PHP :: Bug #29035 :: using isset() crashes PHP5TS.DLL within Apache

Bug #29035

using isset() crashes PHP5TS.DLL within Apache

Submitted:

2004-07-06 19:19 UTC

Modified:

2004-11-04 15:08 UTC

Votes:	8
Avg. Score:	4.4 ± 1.3
Reproduced:	8 of 8 (100.0%)
Same Version:	4 (50.0%)
Same OS:	6 (75.0%)

From:

steven at omicron-software dot co dot uk

Assigned:

andi (profile)

Status:

Closed

Package:

Reproducible crash

PHP Version:

5.0.0RC3

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2004-07-06 19:19 UTC] steven at omicron-software dot co dot uk

Description:
------------
When using a simple isset() script crashes PHP5.

Reproduce code:
---------------
<?
$array = array('foo' => 'bar');
if (isset($array[])) echo "Something";
?>

Expected result:
----------------
The expected result is to echo "Something"

Actual result:
--------------
Actual result is a "Apache.exe has encountered a problem and needs to close.  We are sorry for the inconvenience." error in PHP5TS.DLL, running as a Module on Apache 1.3.31.

Debug tool with Microsoft Visual Studio returns this:
"Unhandled exception in Apache.exe (PHP5TS.DLL): 0xC0000005: Access Violation"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-07-07 09:11 UTC] derick@php.net

Your expected result is wrong, you can not isset on an addition to an array.

Besides that, i could reproduce this on Linux too.

backtrace:
0x08316ef5 in zend_isset_isempty_dim_prop_obj_handler (prop_dim=0,
    execute_data=0xbfffd540, opline=0x404e63e0, op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:3969
warning: Source file is more recent than executable.

3969
(gdb) bt
#0  0x08316ef5 in zend_isset_isempty_dim_prop_obj_handler (prop_dim=0,
    execute_data=0xbfffd540, opline=0x404e63e0, op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:3969
#1  0x083171c3 in zend_isset_isempty_dim_obj_handler (execute_data=0xbfffd540,
    opline=0x404e63e0, op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:4056
#2  0x0831029f in execute (op_array=0x404e60c4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1391
#3  0x082ec861 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /dat/dev/php/php-5.0dev/Zend/zend.c:1058
#4  0x082a6b83 in php_execute_script (primary_file=0xbffff980)
    at /dat/dev/php/php-5.0dev/main/main.c:1630
#5  0x0831cd96 in main (argc=1, argv=0xbffffa24)
    at /dat/dev/php/php-5.0dev/sapi/cli/php_cli.c:943

valgrind says:
==21034==
==21034== Invalid read of size 1
==21034==    at 0x8316EF5: zend_isset_isempty_dim_prop_obj_handler (zend_execute.c:3969)
==21034==    by 0x83171C2: zend_isset_isempty_dim_obj_handler (zend_execute.c:4056)
==21034==    by 0x831029E: execute (zend_execute.c:1391)
==21034==    by 0x82EC860: zend_execute_scripts (zend.c:1058)
==21034==  Address 0xC is not stack'd, malloc'd or free'd
==21034==
==21034== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==21034==  Access not within mapped region at address 0xC
==21034==    at 0x8316EF5: zend_isset_isempty_dim_prop_obj_handler (zend_execute.c:3969)
==21034==    by 0x83171C2: zend_isset_isempty_dim_obj_handler (zend_execute.c:4056)
==21034==    by 0x831029E: execute (zend_execute.c:1391)
==21034==    by 0x82EC860: zend_execute_scripts (zend.c:1058)
==21034==

[2004-08-13 03:02 UTC] jsgoupil at lookstrike dot com

Same with empty()

[2004-11-04 15:08 UTC] thekid@php.net

Now outputs:

Fatal error: Cannot use [] for reading in /usr/home/thekid/test.php on line 3

The crash has gone, this is expected functionality, I assume this can be closed.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 01 23:01:35 2025 UTC