Bug #26696 Using string index in a switch() crashes with multiple matches
Submitted: 2003-12-22 14:33 UTC
Modified: 2004-01-19 19:20 UTC
Avg. Score: 5.0 ± 0.0
Reproduced: 7 of 7 (100.0%)
Same Version: 7 (100.0%)
Same OS: 6 (85.7%)
From: saruman at northernhacking dot org
Assigned:
Status: Closed
Package: Scripting Engine problem
PHP Version: 5CVS-2004-01-02
OS: *
Private report: No
CVE-ID: None
 [2003-12-22 14:33 UTC] saruman at northernhacking dot org
The ONLY change I'd done is install php-5.0.0b3 with the same config as the php-5.0.0b2 it replaced.

Config vars:

Configure Command  './configure' '--with-pear' '--with-pgsql' '--with-apxs=/usr/local/apache/bin/apxs' '--enable-mbstring' '--prefix=/usr/local/php5' '--with-libxml-dir=/usr'

Using this with php-5.0.0b2 works as expected. This behavior of a string is required by DB.php in PEAR, amongst others.

Reproduce code:

//$str = Array('a', 's', 'd', 'd', '/', '?');
$str = 'asdd/?';
$len = strlen($str);
for ($i = 0; $i < $len; $i++) {
	switch ($str[$i]) {
		case '?':
			echo '?';
			// the remaining lines of the switch body are missing from this page
	}
}

Did not crash.

Expected result:
?Did not crash.

Actual result:
From error_log:
[Mon Dec 22 14:15:38 2003] [notice] child pid 30170 exit signal Segmentation fault (11)
[Mon Dec 22 14:15:38 2003] [notice] child pid 30187 exit signal Segmentation fault (11)

The two responses are because MSIE seems to do a second query when the first one unexpectedly closes.


 [2003-12-22 14:51 UTC] saruman at northernhacking dot org
case '?': is the culprit.
 [2003-12-22 17:00 UTC]
Maybe related to bug #17997
 [2003-12-22 17:22 UTC] saruman at northernhacking dot org
This bug is very similar to #26281, in fact, it's probably the same.
 [2004-01-02 10:43 UTC]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 20298)]
0x08357f99 in zend_pzval_unlock_func (z=0x1) at /usr/src/web/php/php5/Zend/zend_execute.c:64
64              z->refcount--;
(gdb) bt
#0  0x08357f99 in zend_pzval_unlock_func (z=0x1) at /usr/src/web/php/php5/Zend/zend_execute.c:64
#1  0x08358499 in zend_switch_free (opline=0x40e491f8, Ts=0xbfffd640) at /usr/src/web/php/php5/Zend/zend_execute.c:198
#2  0x083545d6 in zend_switch_free_handler (execute_data=0xbfffd7a0, op_array=0x40e48704)
    at /usr/src/web/php/php5/Zend/zend_execute.c:3072
#3  0x0834efd8 in execute (op_array=0x40e48704) at /usr/src/web/php/php5/Zend/zend_execute.c:1260
#4  0x0832d924 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1050
#5  0x082eac2c in php_execute_script (primary_file=0xbffffba0) at /usr/src/web/php/php5/main/main.c:1642
#6  0x08367237 in main (argc=2, argv=0xbffffc34) at /usr/src/web/php/php5/sapi/cli/php_cli.c:924

 [2004-01-07 21:36 UTC]
See also bug #26801
 [2004-01-18 23:06 UTC]
Confirmed in recent cvs. It only happens with a default: block before which there is an applicable case ending in a break; statement.

$line = '*';
switch ($line{0}) { // crashes also with $line[0]
 case '*';
  echo '* RAN!';
  break;
 default:
  echo 'Default RAN!';
}

This results in '* RAN!Segmentation Fault'. :(

BTW, I discovered this bug because it breaks Wakka.
 [2004-01-19 19:20 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
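
A regression harness for the trigger described in this report (a switch on a string offset where a matching case ends in break; and a default: block follows), as an added example that is not part of the original report or of PHP's own test suite. The snippets and case names are constructed; it assumes PHP 7.4 or later, run from the CLI with proc_open available.

```php
<?php
// Added example, not part of the bug report. Each snippet runs in a child
// interpreter, so an engine crash is recorded as a failure, not a dead harness.
// Constructed cases: name => [code for `php -r`, expected stdout].
$cases = [
    'matching case + break, then default' => [
        '$line = "*"; switch ($line[0]) { case "*": echo "* RAN!"; break;'
        . ' default: echo "Default RAN!"; }',
        '* RAN!',
    ],
    'string offset in a loop, one match' => [
        '$s = "asdd/?"; for ($i = 0; $i < strlen($s); $i++) {'
        . ' switch ($s[$i]) { case "?": echo "?"; break; default: break; } }'
        . ' echo "Did not crash.";',
        '?Did not crash.',
    ],
    'string offset in a loop, several matches' => [
        '$s = "?a?"; for ($i = 0; $i < strlen($s); $i++) {'
        . ' switch ($s[$i]) { case "?": echo "?"; break; default: echo "."; } }',
        '?.?',
    ],
];

// Run one snippet in a child PHP process; report output, exit code and signal.
function run_case(string $code): array
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([PHP_BINARY, '-n', '-r', $code], $spec, $pipes);
    if (!is_resource($proc)) { throw new RuntimeException('cannot start ' . PHP_BINARY); }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    // Wait for the child to exit; the first non-running status carries the exit data.
    while (($st = proc_get_status($proc))['running']) {
        usleep(1000);
    }
    proc_close($proc);
    return ['out' => $out, 'exit' => $st['exitcode'], 'signal' => $st['signaled'] ? $st['termsig'] : 0];
}

$failed = 0;
foreach ($cases as $name => [$code, $expected]) {
    $r = run_case($code);
    $ok = $r['signal'] === 0 && $r['exit'] === 0 && $r['out'] === $expected;
    $failed += $ok ? 0 : 1;
    printf("%-4s %s (exit=%d signal=%d)\n", $ok ? 'ok' : 'FAIL', $name, $r['exit'], $r['signal']);
}
exit($failed === 0 ? 0 : 1);
```

On an interpreter with this crash, the affected case would be reported as FAIL with signal=11, matching the "exit signal Segmentation fault (11)" lines in the error_log above.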
