Bug #41813 segmentation fault in string to array conversion
Submitted: 2007-06-26 15:23 UTC Modified: 2007-06-27 08:56 UTC
From: jontsa at amigaone dot cc Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.4-dev OS: Gentoo Linux
Private report: No CVE-ID:
 [2007-06-26 15:23 UTC] jontsa at amigaone dot cc
Description:
------------
If you convert a non-empty string to an array with an object as value, you get a segmentation fault. Tested on Gentoo Linux and Solaris with Apache 2 and PHP 5.2.3. There's no segmentation fault when converting, for example, a scalar variable, but an error message as expected.

Also tested from shell using:

 # echo '<?php $foo="50";$foo[0]->bar="xyz"; ?>' | /opt/php5/bin/php
 Segmentation fault

Reproduce code:
---------------
$foo="50";
$foo[0]->bar="xyz";

Expected result:
----------------
An error message of some sort.

Actual result:
--------------
From apache logs:

[Tue Jun 26 18:03:23 2007] [notice] child pid 16155 exit signal Segmentation fault (11)
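The report above shows the engine crashing when a script writes a property through an offset of a string. Until a fixed build is deployed, the script-level mitigation is to validate the container's type before the nested write, so a string (or other scalar) never reaches that engine path with untrusted input. The following is an added example, not code from the bug report or from PHP itself; the function name and the exception choice are this example's own assumptions.

```php
<?php
// Added example (not from the bug report or the PHP source).
// Guard a nested "array offset -> object property" write so that a
// string container is rejected with an exception instead of being
// handed to the engine's string-offset path. All names here are
// hypothetical.
function setNestedProperty(&$container, int $offset, string $prop, $value): void
{
    // The reporter's crashing input is a string container ("50").
    if (!is_array($container)) {
        throw new InvalidArgumentException(
            'Expected an array container, got ' . gettype($container)
        );
    }
    // The offset must exist and hold an object before we write a property.
    if (!isset($container[$offset]) || !is_object($container[$offset])) {
        throw new InvalidArgumentException(
            "Offset $offset does not hold an object"
        );
    }
    $container[$offset]->$prop = $value;
}

// Well-formed input: an array whose first element is an object.
$ok = [new stdClass()];
setNestedProperty($ok, 0, 'bar', 'xyz');
var_dump($ok[0]->bar);

// The reporter's input (constructed here): a non-empty string.
$bad = "50";
try {
    setNestedProperty($bad, 0, 'bar', 'xyz');
} catch (InvalidArgumentException $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

The check is deliberately placed in the caller rather than relying on the engine's error handling: a fatal error or a crash in a request-serving process is a denial-of-service condition, whereas a caught exception lets the application reject the malformed structure and continue.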

 [2007-06-26 15:53 UTC] sniper@php.net
Verified.
 [2007-06-27 08:15 UTC] judas dot iscariote at gmail dot com
Index: Zend/zend_execute.c
===================================================================
RCS file: /repository/ZendEngine2/zend_execute.c,v
retrieving revision 1.716.2.12.2.20
diff -u -r1.716.2.12.2.20 zend_execute.c
--- Zend/zend_execute.c 6 Jun 2007 08:35:23 -0000       1.716.2.12.2.20
+++ Zend/zend_execute.c 27 Jun 2007 08:14:40 -0000
@@ -530,6 +530,10 @@
        zval *value = get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R);
        zval **retval = &T(result->u.var).var.ptr;

+       if (!object_ptr) {
+               zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
+       }
+
        if (*object_ptr == EG(error_zval_ptr)) {
                FREE_OP(free_op2);
                if (!RETURN_VALUE_UNUSED(result)) {
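Review bot: The message in the new `zend_error_noreturn` call does not describe the case this hunk guards against: the report is about a string offset being used as an object (`$foo[0]->bar = "xyz"`), yet the text reads "Cannot use string offset as an array". Suggest wording it to match the actual operation, for example "Cannot use string offset as an object", so the fatal error points users at the real cause. Also worth a comment above `if (!object_ptr)` stating that a NULL `object_ptr` is what the string-offset fetch produces, since nothing in the visible context makes that contract explicit.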
 [2007-06-27 08:56 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC