Bug #30328 Crash when passing undefined variable to __get() and return its name
Submitted: 2004-10-05 12:37 UTC Modified: 2005-05-20 01:00 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: flying at dom dot natm dot ru Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5CVS-2005-03-09 OS: *
Private report: No CVE-ID: None
 [2004-10-05 12:37 UTC] flying at dom dot natm dot ru
Description:
------------
PHP 5.0.2 on Windows 2000 SP4.

There is a reproducible crash that happens when one tries to pass an undefined variable to a class with a defined __get() function.

Example code:
<?php
class Test {
    function __construct() {}

    public function __get($name)
    {
        echo '__get() called: '.$name;
        return($name);
    }
};

$test = new Test();
echo $test->$testvar;
?>

Running this code under Apache results in an HTTP 500 error; running it from the shell results in some garbage being shown on screen and the program exiting. However, running it as:

php.exe test.php >log

results in the following text appearing in the log:

Notice: Undefined variable:  testvar in C:\web\test.php on line 13
__get() called: 

Moreover, changing return($name); inside __get() to return anything else (either a static value or some other variable) results in the crash disappearing.


 [2004-10-05 15:27 UTC] tony2001@php.net
Seems to be 5.0.x specific - I can't reproduce it with 5.1-dev.

Notice: Undefined variable:  testvar in /www/index.php on line 13
__get() called:
Program received signal SIGSEGV, Segmentation fault.
0x4207c0dc in mempcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4207c0dc in mempcpy () from /lib/tls/libc.so.6
#1  0x4206e660 in _IO_file_xsputn () from /lib/tls/libc.so.6
#2  0x42062e32 in fwrite () from /lib/tls/libc.so.6
#3  0x081c601a in sapi_cli_single_write (str=0x0, str_length=136509472) at /home/dev/php-src_PHP_5_0/sapi/cli/php_cli.c:192
#4  0x081c4692 in sapi_cli_ub_write (str=0x0, str_length=136509472) at /home/dev/php-src_PHP_5_0/sapi/cli/php_cli.c:205
#5  0x0815d563 in php_ub_body_write_no_header (str=0x0, str_length=136509472) at /home/dev/php-src_PHP_5_0/main/output.c:684
#6  0x0815c1aa in php_body_write (str=0x0, str_length=136509472) at /home/dev/php-src_PHP_5_0/main/output.c:119
#7  0x0814da36 in php_body_write_wrapper (str=0x0, str_length=136509472) at /home/dev/php-src_PHP_5_0/main/main.c:1242
#8  0x0819251c in zend_print_zval_ex (write_func=0x814da15 <php_body_write_wrapper>, expr=0xbfffd2b0, indent=0)
    at /home/dev/php-src_PHP_5_0/Zend/zend.c:288
#9  0x0819249a in zend_print_zval (expr=0xbfffd300, indent=0) at /home/dev/php-src_PHP_5_0/Zend/zend.c:269
#10 0x08191c2f in zend_print_variable (var=0xbfffd300) at /home/dev/php-src_PHP_5_0/Zend/zend_variables.c:168
#11 0x081b9d2d in zend_echo_handler (execute_data=0xffd45008, opline=0x2ca910bf, op_array=0x2c641c08) at /home/dev/php-src_PHP_5_0/Zend/zend_execute.c:1989
 [2004-11-04 15:00 UTC] thekid@php.net
This actually happens with $testvar defined to anything that will evaluate to "" for the member (including being undefined).

So:  
  $testvar= ''; // or NULL, or FALSE, or omitted altogether
  $test = new Test();
  echo $test->$testvar;

The zend_std_read_property() object handler converts the member to a string before trying to read it, so in each of the above cases (whether not defined at all, being defined to an empty string, NULL, or FALSE), the __get argument $name is an empty string (created with STR_EMPTY_ALLOC() in convert_to_string()) and makes PHP crash at shutdown.

Now a crash *only* happens if the argument $name is an empty string *and* left unmodified (e.g. having $name.= '' in the __get method will not cause the problem).

Maybe this gives a hint at how to solve the problem.
 [2005-02-06 14:50 UTC] bart at mediawave dot nl
I've experienced the same problem (with 5.0.3). It doesn't matter if $testvar is empty or not. The error seems to be triggered only when returning $name. For example when using: return 'blah'; it won't crash.
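
A regression check for the cases named in the comments above, added here as an example; it is not code from the report or from the PHP test suite. It assumes a PHP build that passes an empty property name through to __get(), as the versions discussed here do; the $seen property and the case labels are illustrative.

```php
<?php
// Added regression check for bug #30328 (example code, not from the report).
class Test {
    public $seen = array();   // names that __get() actually received

    public function __get($name)
    {
        $this->seen[] = $name;
        return $name;         // returning the argument unmodified is the reported trigger
    }
}

// Constructed inputs: the member values named in the thread, plus a non-empty name.
$cases = array(
    'empty string' => '',
    'NULL'         => null,
    'FALSE'        => false,
    'non-empty'    => 'blah',
);

$failures = 0;
foreach ($cases as $label => $member) {
    $test = new Test();

    // The backtrace shows the fault inside the echo handler, so the returned
    // value is echoed (into a buffer) instead of only being assigned.
    ob_start();
    echo $test->$member;
    $printed = ob_get_clean();

    // The member is converted to a string before the lookup, so __get()
    // must see exactly that string, and echo must print it unchanged.
    $expected = (string) $member;
    $ok = ($test->seen === array($expected)) && ($printed === $expected);
    if (!$ok) {
        $failures++;
    }
    printf("%-12s %s\n", $label, $ok ? 'ok' : 'FAIL');
}

// Reaching this line means no crash occurred during echo; a crash at
// shutdown still shows up as an abnormal exit status of the php process.
exit($failures === 0 ? 0 : 1);
```

Run it with the CLI binary and check the process exit status as well as the printed lines, since the thread reports the crash at shutdown.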
 [2005-03-09 21:50 UTC] sniper@php.net
Crashes nicely too with HEAD.

 [2005-05-12 13:02 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.0-win32-latest.zip

Not reproducible anymore.
 [2005-05-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 