Bug #32394 offsetUnset() segfaults in a foreach
Submitted: 2005-03-21 13:29 UTC Modified: 2005-03-21 21:15 UTC
From: guth at fiifo dot u-psud dot fr Assigned: helly
Status: Closed Package: SPL related
PHP Version: 5.0.3 OS: *
Private report: No CVE-ID:
 [2005-03-21 13:29 UTC] guth at fiifo dot u-psud dot fr
Description:
------------
Look at the following code :)

Reproduce code:
---------------
<?php

$object = new ArrayIterator;
$object->append(new stdClass);

foreach($object as $key => $value) {
	$object->offsetUnset($key);
}

exit((string)mt_rand(0, 1000));

?>

Expected result:
----------------
No crash.

Actual result:
--------------
#0  0x404195df in zend_hash_get_current_key_type_ex (ht=0x817a6ec, pos=0x815556c)
    at /usr/src/php5-STABLE-200502101130/Zend/zend_hash.c:1083
#1  0x402ffe1b in spl_array_next (intern=0x815555c) at /usr/src/php5-STABLE-200502101130/ext/spl/spl_array.c:498
#2  0x403001b7 in spl_array_it_move_forward (iter=0x817f6ec) at /usr/src/php5-STABLE-200502101130/ext/spl/spl_array.c:586
#3  0x4043d6e0 in zend_fe_fetch_handler (execute_data=0xbfffcc10, opline=0x817ef44, op_array=0x817a57c)
    at /usr/src/php5-STABLE-200502101130/Zend/zend_execute.c:3847
#4  0x40435156 in execute (op_array=0x817a57c) at /usr/src/php5-STABLE-200502101130/Zend/zend_execute.c:1406
#5  0x404113c0 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/php5-STABLE-200502101130/Zend/zend.c:1068
#6  0x403d0c7e in php_execute_script (primary_file=0xbfffef80) at /usr/src/php5-STABLE-200502101130/main/main.c:1630
#7  0x4043ec7e in apache_php_module_main (r=0x817100c, display_source_mode=0)
    at /usr/src/php5-STABLE-200502101130/sapi/apache/sapi_apache.c:54
#8  0x4043f901 in send_php (r=0x817100c, display_source_mode=0, filename=0x8171b14 "/anticorps/www/test.php")
    at /usr/src/php5-STABLE-200502101130/sapi/apache/mod_php5.c:622
#9  0x4043f968 in send_parsed_php (r=0x817100c) at /usr/src/php5-STABLE-200502101130/sapi/apache/mod_php5.c:637
#10 0x08071e88 in ap_invoke_handler ()
#11 0x08086f10 in process_request_internal ()
#12 0x08086f6f in ap_process_request ()
#13 0x0807df91 in child_main ()
#14 0x0807e19c in make_child ()
#15 0x0807e300 in startup_children ()
#16 0x0807e9bf in standalone_main ()
#17 0x0807f1d7 in main ()

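A defensive variant of the reporter's loop, added here as an example and not taken from the report or from the PHP fix (the helper removeWhere() and the sample data are constructed for illustration): it iterates a detached array copy, so offsetUnset() is never called on the container that foreach is currently positioned in.

```php
<?php
// Added example (not from the bug report or PHP's fix): remove entries
// from an ArrayIterator without calling offsetUnset() on the container
// that foreach is currently walking, which is what triggers the crash
// described in the report.

/**
 * Remove every element for which $shouldRemove($key, $value) is true
 * and return how many were removed.
 *
 * The loop runs over a snapshot returned by getArrayCopy(), a plain PHP
 * array detached from the iterator, so the live iterator position is
 * never invalidated while elements are being unset.
 */
function removeWhere(ArrayIterator $it, callable $shouldRemove)
{
    $removed = 0;
    foreach ($it->getArrayCopy() as $key => $value) {
        if ($shouldRemove($key, $value)) {
            // Safe: $it is not the container being iterated here.
            $it->offsetUnset($key);
            $removed++;
        }
    }
    return $removed;
}

// Constructed sample data: two plain values and two objects.
$it = new ArrayIterator(array(
    'a' => 1,
    'b' => new stdClass,
    'c' => 3,
    'd' => new stdClass,
));

// Drop every stdClass instance, mirroring the report's intent of
// unsetting entries while walking the iterator.
$removed = removeWhere($it, function ($key, $value) {
    return $value instanceof stdClass;
});

// The iterator remains usable afterwards; rewind and inspect what is left.
$it->rewind();
var_dump($removed);
var_dump(array_keys($it->getArrayCopy()));
?>
```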
 [2005-03-21 13:53 UTC] tony2001@php.net
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1079353056 (LWP 31492)]
0x0829c122 in zend_hash_get_current_key_type_ex (ht=0x85c6234, pos=0x85deaac) at /usr/src/dev/php-src/Zend/zend_hash.c:1083
1083                    if (p->nKeyLength) {
(gdb) bt
#0  0x0829c122 in zend_hash_get_current_key_type_ex (ht=0x85c6234, pos=0x85deaac) at /usr/src/dev/php-src/Zend/zend_hash.c:1083
#1  0x081b9320 in spl_array_next (intern=0x85dea9c) at /usr/src/dev/php-src/ext/spl/spl_array.c:583
#2  0x081b96bc in spl_array_it_move_forward (iter=0x85dd124) at /usr/src/dev/php-src/ext/spl/spl_array.c:671
#3  0x082ca35c in ZEND_FE_FETCH_SPEC_VAR_HANDLER (execute_data=0xbfffcca0) at zend_vm_execute.h:7616
#4  0x082b7f3a in execute (op_array=0x85d8d9c) at zend_vm_execute.h:78
#5  0x08293a90 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/php-src/Zend/zend.c:1059
#6  0x08251382 in php_execute_script (primary_file=0xbffff0d0) at /usr/src/dev/php-src/main/main.c:1640
#7  0x083072cc in main (argc=2, argv=0xbffff1a4) at /usr/src/dev/php-src/sapi/cli/php_cli.c:951
(gdb) p p
$1 = (Bucket *) 0x5a5a5a5a
(gdb) f 1
#1  0x081b9320 in spl_array_next (intern=0x85dea9c) at /usr/src/dev/php-src/ext/spl/spl_array.c:583
583                             return zend_hash_has_more_elements_ex(aht, &intern->pos);
(gdb) p intern->pos
$3 = 0x5a5a5a5a
(gdb) f 2
#2  0x081b96bc in spl_array_it_move_forward (iter=0x85dd124) at /usr/src/dev/php-src/ext/spl/spl_array.c:671
671                     spl_array_next(object TSRMLS_CC);
(gdb) p *object
$5 = {std = {ce = 0x8561758, properties = 0x85d8e5c, in_get = 0, in_set = 0}, array = 0x85c61f4, pos = 0x5a5a5a5a, is_ref = 0, fptr_offset_get = 0x0, fptr_offset_set = 0x0,
  fptr_offset_has = 0x0, fptr_offset_del = 0x0}                                       
 [2005-03-21 21:15 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 20:01:57 2014 UTC