PHP :: Bug #25856 :: Segfault when copying uninitialized variable into array sub-index

Bug #25856	Segfault when copying uninitialized variable into array sub-index
Submitted:	2003-10-13 15:47 UTC	Modified:	2003-10-13 19:18 UTC
From:	cluby at omniture dot com	Assigned:
Status:	Wont fix	Package:	Scripting Engine problem
PHP Version:	4CVS-2003-10-13 (stable)	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	cluby at omniture dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2003-10-13 15:47 UTC] cluby at omniture dot com

Description:
------------
The following snippet will cause a segfault in the CGI binary 4.3.1 and up including the latest snapshot using the default configure.  It seemed to work fine in 4.1.2.  When testing with the latest snapshot no changes were made to php.ini:

<?
$data = array();
for ($i = 0;$i < 70000;$i++) {
    $data[$i][1] = $x; // $x is undefined
}
?>

It segfaults when $i = 65533.  It seems to be tied to the fact that it is copying the value of an uninitialized variable into a sub-index of an array.  If you change the copy line to this:

    $y = 'foo';
    ...
    $data[$i][1] = $y;

or this:

    $data[$i] = $x;

It will not segfault.

Reproduce code:
---------------
<?
$data = array();
for ($i = 0;$i < 70000;$i++) {
    $data[$i][1] = $x; // $x is undefined
}
?>

Expected result:
----------------
Not segfault.  Possibly fill sub-index 1 with "undefines" or not modify the array at all because there is nothing to copy.

Actual result:
--------------
Segfault when $i = 65533

GDB backtrace on CGI binary and core file:

#0  0x0810e2bd in zend_hash_index_find (ht=0x0, h=1, pData=0x0) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_hash.c:962
#1  0x08117f61 in zend_fetch_dimension_address_inner (ht=0x910dbc4, op2=0x8191c78, Ts=0xbfffd3f0, type=1) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_execute.c:665
#2  0x08112b41 in zend_fetch_dimension_address (result=0x8191c58, op1=0x815f024, op2=0x8191c78, Ts=0xbfffd3f0, type=1) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_execute.c:787
#3  0x08116c01 in execute (op_array=0x818d7f4) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_execute.c:1287
#4  0x0810a313 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php4-STABLE-200310131730/Zend/zend.c:885
#5  0x080e9097 in php_execute_script (primary_file=0xbffff9b0) at /usr/local/src/php4-STABLE-200310131730/main/main.c:1729
#6  0x081192da in main (argc=2, argv=0xbffffa34) at /usr/local/src/php4-STABLE-200310131730/sapi/cgi/cgi_main.c:1578
#7  0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-10-13 19:17 UTC] moriyoshi@php.net

Duplicate of bug #23132.
Will be fixed in ZE2 (php5).

[2003-10-13 19:18 UTC] sniper@php.net

This happens only without --enable-debug.
This does not happen with PHP 5.0.0b2-dev.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 26 13:01:28 2024 UTC