php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31158 array_splice on $GLOBALS crashes
Submitted: 2004-12-17 20:41 UTC Modified: 2005-07-11 18:26 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: postings-php-bug at hans-spath dot de Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5CVS, 4CVS (2005-02-21) OS: *
Private report: No CVE-ID:
 [2004-12-17 20:41 UTC] postings-php-bug at hans-spath dot de
Description:
------------
PHP doesn't handle an attempt of clearing $GLOBALS correctly.

Reproduce code:
---------------
function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();

Expected result:
----------------
$GLOBALS should be empty or an error message should be printed.

Actual result:
--------------
My tests:

PHP 4.3.8 cli/cgi, 4.3.10 cli, Linux 2.6:
segmentation fault

PHP 4.3.8 apache2sapi, Windows XP SP2:
Apache2 log: Parent: child process exited with status 3221225477 -- Restarting.

PHP 5.0.1 cli, Windows XP SP2:
array_splice works, but then crashes on script end (probably during cleanups) or on phpinfo();


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-12-18 17:31 UTC] postings-php-bug at hans-spath dot de
<0>stob@netbrake:~/compile/php-4.3.10/sapi/cli% cat ~/test/killer.php
<?
function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();
<0>stob@netbrake:~/compile/php-4.3.10/sapi/cli% gdb php
[...]
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run ~/test/killer.php
Starting program: /home/stob/compile/php-4.3.10/sapi/cli/php ~/test/killer.php
[Sat Dec 18 17:28:35 2004]  Script:  '/home/stob/test/killer.php'
---------------------------------------
/home/stob/compile/php-4.3.10/ext/standard/array.c(1897) : Block 0x081C2B28 status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
0xb7ec81c3 in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0xb7ec81c3 in memcpy () from /lib/libc.so.6
#1  0x0814ace4 in _mem_block_check (ptr=0x81c2b4c, silent=0, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c",
    __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:675
#2  0x0814aca5 in _mem_block_check (ptr=0x81c2b4c, silent=1, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c",
    __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:667
#3  0x08149feb in _efree (ptr=0x81c2b4c, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:243
#4  0x080a2b90 in zif_array_splice (ht=3, return_value=0x81f6af4, this_ptr=0x0, return_value_used=0)
    at /home/stob/compile/php-4.3.10/ext/standard/array.c:1897
#5  0x0816eeb3 in execute (op_array=0x81f69b8) at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1642
#6  0x0816f0b1 in execute (op_array=0x81f15bc) at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1686
#7  0x0815be29 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/stob/compile/php-4.3.10/Zend/zend.c:900
#8  0x08127f54 in php_execute_script (primary_file=0xbffffa60) at /home/stob/compile/php-4.3.10/main/main.c:1736
#9  0x0817507b in main (argc=2, argv=0xbffffae4) at /home/stob/compile/php-4.3.10/sapi/cli/php_cli.c:822
 [2005-07-04 12:11 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_0.
 [2005-07-04 13:14 UTC] derick@php.net
Let's keep it open for now, so that we don't forget to backport it to 4.4.1 as soon as 4.4.0 is out.
 [2005-07-11 18:26 UTC] dmitry@php.net
Fixed in CVS PHP_4_4 too.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 15:01:54 2014 UTC