PHP :: Bug #44184 :: Double free of loop-variable on exception

Bug #44184	Double free of loop-variable on exception
Submitted:	2008-02-20 11:51 UTC	Modified:	2008-02-20 12:07 UTC
From:	dmitry at dot php dot net	Assigned:	dmitry (profile)
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	5.2.5	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2008-02-20 11:51 UTC] dmitry at dot php dot net

Description:
------------
See the following code

Reproduce code:
---------------
<?php
function foo() {
        $x = array(1,2,3);
        foreach ($x as $a) {
                while (1) {
                        throw new Exception();
                }
            return;
        }
}
try {
        foo();
} catch (Exception $ex) {
        echo "ok\n";
}


Expected result:
----------------
ok

Actual result:
--------------
==31644== Invalid read of size 4
==31644==    at 0x83A0310: _zval_ptr_dtor (zend_execute_API.c:412)
==31644==    by 0x83D7383: zend_switch_free (zend_execute.c:372)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)
==31644==    by 0x842CB94: main (php_cli.c:1140)
==31644==  Address 0x4557F30 is 8 bytes inside a block of size 16 free'd
==31644==    at 0x400513F: free (vg_replace_malloc.c:233)
==31644==    by 0x8392725: _efree (zend_alloc.c:2290)
==31644==    by 0x83A03D7: safe_free_zval_ptr_rel (zend_execute.h:70)
==31644==    by 0x83A036C: _zval_ptr_dtor (zend_execute_API.c:415)
==31644==    by 0x83D734D: zend_switch_free (zend_execute.c:370)
==31644==    by 0x83D712A: ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (zend_vm_execute.h:580)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83D54BD: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==31644==    by 0x83DABD2: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1681)
==31644==    by 0x83D4EA4: execute (zend_vm_execute.h:92)
==31644==    by 0x83AFD6A: zend_execute_scripts (zend.c:1134)
==31644==    by 0x835D8B6: php_execute_script (main.c:2006)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-02-20 12:07 UTC] dmitry@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 13 10:00:02 2025 UTC