Bug #31706 overload() causes SIGSEGV.
Submitted: 2005-01-26 18:32 UTC Modified: 2005-01-26 21:59 UTC
From: darrell at brogdon dot net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.10 OS: Red Hat Linux 7.3
Private report: No CVE-ID: None
 [2005-01-26 18:32 UTC] darrell at brogdon dot net
Description:
------------
Using a modified version of the example in the online manual (http://us4.php.net/overload) causes PHP to segfault.  The version of PHP used was compiled without any modules.

Reproduce code:
---------------
<?php
class OO {
    var $elem = array('b' => 9, 'c' => 42);

    function OO() {}

    // PHP 4 overload() signature: third argument receives the return value
    function __call($fn_name, $args, &$ret) {
        return true;
    }

    function __set($prop_name, $prop_value) {
        $this->elem[$prop_name] = $prop_value;
        return true;
    }
}
overload('OO');
$o = new OO;
$o->d('foo');
// this assignment goes through set_overloaded_property(), where the backtrace below shows the crash
$o->x = 56;
?>

Expected result:
----------------
Exit normally with no output.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00596f0a in ?? ()
(gdb) bt
#0  0x00596f0a in ?? ()
#1  0x08119c9d in set_overloaded_property (T=0xbfffc8dc, value=0x81a0448) at /storage/dbrogdon/mxl-php-src/Zend/zend_execute.c:978
#2  0x0811c700 in execute (op_array=0x819bf1c) at /storage/dbrogdon/mxl-php-src/Zend/zend_execute.c:339
#3  0x0810db1a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /storage/dbrogdon/mxl-php-src/Zend/zend.c:900
#4  0x080eb232 in php_execute_script (primary_file=0xbffff500) at /storage/dbrogdon/mxl-php-src/main/main.c:1736
#5  0x081269c8 in main (argc=2, argv=0xbffff5a4) at /storage/dbrogdon/mxl-php-src/sapi/cli/php_cli.c:822
(gdb) up
#1  0x08119c9d in set_overloaded_property (T=0xbfffc8dc, value=0x81a0448) at /storage/dbrogdon/mxl-php-src/Zend/zend_execute.c:978
978                     ce->handle_property_set(&T->EA.data.overloaded_element, value);
(gdb) p *value
$1 = {value = {lval = 56, dval = 2.1219958186329485e-314, str = {val = 0x38 <Address 0x38 out of bounds>, len = 1}, ht = 0x38, obj = {ce = 0x38, properties = 0x1}},
  type = 1 '\001', is_ref = 1 '\001', refcount = 2}
(gdb) p *T
$2 = {tmp_var = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {ce = 0x0, properties = 0x0}}, type = 0 '\0', is_ref = 0 '\0', refcount = 0}, var = {
    ptr_ptr = 0x0, ptr = 0x0}, EA = {tmp_var = {value = {lval = 0, dval = 0, str = {val = 0x0, len = 0}, ht = 0x0, obj = {ce = 0x0, properties = 0x0}}, type = 0 '\0',
      is_ref = 0 '\0', refcount = 0}, data = {str_offset = {str = 0x1, offset = 135928188}, overloaded_element = {type = 1, object = 0x81a197c, elements_list = 0x819bf84}},
    type = 1 '\001'}}

 [2005-01-26 21:59 UTC] darrell at brogdon dot net
Appears to be fixed in php4-STABLE-200501261730.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 15 03:01:24 2019 UTC