argc=1,
ubp_av=0xbffff984, init=0x8057d2c <_init>, fini=0x80e1290 <_fini>,
rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffff97c)
at ../sysdeps/generic/libc-start.c:129
(gdb) frame 0
#0 0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
1751 SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Dec 05 17:00:01 2025 UTC |
Note: you do not have to do reference-assignment ("= &") to trigger the segfault; the following reproduces the crash as well: <?php function &f() { $x = "x"; return $x{0}; } $y = f(); ?>