Bug #36825 Exceptions thrown in ArrayObject::offsetGet cause segfault
Submitted: 2006-03-22 22:09 UTC Modified: 2006-03-22 22:57 UTC
From: small at cybertronic dot com Assigned: tony2001
Status: Closed Package: SPL related
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID:
 [2006-03-22 22:09 UTC] small at cybertronic dot com
Description:
------------
Throwing exceptions in an overloaded offsetGet() function seems to cause segfaults in PHP 5.1.2.

Reproduce code:
---------------
<?php
    // Minimal ArrayObject subclass whose offsetGet() always throws.
    class foo extends ArrayObject {
        public function __construct($obj = array(), $flags = 0, $iterator_class = "ArrayIterator") {
        }

        public function offsetGet($key) {
            throw new Exception("hi");
        }
    }

    $test = new foo();
    try {
        // The engine dispatches this read to foo::offsetGet(), which throws.
        $a = $test['bar'];
    } catch (Exception $e) {
        echo "got exception";
    }
?>


Expected result:
----------------
I expect the output:

got exception

Actual result:
--------------
I get a segfault, with backtrace as follows:

#0  0x081cb2cd in spl_array_read_dimension_ex ()
#1  0x081cb35f in spl_array_read_dimension ()
#2  0x08309d27 in zend_fetch_dimension_address ()
#3  0x0833d89e in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER ()
#4  0x0830a386 in execute ()
#5  0x082ed585 in zend_execute_scripts ()
#6  0x082a917e in php_execute_script ()
#7  0x0835039d in main ()


 [2006-03-22 22:40 UTC] judas dot iscariote at gmail dot com
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912511254464 (LWP 861)]
0x000000000050381f in spl_array_read_dimension_ex (check_inherited=1, object=0xa13c60, offset=0xa19310, type=0)
    at /local/local/bodegon/php-debug/ext/spl/spl_array.c:265
265        ZVAL_ZVAL(intern->retval, rv, 1, 1);
(gdb) bt full
#0  0x000000000050381f in spl_array_read_dimension_ex (check_inherited=1, object=0xa13c60, offset=0xa19310, type=0)
    at /local/local/bodegon/php-debug/ext/spl/spl_array.c:265
   is_ref = <value optimized out>
   refcount = <value optimized out>
   rv = (zval *) 0x0
   intern = (spl_array_object *) 0x9f17e0
#1  0x0000000000633c07 in zend_fetch_dimension_address (result=0x7fffffdaa660, container_ptr=0xa198d8, dim=0xa19310,
    dim_is_tmp_var=0, type=0) at /local/local/bodegon/php-debug/Zend/zend_execute.c:1164
   overloaded_result = <value optimized out>
   container = <value optimized out>
#2  0x0000000000642fe6 in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7fffffdaa6f0)
    at zend_vm_execute.h:20430
   opline = (zend_op *) 0xa192c0
   dim = (zval *) 0xa19310
#3  0x0000000000628a3e in execute (op_array=0xa14cc0) at zend_vm_execute.h:92
   execute_data = {opline = 0xa19518, function_state = {function_symbol_table = 0xa19790, function = 0xa14cc0,
    reserved = {0x7fffffdacda0, 0x8d7138, 0x2aaaab642e9c, 0xc}}, fbc = 0x0, op_array = 0xa14cc0, object = 0x0,
  Ts = 0x7fffffdaa570, CVs = 0x7fffffdaa550, original_in_execution = 0 '\0', symbol_table = 0x8d7368,
  prev_execute_data = 0x0, old_error_reporting = 0x0}
#4  0x000000000060b784 in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3)
    at /local/local/bodegon/php-debug/Zend/zend.c:1109
   files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffdaa970, reg_save_area = 0x7fffffdaa880}}
   i = 1
   file_handle = (zend_file_handle *) 0x7fffffdacda0
   orig_op_array = (zend_op_array *) 0x0
   local_retval = (zval *) 0x0
#5  0x00000000005caa9b in php_execute_script (primary_file=0x7fffffdacda0)
    at /local/local/bodegon/php-debug/main/main.c:1726
   realfile = "/srv/www/htdocs/php-bugs/array-obejct.php\000a\000\000\000\000\000symlink\000&#65533;p\000\000\000\000\000`\006\000\000\000\000\000\0001\ta\000\000\000\000\000P&#65533;*\000\000\000\200]*\000\000`\006\000\000\000\000\000\000,\206\000\000\000\000\000 vj\000\000\000\000\000`&#65533;\177", '\0' <repeats 26 times>, "&#65533;*\000\000\001", '\0' <repeats 15 times>, "rawurldeP&#65533;*\000\000\000\000\000\000\000\000\000\0002O*\000\0000[j", '\0' <repeats 13 times>...
   prepend_file_p = (zend_file_handle *) 0x0
   append_file_p = <value optimized out>
   prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
   append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {


PHP 5.1.3RC2-dev (cli) (built: Mar 22 2006 15:29:32) (DEBUG)
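The trace above shows rv = 0x0 at the ZVAL_ZVAL call: once the user-level offsetGet() throws, the engine's call into it hands back no value, and the result is copied without a NULL check. The following self-contained C model of that pattern is an added example, not code from php-src or from this report; the zval struct, the exception_pending flag, the uninitialized_zval sentinel and all function names are simplified stand-ins for the engine's real types and are assumptions.

```c
#include <string.h>

typedef struct { long lval; } zval;     /* stand-in for PHP's zval (assumption) */
typedef zval *(*offset_get_fn)(zval *); /* a user-level offsetGet() callback */
static int exception_pending;           /* stand-in for EG(exception) */
static zval uninitialized_zval = { 0 }; /* stand-in for EG(uninitialized_zval_ptr) */

/* offsetGet() as in the report: it throws, so there is no value to return. */
static zval *user_offset_get_throws(zval *key) {
    (void)key;
    exception_pending = 1;
    return NULL;
}

/* A well-behaved offsetGet() returning key + 1. */
static zval *user_offset_get_ok(zval *key) {
    static zval rv;
    rv.lval = key->lval + 1;
    return &rv;
}

/* Unchecked pattern matching the trace: the result is copied into the object's
 * retval slot with no NULL test, so a throwing callback means a NULL
 * dereference (rv = 0x0 in the gdb output). Driven only with the ok callback. */
static zval *read_dimension_unchecked(offset_get_fn get, zval *key, zval *retval) {
    memcpy(retval, get(key), sizeof *retval);
    return retval;
}

/* Hardened pattern: NULL means an exception is in flight, so leave retval alone
 * and hand back the "uninitialized" value; the caller then unwinds to catch. */
static zval *read_dimension_checked(offset_get_fn get, zval *key, zval *retval) {
    zval *rv = get(key);
    if (rv == NULL) {
        return &uninitialized_zval;
    }
    memcpy(retval, rv, sizeof *retval);
    return retval;
}

/* Drives one read through the checked (1) or unchecked (0) path: returns the
 * fetched value, or -1 when the read yielded the uninitialized value with an
 * exception still pending. */
static long drive(int checked, offset_get_fn get, long k) {
    zval key = { k }, retval = { 0 }, *r;
    exception_pending = 0;
    r = (checked ? read_dimension_checked : read_dimension_unchecked)(get, &key, &retval);
    return (r == &uninitialized_zval && exception_pending) ? -1 : r->lval;
}
```

Running the unchecked path with the throwing callback would reproduce the crash class seen in the trace, which is why drive() is only exercised that way through the checked path.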
 [2006-03-22 22:57 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 16:02:22 2014 UTC