php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41685 Missing WARNING in array_push where next index is used.
Submitted: 2007-06-14 08:22 UTC Modified: 2007-06-24 17:37 UTC
From: rob_nicholson at uk dot ibm dot com Assigned:
Status: Closed Package: Arrays related
PHP Version: 5.2.3 OS: all
Private report: No CVE-ID:
 [2007-06-14 08:22 UTC] rob_nicholson at uk dot ibm dot com
Description:
------------
This testcase produces a warning:

<?php

$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;
$arr[]="foo";
?>

Output is:

WARNING: Cannot add element to the array as the next element is already occupied in  g:\foo.php on line 6.

This equivalent testcase produces no warning.

<?php

$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;

array_push ($arr,"foo","bar");
var_dump($arr);
?>







Reproduce code:
---------------
<?php

$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;

array_push ($arr,"foo","bar");
var_dump($arr);
?>


Expected result:
----------------
WARNING: Cannot add element to the array as the next element is already occupied in  g:\foo.php on line 6.
array(2) {
  [-2147483648]=>
  int(8)
  [2147483647]=>
  int(1)
}


Actual result:
--------------
array(2) {
  [-2147483648]=>
  int(8)
  [2147483647]=>
  int(1)
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-14 15:51 UTC] zoe@php.net
In case this helps - I think I can see where the problem is in the code:

In zend_fetch_dimension_address in zend_execute.c the following code snippet:


		case IS_ARRAY:
			if ((type==BP_VAR_W || type==BP_VAR_RW) && container->refcount>1 && !PZVAL_IS_REF(container)) {
				SEPARATE_ZVAL(container_ptr);
				container = *container_ptr;
			}
			if (dim == NULL) {
				zval *new_zval = &EG(uninitialized_zval);

				new_zval->refcount++;
				if (zend_hash_next_index_insert(Z_ARRVAL_P(container), &new_zval, sizeof(zval *), (void **) &retval) == FAILURE) {
					zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
					retval = &EG(error_zval_ptr);
					new_zval->refcount--;
				}

But in array_push in ext/standard/array.c is the following code:

	/* For each subsequent argument, make it a reference, increase refcount, and add it to the end of the array */
	for (i=1; i<argc; i++) {
		new_var = *args[i];
		new_var->refcount++;
	
		zend_hash_next_index_insert(Z_ARRVAL_P(stack), &new_var, sizeof(zval *), NULL);
	}

It looks as though this code should be checking the return code from zend_hash_next_index_insert and reporting the error.
 [2007-06-24 17:37 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 07:02:02 2014 UTC