Bug #31158 array_splice on $GLOBALS crashes
Submitted: 2004-12-17 20:41 UTC Modified: 2005-07-11 18:26 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: postings-php-bug at hans-spath dot de Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5CVS, 4CVS (2005-02-21) OS: *
Private report: No CVE-ID: None

 [2004-12-17 20:41 UTC] postings-php-bug at hans-spath dot de
Description:
------------
PHP doesn't handle an attempt to clear $GLOBALS correctly.

Reproduce code:
---------------
function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();

Expected result:
----------------
$GLOBALS should be empty or an error message should be printed.

Actual result:
--------------
My tests:

PHP 4.3.8 cli/cgi, 4.3.10 cli, Linux 2.6:
segmentation fault

PHP 4.3.8 apache2sapi, Windows XP SP2:
Apache2 log: Parent: child process exited with status 3221225477 -- Restarting.

PHP 5.0.1 cli, Windows XP SP2:
array_splice works, but then crashes on script end (probably during cleanups) or on phpinfo();


 [2004-12-18 17:31 UTC] postings-php-bug at hans-spath dot de
<0>stob@netbrake:~/compile/php-4.3.10/sapi/cli% cat ~/test/killer.php
<?
function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();
<0>stob@netbrake:~/compile/php-4.3.10/sapi/cli% gdb php
[...]
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run ~/test/killer.php
Starting program: /home/stob/compile/php-4.3.10/sapi/cli/php ~/test/killer.php
[Sat Dec 18 17:28:35 2004]  Script:  '/home/stob/test/killer.php'
---------------------------------------
/home/stob/compile/php-4.3.10/ext/standard/array.c(1897) : Block 0x081C2B28 status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
0xb7ec81c3 in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0xb7ec81c3 in memcpy () from /lib/libc.so.6
#1  0x0814ace4 in _mem_block_check (ptr=0x81c2b4c, silent=0, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c",
    __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:675
#2  0x0814aca5 in _mem_block_check (ptr=0x81c2b4c, silent=1, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c",
    __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:667
#3  0x08149feb in _efree (ptr=0x81c2b4c, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:243
#4  0x080a2b90 in zif_array_splice (ht=3, return_value=0x81f6af4, this_ptr=0x0, return_value_used=0)
    at /home/stob/compile/php-4.3.10/ext/standard/array.c:1897
#5  0x0816eeb3 in execute (op_array=0x81f69b8) at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1642
#6  0x0816f0b1 in execute (op_array=0x81f15bc) at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1686
#7  0x0815be29 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/stob/compile/php-4.3.10/Zend/zend.c:900
#8  0x08127f54 in php_execute_script (primary_file=0xbffffa60) at /home/stob/compile/php-4.3.10/main/main.c:1736
#9  0x0817507b in main (argc=2, argv=0xbffffae4) at /home/stob/compile/php-4.3.10/sapi/cli/php_cli.c:822
 [2005-07-04 12:11 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_0.
 [2005-07-04 13:14 UTC] derick@php.net
Let's keep it open for now, so that we don't forget to backport it to 4.4.1 as soon as 4.4.0 is out.
 [2005-07-11 18:26 UTC] dmitry@php.net
Fixed in CVS PHP_4_4 too.
 
Last updated: Thu Feb 06 23:01:28 2025 UTC