php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34269 memory overwrite
Submitted: 2005-08-26 19:36 UTC Modified: 2005-08-30 09:19 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: eka1970 at mail dot ru Assigned:
Status: Wont fix Package: Arrays related
PHP Version: 4CVS-2005-08-29 (only) OS: red hat 7.3
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: eka1970 at mail dot ru
New email:
PHP Version: OS:

 

 [2005-08-26 19:36 UTC] eka1970 at mail dot ru
Description:
------------
hundreds of thousands of "$a[]= ..." and "array_pop()" calls triggers memory overwrite.

Reproduce code:
---------------
<?php

$a = array(0,1,2,3,4,5,6,7,8,9,10);

$paths = array();

$stack = array();
for($i=0; $i<100000; $i++) {
    $steps = mt_rand(2,6);
    // move forward
    for($j=0; $j<$steps; $j++) { $stack[] = array('x'=>$a[$j]); }
    $paths[] = $stack;
    // move backward
    for($j=0; $j<$steps; $j++) { array_pop($stack); }
}

print_r($a);

?>

Expected result:
----------------
array $a is never modified in the code, but when you print it at the end of the script it spills out a whole lot of unexpected reccursions or just dies with no output.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-28 07:09 UTC] eka1970 at mail dot ru
If you're not going to fix this and propose to use v5, please confirm there will be no more updates for v4.x.
 [2005-08-28 10:42 UTC] tony2001@php.net
Jani asked to *TRY* PHP5, not to install and use it instead of PHP4. Please do so or tell that you're not interested in solution for your problem. Thank you.
 [2005-08-29 02:25 UTC] eka1970 at mail dot ru
Problem is not found in v5 but we're not going to migrate to it until stable 5.1 is released
 [2005-08-30 09:19 UTC] derick@php.net
This is actually expected behavior. In PHP 4 the refcount is a short, meaning that you can have a maximum of 6553x (internal) references to the same value. In PHP 5 this is now an int, meaning that you can use about 2 million of them.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Jun 23 06:01:25 2021 UTC