Bug #32660 Assignment by reference causes crash when field access is overloaded (__get)
Submitted: 2005-04-10 22:22 UTC
Modified: 2005-06-23 13:05 UTC
From: ladislav dot prosek at matfyz dot cz
Assigned: dmitry
Status: Closed
Package: Scripting Engine problem
PHP Version: 5CVS-2005-06-19
OS: *
Private report: No
CVE-ID:
 [2005-04-10 22:22 UTC] ladislav dot prosek at matfyz dot cz
Description:
------------
There is probably a bug in memory allocation related to property getters. Note that the behavior depends on lengths of the two strings and also on the way the $q property is initialized.

Reproduce code:
---------------
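<?php
class A
{
	var $q;

	function __construct()
	{
		$this->q = array();
	}

	// Overloaded read access: called for any undeclared property,
	// and returns by value (no & on the function).
	function __get($name)
	{
		return $this->q;
	}
};

$a = new A;

$b = "short";
// "whatever" is not a declared property, so this reference
// assignment goes through the overloaded (__get) path.
$a->whatever =& $b;
$b = "much longer";

var_dump($a);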


Expected result:
----------------
// as __get does not return a reference
// the output should IMHO look like this:

object(A)#1 (1) {
  ["q"]=>
  array(0) {
  }
}

// if you guys think the output should be
// different, please do explain it!

Actual result:
--------------
object(A)#1 (1) {
  ["q"]=>
CRASH!

 [2005-04-11 02:04 UTC] sniper@php.net
object(A)#1 (1) {
  ["q"]=>
  &UNKNOWN:0
}
/usr/src/php/php5/Zend/zend_execute.c(891) :  Freeing 0x0A117D6C (16 bytes), script=/home/jani/t.php
/usr/src/php/php5/Zend/zend_variables.h(45) :  Freeing 0x0A117D2C (12 bytes), script=/home/jani/t.php
/usr/src/php/php5/Zend/zend_variables.c(120) : Actual location (location was relayed)
=== Total 2 memory leaks detected ===

 [2005-05-11 12:40 UTC] tony2001@php.net
Initializing $a->whatever before assigning the reference can be used as a temporary workaround.
 [2005-06-20 10:50 UTC] tony2001@php.net
Dmitry, plz take a look into it, it's still valid for HEAD.
 [2005-06-23 13:05 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_0.
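
The workaround from the 2005-05-11 comment, applied to the reproduce code. This is an added example, not part of the original report or the PHP source. It assumes "initializing" means a plain assignment to $a->whatever; the check at the end and the AllowDynamicProperties attribute line are additions for illustration.

```php
<?php
// Added example: reproducer from the report with the workaround applied.
// On PHP versions before 8 the next line is parsed as a comment; on 8.2+ it
// permits the dynamic property that the workaround creates.
#[AllowDynamicProperties]
class A
{
    public $q;

    function __construct()
    {
        $this->q = array();
    }

    // Returns by value, as in the report.
    function __get($name)
    {
        return $this->q;
    }
}

$a = new A;

// Workaround: create the property with a plain assignment first.
// __get is only called for properties that do not exist, so once
// "whatever" is a real property the reference below binds to its own
// storage instead of to the value handed back by __get.
$a->whatever = null;

$b = "short";
$a->whatever =& $b;
$b = "much longer";

// Check added for illustration: the property must follow $b.
if ($a->whatever !== $b) {
    throw new RuntimeException('reference was not bound to the property');
}

var_dump($a);
```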
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 12:01:52 2014 UTC