php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44046 array_slice(&$offset, $offset) crash
Submitted: 2008-02-04 22:31 UTC Modified: 2008-02-05 16:02 UTC
From: victor dot stinner at haypocalc dot com Assigned:
Status: Closed Package: Arrays related
PHP Version: 5.2.5 OS: Linux (Ubuntu Gutsy) on i386
Private report: No CVE-ID: None
 [2008-02-04 22:31 UTC] victor dot stinner at haypocalc dot com
Description:
------------
Code to crash PHP5 :
* ? $input = Array("array"); array_slice(&$input, &$input); ?
* ? $input = Array("array"); array_slice(&$input, 0, &$input); ?
* ? $input = Array("array"); array_slice(&$input, 0, 0, &$input); ?

array_slice() first checks first argument ($input) and then converts other arguments ($offset to long, $length to long, $preverse_keys to boolean). If arguments are shared as reference, $input type can change (to long or boolean).

Crash occurs in instruction ? num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)) ? : it reads ((HashTable*)input)->inconsistent. If input is 0 or 1, input read does crash with segmentation fault.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-04 22:53 UTC] victor dot stinner at haypocalc dot com
gdb session:

* $input type in array_slice() entry:
(gdb) print (**input).type
$1 = 4 '\004'    # IS_ARRAY

* $input type after execution of convert_to_long_ex() or convert_to_boolean_ex() :
(gdb) print (**input).type
$4 = 1 '\001'    # IS_LONG

* Execution of ? num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)) ? :

Program received signal SIGSEGV, Segmentation fault.
(gdb) where
#0  0x083281ad in _zend_is_inconsistent (ht=0x1, file=0x8451248 "/home/haypo/php-5.2.5/Zend/zend_hash.c", 
    line=1015) at /home/haypo/php-5.2.5/Zend/zend_hash.c:53
#1  0x0832ae37 in zend_hash_num_elements (ht=0x1) at /home/haypo/php-5.2.5/Zend/zend_hash.c:1015
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253
(...)
(gdb) frame 2
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253
2253            num_in = zend_hash_num_elements(Z_ARRVAL_PP(input));
(gdb) print (**input).type
$2 = 1 '\001'
 [2008-02-05 00:45 UTC] felipe@php.net
My suggestion:
http://ecl.mediain.com.br/diff/bug44046.diff

In .phpt for array_slice, the expected result treats 0 as NULL. Then, i guess that using long rather than zval could be used...
 [2008-02-05 16:02 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sat Sep 22 12:01:25 2018 UTC