PHP :: Bug #25547 :: error_handler and array index with function call

Bug #25547

error_handler and array index with function call

Submitted:

2003-09-15 13:37 UTC

Modified:

2004-03-31 18:18 UTC

Votes:	18
Avg. Score:	3.8 ± 1.0
Reproduced:	16 of 16 (100.0%)
Same Version:	7 (43.8%)
Same OS:	7 (43.8%)

From:

cschneid at cschneid dot com

Assigned:

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

4CVS

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2003-09-15 13:37 UTC] cschneid at cschneid dot com

Description:
------------
Error handler seems to destroy array indices if called due
to a undefined array index generated by a function.

Reproduce code:
---------------
function handler($errno, $errstr, $errfile, $errline)
{
        $test = "aaa";
}

set_error_handler('handler');

$output[trim("bbbbbbb")]++;
print_r($output);


Expected result:
----------------
Array
(
    [bbbbbbb] => 1
)


Actual result:
--------------
Array
(
    [aaa] => 1
)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-10-15 08:19 UTC] cschneid at cschneid dot com

The problem seems to be that dim->value is overwritten, copying the value solves this. I don't have enough insight in Zend to know if this is a memory leak and the values should be freed at some point or if this is ok.

Hope this helps:

diff -u -u -r1.316.2.21 zend_execute.c
--- Zend/zend_execute.c 30 Jul 2003 16:33:54 -0000      1.316.2.21
+++ Zend/zend_execute.c 15 Oct 2003 12:17:10 -0000
@@ -626,7 +626,7 @@
                        offset_key_length = 0;
                        goto fetch_string_dim;
                case IS_STRING:
-                       offset_key = dim->value.str.val;
+                       offset_key = estrndup(dim->value.str.val, dim->value.str.len);
                        offset_key_length = dim->value.str.len;

 fetch_string_dim:

[2003-10-16 04:09 UTC] helly@php.net

You now have a memory leak. I tried something similar too. But we decided to look for a better solution where we don't gc the variable we still need.

[2003-12-31 03:17 UTC] dmitry@php.net

The bug is fixed in PHP5 CVS (zend.c,v 1.260).

[2004-01-04 17:49 UTC] cschneid at cschneid dot com

Problem still exists in PHP4 branch

[2004-01-04 17:53 UTC] cschneid at cschneid dot com

A workaround patch (without memory leak ;-)) can be found at http://cschneid.com/php/php4/bug25547.patch

[2004-01-04 22:45 UTC] cvianna at stech dot net dot br

The patch applied perfectly, and the make test didnt find any error after this.

Altough, my problem ([Mon Jan  5 01:48:52 2004] [notice] child pid 3965 exit signal Segmentation fault (11)
) every time I access an php page, persists. Not associated :) Back to google.

[2004-01-11 02:59 UTC] jclift at digitaldistribution dot com

That patch fixed my 4.3.4 release tarball, running on Sun's JDS, compiled in CLI mode.

Look like we'll be waiting for the 4.3.5 release now.

;-)

Regards and best wishes,

Justin Clift

[2004-01-16 22:50 UTC] jclift at digitaldistribution dot com

Just experienced this when doing a "make test" with PHP 4.3.5RC1, on a newly installed Sun Java Desktop System (a stripped down version of SuSE Linux).

[2004-02-15 18:41 UTC] bart at atsence dot nl

I am afraid the patch did not have the desired effect for me. I am still faced with the error (when making a make test) after compiling php with sablotron, see below.

I patched the php-4.3.4 tarball with:

patch -p1 < bug25547.patch

Result is an error

File to patch: php-4.3.4.tar.gz
patching file php-4.3.4.tar.gz
Hunk #1 FAILED at 638.
1 out of 1 hunk FAILED -- saving rejects to file php-4.3.4.tar.gz.rej


FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #25547 (error_handler and array index with function call) [tests/lang/bug25547.phpt]
xslt_set_object function [ext/xslt/tests/xslt_set_object.phpt]


Ideas anyone?

[2004-03-09 09:09 UTC] sm at netxcalibur dot com

This bug is still present in 4.3.4 and 4.3.5RC4 (aka php4-STABLE-200403091230), on both Linux Slackware 9.0 and 9.1. If patched as described, the bug disappears from both Linux/php versions.

[2004-03-31 18:18 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 16:01:27 2024 UTC