Bug #34269 memory overwrite
Submitted: 2005-08-26 19:36 UTC
Modified: 2005-08-30 09:19 UTC
Avg. Score: 3.5 ± 0.5
Reproduced: 2 of 2 (100.0%)
Same Version: 1 (50.0%)
Same OS: 1 (50.0%)
From: eka1970 at mail dot ru
Assigned:
Status: Wont fix
Package: Arrays related
PHP Version: 4CVS-2005-08-29 (only)
OS: red hat 7.3
Private report: No
CVE-ID: None

 [2005-08-26 19:36 UTC] eka1970 at mail dot ru
Hundreds of thousands of "$a[]= ..." and "array_pop()" calls trigger a memory overwrite.

Reproduce code:

<?php
$a = array(0,1,2,3,4,5,6,7,8,9,10);

$paths = array();

$stack = array();
for($i=0; $i<100000; $i++) {
    $steps = mt_rand(2,6);
    // move forward
    for($j=0; $j<$steps; $j++) { $stack[] = array('x'=>$a[$j]); }
    $paths[] = $stack;
    // move backward
    for($j=0; $j<$steps; $j++) { array_pop($stack); }
}

// print $a at the end of the script, as described under "Expected result"
print_r($a);


Expected result:
Array $a is never modified in the code, but when you print it at the end of the script it spills out a whole lot of unexpected recursions or just dies with no output.


 [2005-08-28 07:09 UTC] eka1970 at mail dot ru
If you're not going to fix this and propose to use v5, please confirm there will be no more updates for v4.x.
 [2005-08-28 10:42 UTC]
Jani asked to *TRY* PHP5, not to install and use it instead of PHP4. Please do so or tell us that you're not interested in a solution for your problem. Thank you.
 [2005-08-29 02:25 UTC] eka1970 at mail dot ru
Problem is not found in v5 but we're not going to migrate to it until stable 5.1 is released.
 [2005-08-30 09:19 UTC]
This is actually expected behavior. In PHP 4 the refcount is a short, meaning that you can have a maximum of 6553x (internal) references to the same value. In PHP 5 this is now an int, meaning that you can use about 2 million of them.
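
The counter wrap described in the last comment, as an added example that is not part of the original report or of PHP's source: a toy C model with a 16-bit unsigned counter (an assumption consistent with the limit quoted above; the struct and function names are hypothetical). It shows a value being freed while holders still point at it, beside a checked increment that forces a private copy instead of wrapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not PHP's zval: only the width of the counter matters here. */
typedef struct { uint16_t refcount; int freed; } val16;

/* Unchecked increment, as a plain 16-bit counter behaves: 65535 + 1 == 0. */
static void addref_unchecked(val16 *v) { v->refcount++; }

/* Checked increment: refuse at the ceiling so the caller must copy the value. */
static int addref_checked(val16 *v) {
    if (v->refcount == UINT16_MAX) return 0;
    v->refcount++;
    return 1;
}

/* Drop one reference; the value is freed when the counter reaches zero. */
static void delref(val16 *v) {
    if (--v->refcount == 0) v->freed = 1;
}

/* Take `extra` references on a value that starts with one owner, then release
   them one at a time. Returns how many holders still point at the value at
   the moment it is freed (0 means the free happened at the right time). */
unsigned long dangling_after_free(unsigned long extra) {
    val16 v = { 1, 0 };
    unsigned long holders = 1 + extra;
    for (unsigned long i = 0; i < extra; i++) addref_unchecked(&v);
    while (!v.freed) { delref(&v); holders--; }
    return holders;
}

/* Same workload with the checked increment: returns how many times the
   caller had to fall back to a private copy instead of sharing the value. */
unsigned long copies_forced(unsigned long extra) {
    val16 v = { 1, 0 };
    unsigned long copies = 0;
    for (unsigned long i = 0; i < extra; i++)
        if (!addref_checked(&v)) copies++;
    return copies;
}

int main(void) {
    /* 70000 is a constructed workload size, chosen to exceed the 16-bit range. */
    printf("dangling holders, unchecked: %lu\n", dangling_after_free(70000));
    printf("copies forced, checked:      %lu\n", copies_forced(70000));
    return 0;
}
```

In the unchecked case the stored count after 70001 true references is 4465, so the value is released after 4465 drops while the remaining holders keep using the freed memory.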
Last updated: Sun Apr 14 07:01:28 2024 UTC