PHP :: Bug #39046 :: double free on circular references (PHP 4 only!)

Bug #39046

double free on circular references (PHP 4 only!)

Submitted:

2006-10-05 11:07 UTC

Modified:

2008-07-11 21:24 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (100.0%)

From:

checat at yandex dot ru

Assigned:

derick (profile)

Status:

Wont fix

Package:

Reproducible crash

PHP Version:

4.4.4

OS:

RHEL4

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	checat at yandex dot ru
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-10-05 11:07 UTC] checat at yandex dot ru

Description:
------------
When freeing array variables with multiple references, variables which should still be accessible via other reference may be unexpectedly freed.

Depending of the code it may produce data corruption, glibc-detected memory corruption or segfault.

Reproduce code:
---------------
<?php

$root=array('id'=>'1', 'parent_id'=>NULL);
$child1 = array('id'=>'2', 'parent_id'=>'1');

// build tree with references up and down
$root['childs'] = array();

$child1['parent'] = & $root;
$child1['parent']['childs'][] = & $child1;
$child1['childs'] = array();


print_r($root['childs'][0]['childs']);

unset($child1);

print_r($root['childs'][0]['childs']);

?>


Expected result:
----------------
Array
(
)
Array
(
)



Actual result:
--------------
CGI:
Array
(
)
Array
(
)
Segmentation fault

Apache2/prefork/mod_php: no output, Segmentation fault in log

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-10-05 11:13 UTC] checat at yandex dot ru

To have "double free" bug, one needs to wrap my test case into a function.

[2006-10-05 11:15 UTC] tony2001@php.net

Circular references is the easiest way one can shoot his own leg.
Upgrade to PHP5, which doesn't segfault.

[2006-10-05 11:31 UTC] derick@php.net

We still need to address segfaults in 4.4.

[2008-07-11 21:24 UTC] jani@php.net

We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Apr 20 20:01:27 2025 UTC