Bug #25547 error_handler and array index with function call
Submitted: 2003-09-15 13:37 UTC Modified: 2004-03-31 18:18 UTC
Votes:18
Avg. Score:3.8 ± 1.0
Reproduced:16 of 16 (100.0%)
Same Version:7 (43.8%)
Same OS:7 (43.8%)
From: cschneid at cschneid dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS OS: *
Private report: No CVE-ID:
 [2003-09-15 13:37 UTC] cschneid at cschneid dot com
Description:
------------
Error handler seems to destroy array indices if called due
to an undefined array index generated by a function.

Reproduce code:
---------------
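<?php
// The handler only assigns a string to a local variable.
function handler($errno, $errstr, $errfile, $errline)
{
        $test = "aaa";
}

set_error_handler('handler');

// $output is not defined yet, so the increment raises a notice and
// the handler runs while the index from trim() is still in use.
$output[trim("bbbbbbb")]++;
print_r($output);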


Expected result:
----------------
Array
(
    [bbbbbbb] => 1
)


Actual result:
--------------
Array
(
    [aaa] => 1
)


 [2003-10-15 08:19 UTC] cschneid at cschneid dot com
The problem seems to be that dim->value is overwritten; copying the value solves this. I don't have enough insight into Zend to know if this is a memory leak and the values should be freed at some point or if this is ok.

Hope this helps:

diff -u -u -r1.316.2.21 zend_execute.c
--- Zend/zend_execute.c 30 Jul 2003 16:33:54 -0000      1.316.2.21
+++ Zend/zend_execute.c 15 Oct 2003 12:17:10 -0000
@@ -626,7 +626,7 @@
                        offset_key_length = 0;
                        goto fetch_string_dim;
                case IS_STRING:
-                       offset_key = dim->value.str.val;
+                       offset_key = estrndup(dim->value.str.val, dim->value.str.len);
                        offset_key_length = dim->value.str.len;

 fetch_string_dim:
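Review bot: the duplicate created at `offset_key = estrndup(dim->value.str.val, dim->value.str.len);` in the IS_STRING case has no matching efree() anywhere in this hunk, so each string-key fetch would leak the copy. A plain efree() after `fetch_string_dim:` is not enough either, because the preceding case also reaches that label through `goto fetch_string_dim` and nothing visible shows it allocating its key; the release needs a flag set only in the IS_STRING branch, or the change should keep dim alive until the key has been used instead of duplicating it.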
 [2003-10-16 04:09 UTC] helly@php.net
You now have a memory leak. I tried something similar too. But we decided to look for a better solution where we don't gc the variable we still need.
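A simplified model of the failure discussed in the two comments above, added here as an example; it is not part of the thread and not Zend code. The names `temp_slot`, `handler`, `insert_key`, `fetch_dim_borrowed` and `fetch_dim_copied` are hypothetical, and the single reusable slot is an assumption standing in for the temporary that holds the result of `trim()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not Zend code: one reusable slot stands in for the
 * temporary that holds the result of trim("bbbbbbb"). */
static char temp_slot[16];
static char stored_key[16];   /* key the "array" ends up with */

/* Constructed stand-in for the user error handler: its local string
 * lands in the slot the engine has already released. */
static void handler(void) { strcpy(temp_slot, "aaa"); }

static void insert_key(const char *key, size_t len) {
    if (len >= sizeof stored_key) len = sizeof stored_key - 1;
    memcpy(stored_key, key, len);
    stored_key[len] = '\0';
}

/* Buggy order: keep a pointer into the temporary, raise the notice
 * (which runs the handler), then insert through the stale pointer. */
const char *fetch_dim_borrowed(const char *index) {
    snprintf(temp_slot, sizeof temp_slot, "%s", index);
    const char *offset_key = temp_slot;
    size_t len = strlen(temp_slot);
    handler();                      /* undefined-index notice */
    insert_key(offset_key, len);
    return stored_key;
}

/* Copy approach from the 2003-10-15 comment, with the copy released
 * after the insert so it does not leak. */
const char *fetch_dim_copied(const char *index) {
    snprintf(temp_slot, sizeof temp_slot, "%s", index);
    size_t len = strlen(temp_slot);
    char *offset_key = malloc(len + 1);
    if (offset_key == NULL) return NULL;
    memcpy(offset_key, temp_slot, len + 1);
    handler();
    insert_key(offset_key, len);
    free(offset_key);
    return stored_key;
}

int main(void) {
    printf("borrowed: %s\n", fetch_dim_borrowed("bbbbbbb"));
    printf("copied:   %s\n", fetch_dim_copied("bbbbbbb"));
    return 0;
}
```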
 [2003-12-31 03:17 UTC] dmitry@php.net
The bug is fixed in PHP5 CVS (zend.c,v 1.260).
 [2004-01-04 17:49 UTC] cschneid at cschneid dot com
Problem still exists in PHP4 branch
 [2004-01-04 17:53 UTC] cschneid at cschneid dot com
A workaround patch (without memory leak ;-)) can be found at http://cschneid.com/php/php4/bug25547.patch
 [2004-01-04 22:45 UTC] cvianna at stech dot net dot br
The patch applied perfectly, and the make test didn't find any error after this.

Although, my problem ([Mon Jan  5 01:48:52 2004] [notice] child pid 3965 exit signal Segmentation fault (11)
) every time I access a PHP page, persists. Not associated :) Back to google.
 [2004-01-11 02:59 UTC] jclift at digitaldistribution dot com
That patch fixed my 4.3.4 release tarball, running on Sun's JDS, compiled in CLI mode.

Looks like we'll be waiting for the 4.3.5 release now.

;-)

Regards and best wishes,

Justin Clift
 [2004-01-16 22:50 UTC] jclift at digitaldistribution dot com
Just experienced this when doing a "make test" with PHP 4.3.5RC1, on a newly installed Sun Java Desktop System (a stripped down version of SuSE Linux).
 [2004-02-15 18:41 UTC] bart at atsence dot nl
I am afraid the patch did not have the desired effect for me. I am still faced with the error (when making a make test) after compiling php with sablotron, see below.

I patched the php-4.3.4 tarball with:

patch -p1 < bug25547.patch

Result is an error

File to patch: php-4.3.4.tar.gz
patching file php-4.3.4.tar.gz
Hunk #1 FAILED at 638.
1 out of 1 hunk FAILED -- saving rejects to file php-4.3.4.tar.gz.rej


FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #25547 (error_handler and array index with function call) [tests/lang/bug25547.phpt]
xslt_set_object function [ext/xslt/tests/xslt_set_object.phpt]


Ideas anyone?
 [2004-03-09 09:09 UTC] sm at netxcalibur dot com
This bug is still present in 4.3.4 and 4.3.5RC4 (aka php4-STABLE-200403091230), on both Linux Slackware 9.0 and 9.1. If patched as described, the bug disappears from both Linux/php versions.
 [2004-03-31 18:18 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 