Bug #33136 method offsetSet in class extended from ArrayObject crashes PHP
Submitted: 2005-05-25 13:39 UTC Modified: 2005-06-20 05:04 UTC
From: nightik at intech dot ru Assigned: helly
Status: Closed Package: SPL related
PHP Version: 5.0.* OS: *
Private report: No CVE-ID:
 [2005-05-25 13:39 UTC] nightik at intech dot ru
Description:
------------
The method offsetSet in a class extended from ArrayObject crashes PHP with the message "PHP has encountered an Access Violation at 018CC7A0".
If the method offsetSet is not present in the Collection class, it works fine.

Web server: IIS 5.0 on Windows XP and 6.0 on Windows 2003 Server

Reproduce code:
---------------
class Collection extends ArrayObject
{
	private $data;
	
	function __construct()
	{
		$this->data = array();
		parent::__construct( $this->data );
	}
	
	function offsetGet( $index )
	{
		echo "Collection::offsetGet()\n";
		return parent::offsetGet( $index );
	}
	
	function offsetSet( $index, $value )
	{
		echo "Collection::offsetSet()\n";
		parent::offsetSet( $index, $value );
	}
}

echo "\n\nInitiate Obj\n";
$arrayObj = new Collection();

echo "Assign values\n";

$arrayObj[] = "foo";
$arrayObj[] = "bar";
$arrayObj["foo"] = "bar";

echo "Getting values\n";
echo $arrayObj["foo"];

echo "Printing Collection\n";
print_r( $arrayObj );

echo "Count Collection items\n";
echo count( $arrayObj );


Expected result:
----------------
Initiate Obj
Assign values
Collection::offsetSet()
Collection::offsetSet()
Collection::offsetSet()
Getting values
Collection::offsetGet()
bar
Printing Collection
Collection Object
(
    [0] => foo
    [1] => bar
    [foo] => bar
)
Count Collection items
3

Actual result:
--------------
PHP has encountered an Access Violation at 018CC7A0

Initiate Obj
Assign values


 [2005-05-26 00:37 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-05-26 07:48 UTC] nightik at intech dot ru
Using the latest CVS snapshot (PHP 5.1.0-dev, Build Date May 26 2005 04:16:51), the error still remains.
 [2005-05-26 09:43 UTC] tony2001@php.net
Here is the backtrace I can see in HEAD.

Program received signal SIGSEGV, Segmentation fault.
0x08276943 in zend_call_function (fci=0xbfffc4a0, fci_cache=0xbfffc460) at /usr/src/dev/clean/php-src_head/Zend/zend_execute_API.c:777
777                             (*fci->params[i])->refcount++;
(gdb) bt
#0  0x08276943 in zend_call_function (fci=0xbfffc4a0, fci_cache=0xbfffc460) at /usr/src/dev/clean/php-src_head/Zend/zend_execute_API.c:777
#1  0x08292fe8 in zend_call_method (object_pp=0xbfffc544, obj_ce=0x844e3cc, fn_proxy=0x8448ec4, function_name=0x831bac3 "offsetSet", function_name_len=9,
    retval_ptr_ptr=0xbfffc52c, param_count=2, arg1=0x0, arg2=0x8453f3c) at /usr/src/dev/clean/php-src_head/Zend/zend_interfaces.c:87
#2  0x08168d88 in spl_array_write_dimension_ex (check_inherited=1, object=0x844df6c, offset=0x0, value=0x8453f3c) at /usr/src/dev/clean/php-src_head/ext/spl/spl_array.c:366
#3  0x08168ebe in spl_array_write_dimension (object=0x844df6c, offset=0x0, value=0x8453f3c) at /usr/src/dev/clean/php-src_head/ext/spl/spl_array.c:400
#4  0x082f640a in zend_assign_to_object (result=0x8451658, object_ptr=0x843ba60, op2=0x8451680, value_op=0x84516b8, Ts=0xbfffc670, opcode=147)
    at /usr/src/dev/clean/php-src_head/Zend/zend_execute.c:692
#5  0x082e5904 in ZEND_ASSIGN_DIM_SPEC_CV_UNUSED_HANDLER (execute_data=0xbfffcbc0) at zend_vm_execute.h:23687
#6  0x082a7252 in execute (op_array=0x8448de4) at zend_vm_execute.h:78
#7  0x08282449 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/clean/php-src_head/Zend/zend.c:1072
#8  0x0823fe0c in php_execute_script (primary_file=0xbfffeff0) at /usr/src/dev/clean/php-src_head/main/main.c:1662
#9  0x082f88ae in main (argc=2, argv=0xbffff0c4) at /usr/src/dev/clean/php-src_head/sapi/cli/php_cli.c:1031
(gdb) p fci->params[i]
$3 = (zval **) 0xbfffc50c
(gdb) p *fci->params[i]
$4 = (zval *) 0x0
 [2005-05-26 10:16 UTC] nightik at intech dot ru
The error occurs only if the array index is not present. If I delete these lines of code:

$arrayObj[] = "foo";
$arrayObj[] = "bar";

the script works fine.

Maybe this helps you fix this bug.
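The reduced case above ties the crash to the append form, `$arrayObj[] = "foo"`, which reaches the overridden offsetSet() with a null index (the backtrace shows `offset=0x0` being handed to zend_call_method). The following is an added example written for this page, not code from the reporter or from PHP's SPL: a Collection subclass that overrides offsetSet() and resolves the null-index append case itself in userland, so the subclass's append behaviour is explicit and inspectable. It assumes PHP 7.1 or later (for the `: void` return declaration); the class name Collection, the `nextFreeKey()` helper and the call log are this example's own.

```php
<?php
// Added example (not part of the bug report). Assumes PHP 7.1+.
//
// $obj[] = $value calls offsetSet() with $index === null. This subclass
// makes that case explicit instead of relying on the parent to interpret
// a null key, and keeps a log of calls so the dispatch can be inspected.
class Collection extends ArrayObject
{
    /** @var string[] log of offsetSet() calls, for inspection */
    private $log = [];

    public function offsetSet($index, $value): void
    {
        if ($index === null) {
            // Append form: resolve the key ourselves to the next free
            // integer key, then store under that concrete key.
            $index = $this->nextFreeKey();
            $this->log[] = "append -> {$index}";
        } else {
            $this->log[] = "set {$index}";
        }
        parent::offsetSet($index, $value);
    }

    /** Returns the recorded offsetSet() calls in order. */
    public function calls(): array
    {
        return $this->log;
    }

    /**
     * Next integer key after the largest integer key currently stored.
     * (Native arrays remember the largest key ever used, even after unset();
     * this simpler rule only looks at keys that are present now.)
     */
    private function nextFreeKey(): int
    {
        $max = -1;
        foreach (array_keys($this->getArrayCopy()) as $key) {
            if (is_int($key) && $key > $max) {
                $max = $key;
            }
        }
        return $max + 1;
    }
}

$c = new Collection();
$c[] = "foo";        // append: arrives as offsetSet(null, "foo")
$c[] = "bar";        // append: arrives as offsetSet(null, "bar")
$c["foo"] = "bar";   // explicit string key

print_r($c->getArrayCopy());
print_r($c->calls());
echo count($c), "\n";
```

Running this shows the two appends being logged with the integer keys the subclass assigned and the string assignment logged as an explicit set; the three entries then appear in getArrayCopy() and count() agrees. The point of handling `$index === null` in the override is that every code path through offsetSet() passes a concrete key to the parent, which is exactly the case the original report found to be the one that failed.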
 [2005-06-20 05:04 UTC] helly@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.1 only
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 10:02:10 2014 UTC