Bug #41813 segmentation fault in string to array conversion
Submitted: 2007-06-26 15:23 UTC Modified: 2007-06-27 08:56 UTC
From: jontsa at amigaone dot cc Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.4-dev OS: Gentoo Linux
Private report: No CVE-ID: None


 [2007-06-26 15:23 UTC] jontsa at amigaone dot cc
If you convert a non-empty string to an array with an object as value, you get a segmentation fault. Tested on Gentoo Linux and Solaris with Apache 2 and PHP 5.2.3. There's no segmentation fault when converting, for example, a scalar variable, but an error message as expected.

Also tested from shell using:

 # echo '<?php $foo="50";$foo[0]->bar="xyz"; ?>' | /opt/php5/bin/php
 Segmentation fault

Reproduce code:

Expected result:
An error message of some sort.

Actual result:
From apache logs:

[Tue Jun 26 18:03:23 2007] [notice] child pid 16155 exit signal Segmentation fault (11)


 [2007-06-26 15:53 UTC]
 [2007-06-27 08:15 UTC] judas dot iscariote at gmail dot com
Index: Zend/zend_execute.c
RCS file: /repository/ZendEngine2/zend_execute.c,v
retrieving revision 1.716.
diff -u -r1.716. zend_execute.c
--- Zend/zend_execute.c 6 Jun 2007 08:35:23 -0000       1.716.
+++ Zend/zend_execute.c 27 Jun 2007 08:14:40 -0000
@@ -530,6 +530,10 @@
        zval *value = get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R);
        zval **retval = &T(result->u.var).var.ptr;

+       if (!object_ptr) {
+               zend_error_noreturn(E_ERROR, "Cannot use string offset as an array");
+       }
        if (*object_ptr == EG(error_zval_ptr)) {
                if (!RETURN_VALUE_UNUSED(result)) {
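
Review bot: the new `if (!object_ptr)` guard is placed after `value` has already been fetched with `get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R)`, so the fatal-error path exits with that operand fetched and `free_value` never released; consider moving the guard above the `value` fetch so the error path bails out before any operand is touched. The message also says "Cannot use string offset as an array", while the reproduction in the report (`$foo[0]->bar="xyz"`) is a property assignment, so wording along the lines of "as an object" would describe the failing operation more accurately. A regression test built from the one-line reproducer in the report would keep the NULL `object_ptr` case from coming back unnoticed.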
 [2007-06-27 08:56 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Tue Sep 21 12:03:37 2021 UTC