php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28086 overload() segfaults
Submitted: 2004-04-21 09:34 UTC Modified: 2005-01-21 01:32 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: tony2001 at phpclub dot net Assigned: andi
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS-2005-01-18 OS: *
Private report: No CVE-ID:
 [2004-04-21 09:34 UTC] tony2001 at phpclub dot net
Description:
------------
Segfault in overload extension.
Backtrace:
----
0x4037bb1d in fetch_overloaded_element (result=0x8146c4c, op1=0x8146c5c, op2=0x8146c6c, Ts=0xbfffbe9c, type=1,
    retval=0xbfffbf60, overloaded_element_type=1) at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:735
735             overloaded_element.element = *get_zval_ptr(op2, Ts, &EG(free_op2), type);
(gdb) bt
#0  0x4037bb1d in fetch_overloaded_element (result=0x8146c4c, op1=0x8146c5c, op2=0x8146c6c, Ts=0xbfffbe9c, type=1,
    retval=0xbfffbf60, overloaded_element_type=1) at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:735
#1  0x4037bc98 in zend_fetch_dimension_address (result=0x8146c4c, op1=0x8146c5c, op2=0x8146c6c, Ts=0xbfffbe9c, type=1)
    at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:758
#2  0x4037e052 in execute (op_array=0x813ab5c) at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend_execute.c:1301
#3  0x4036c520 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/tony/CVS/php_src_PHP_4_3_debug/Zend/zend.c:886
#4  0x4033162e in php_execute_script (primary_file=0xbffff310) at /home/tony/CVS/php_src_PHP_4_3_debug/main/main.c:1731
#5  0x4038527a in apache_php_module_main (r=0x81309f4, display_source_mode=0)
    at /home/tony/CVS/php_src_PHP_4_3_debug/sapi/apache/sapi_apache.c:54
#6  0x40386309 in send_php (r=0x81309f4, display_source_mode=0, filename=0x8130f5c "/www/index.php")
    at /home/tony/CVS/php_src_PHP_4_3_debug/sapi/apache/mod_php4.c:620
#7  0x4038639a in send_parsed_php (r=0x81309f4) at /home/tony/CVS/php_src_PHP_4_3_debug/sapi/apache/mod_php4.c:635
#8  0x08074542 in ap_invoke_handler ()
#9  0x0808a56a in process_request_internal ()
#10 0x0808a9d4 in ap_internal_redirect ()
#11 0x0806024a in handle_dir ()
#12 0x08074542 in ap_invoke_handler ()
#13 0x0808a56a in process_request_internal ()
#14 0x0808a5c7 in ap_process_request ()
#15 0x08080f80 in child_main ()
#16 0x08081132 in make_child ()
#17 0x080812b1 in startup_children ()
#18 0x0808199b in standalone_main ()
#19 0x08082235 in main ()
#20 0x4010eaf7 in __libc_start_main () from /lib/i686/libc.so.6



Reproduce code:
---------------
<?

class Foo { 

    var $arr; 
    var $bar; 

    function __set($prop_name, $prop_value) 
    { 
        $this->bar[$prop_name] = $prop_value; 
    } 
} 

overload('Foo'); 

$foo = new Foo; 

$foo->blabla[] = '123'; 

?>



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-01-08 23:06 UTC] tony2001@php.net
Patch:

Index: zend_execute.c
===================================================================
RCS file: /repository/Zend/Attic/zend_execute.c,v
retrieving revision 1.316.2.43
diff -u -r1.316.2.43 zend_execute.c
--- zend_execute.c      21 Dec 2004 10:37:49 -0000      1.316.2.43
+++ zend_execute.c      8 Jan 2005 19:49:13 -0000
@@ -715,6 +715,7 @@
 static void fetch_overloaded_element(znode *result, znode *op1, znode *op2, temp_variable *Ts, int type, zval ***retval, int overloaded_element_type TSRMLS_DC)
 {
        zend_overloaded_element overloaded_element;
+       zval *tmp;

        if (Ts[op1->u.var].EA.type == IS_STRING_OFFSET) {
                get_zval_ptr(op2, Ts, &EG(free_op2), BP_VAR_R);
@@ -733,7 +734,11 @@
                return;
        }

-       overloaded_element.element = *get_zval_ptr(op2, Ts, &EG(free_op2), type);
+       tmp = get_zval_ptr(op2, Ts, &EG(free_op2), type);
+       if (!tmp) {
+               MAKE_STD_ZVAL(tmp);
+       }
+       overloaded_element.element = *tmp;
        overloaded_element.type = overloaded_element_type;
        if (!EG(free_op2)) {
                zval_copy_ctor(&overloaded_element.element);

 [2005-01-21 01:32 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 14:01:50 2014 UTC