php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27028 Echoing string while assigning math value
Submitted: 2004-01-23 18:24 UTC Modified: 2004-02-05 21:27 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: php at trancer dot nl Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.5RC2 OS: Linux Win32
Private report: No CVE-ID: None
 [2004-01-23 18:24 UTC] php at trancer dot nl
Description:
------------
The following script causes various PHP versions to segfault: <?php $string = 'abc'; echo $string{1} = 3+3 ?>

The following doesnt crash: <?php $string = 'abc'; echo $string{1} = 3 ?>

Anything with math will make it crash (* / + - ^ etc.) just using = 3 wont make it crash. May be noted that using the php -r way it wont core.. seems to work only being put in a file.

Results of the code on debian SID (yes, 4.3.3 but read on)are below.

---

hybrid:~# php < bla.php 
6Segmentation fault

hybrid:~# php -r "$string = 'abc'; echo $string{1} = 3+3"

Parse error: parse error in Command line code on line 1

---

(Tried) reproduced on:

WinXP + Apache 1.3.29 + PHP 4.3.4 crashed.
WinXP + PHP 4.2.3 does NOT crash

Fedora Red Hat Linux 3.3.2-1 + Apache2 + PHP 4.3.4: NOT crashed

FreeBSD 4.2: doesnt crash (4.1.2)
FreeBSD 4.5: didnt print anything (not even 6)
FreeBSD 4.6: doesnt crash 
FreeBSD 4.7: didnt print anything (not even 6) 
FreeBSD 4.8: didnt print anything (not even 6) (4.3.1)
FreeBSD 4.9-RELEASE: crash (4.3.3)

Slackware current + PHP 4.3.4: crash
Redhat 7.3 + PHP 4.3.4: prints nothing
PLD Linux: NOT crashing

Thats about all stats I could collect. Had no machines with 4.3.5RC1 around to test it.

Regards,

Reproduce code:
---------------
<?php $string = 'abc'; echo $string{1} = 3+3 ?>

Expected result:
----------------
Ehm 6, well something else in fact. Was just toying around with string incrementing etc. Wasnt going to work obviously (needed chr/ord) original code was 'c' - 32 instead of 3+3.

Actual result:
--------------
6Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-01-25 18:15 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Appears to be fixed (does not crash) in latest CVS. 
 [2004-02-05 13:47 UTC] php at trancer dot nl
Reopening

Still crashes in PHP 4.3.5RC2 on Win32, both in CLI and in Apache. 

Noticed some WEIRD behaviour in Apache handling though. First time the script runs all right, it produces 6. Second time Apache will crash. CLI crashes directly.
 [2004-02-05 13:48 UTC] php at trancer dot nl
and putting it effectively on open.
 [2004-02-05 21:27 UTC] iliaa@php.net
Cannot replicate with latest CVS with either CLI or Apache 
on Linux. 
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Oct 25 08:00:01 2025 UTC