Bug #26281 switch on string offset crashes w/bus error
Submitted: 2003-11-16 23:06 UTC
Modified: 2003-11-29 12:30 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: tater at potatoe dot com
Assigned: iliaa
Status: Closed
Package: Strings related
PHP Version: 5CVS-2003-11-29 (dev)
OS: *
Private report: No
CVE-ID: None

 

 [2003-11-16 23:06 UTC] tater at potatoe dot com
Description:
------------
A switch() statement testing a string offset, like
'switch($string{0})', crashes after executing the
matching case or default block. This only happens
if there is at least one case. Workarounds: assign
offset to another variable first, or put it in
quotes like "{$string{0}}".

This breaks a lot of PEAR code, btw.

Reproduce code:
---------------
<?php
$x = 'abc';
switch ($x{0}) { default: print "default - works\n"; }
switch ($x{0}) { case 'a': print "case 'a' - bus error\n"; }
print "done\n";

Expected result:
----------------
default - works
case 'a' - bus error
done

Actual result:
--------------
default - works
case 'a' - bus error
Bus error
--------------------
backtrace:
(gdb) run bug.php
Starting program: /usr/local/book/php/bin/php bug.php
[Switching to process 5410 thread 0xb03]
Reading symbols for shared libraries . done
Reading symbols for shared libraries ............ done
default - works
case 'a' - bus error

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x00229f8c in _zval_dtor (zvalue=0xbb4c10, __zend_filename=0x2c2a24 "/Users/tater/book/php-src/Zend/zend_execute.c", __zend_lineno=203) at /Users/tater/book/php-src/Zend/zend_variables.c:44
44                              CHECK_ZVAL_STRING_REL(zvalue);
(gdb)

 [2003-11-18 19:39 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2003-11-29 02:31 UTC] sniper@php.net
This still crashes, here's the backtrace:

[Switching to Thread 16384 (LWP 12818)]
0x0831ac74 in _zval_ptr_dtor (zval_ptr=0xbfffd680, 
    __zend_filename=0x8571ae0 "/usr/src/web/php/php5/Zend/zend_execute.c", __zend_lineno=197)
    at /usr/src/web/php/php5/Zend/zend_execute_API.c:352
352             (*zval_ptr)->refcount--;
(gdb) bt
#0  0x0831ac74 in _zval_ptr_dtor (zval_ptr=0xbfffd680, 
    __zend_filename=0x8571ae0 "/usr/src/web/php/php5/Zend/zend_execute.c", __zend_lineno=197)
    at /usr/src/web/php/php5/Zend/zend_execute_API.c:352
#1  0x083514f7 in zend_switch_free (opline=0x40e48e80, Ts=0xbfffd610) at /usr/src/web/php/php5/Zend/zend_execute.c:197
#2  0x0834d76a in zend_switch_free_handler (execute_data=0xbfffd7a0, op_array=0x40e488b4)
    at /usr/src/web/php/php5/Zend/zend_execute.c:3070
#3  0x083481e9 in execute (op_array=0x40e488b4) at /usr/src/web/php/php5/Zend/zend_execute.c:1269
#4  0x08326c78 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1016
#5  0x082e585b in php_execute_script (primary_file=0xbffffba0) at /usr/src/web/php/php5/main/main.c:1625
#6  0x083602e3 in main (argc=2, argv=0xbffffc34) at /usr/src/web/php/php5/sapi/cli/php_cli.c:910

 [2003-11-29 02:32 UTC] sniper@php.net
Crashes only in HEAD. The PHP_4_3 branch works fine.

 [2003-11-29 12:30 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 