PHP :: Bug #46893 :: extract($foo) crashes if $foo['foo'] exists

Bug #46893	extract($foo) crashes if $foo['foo'] exists
Submitted:	2008-12-17 23:06 UTC	Modified:	2008-12-27 03:08 UTC
From:	steffen dot weber at gmail dot com	Assigned:	lbarnaud (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5CVS, 6CVS (2008-12-18)	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2008-12-17 23:06 UTC] steffen dot weber at gmail dot com

Description:
------------
Execute the following script and observe that $bar is set to a random integer (*). Furthermore $test is not set at all. This problem did not occur with PHP 5.2.6.

(*) Could this have security implications?

Reproduce code:
---------------
<?php
$foo = array('foo' => 1, 'bar' => 2, 'test' => 3);
extract($foo);
var_dump($foo, $bar, $test);
?>

Expected result:
----------------
int(1)
int(2)
int(3)

Actual result:
--------------
Notice: Undefined variable: test in extract-bug.php on line 4
int(1)
int(RANDOM_NUMBER)
NULL

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-12-18 12:25 UTC] jani@php.net

It fails "silently" because it crashes. :)

#0  0x083437ad in _zend_is_inconsistent (ht=0x1, file=0x85ffca4 "/home/jani/src/php-5.2/Zend/zend_hash.c", line=1083)
    at /home/jani/src/php-5.2/Zend/zend_hash.c:53
#1  0x083465be in zend_hash_move_forward_ex (ht=0x1, pos=0xbfffcd98) at /home/jani/src/php-5.2/Zend/zend_hash.c:1083
#2  0x082435a0 in zif_extract (ht=1, return_value=0x86e16f8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/jani/src/php-5.2/ext/standard/array.c:1491
#3  0x0835e8bf in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffcfa8)
    at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:200
#4  0x083641f9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffcfa8)
    at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:1729
#5  0x0835e43c in execute (op_array=0x86e1088) at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:92
#6  0x083397aa in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.2/Zend/zend.c:1134
#7  0x082e831a in php_execute_script (primary_file=0xbffff324) at /home/jani/src/php-5.2/main/main.c:2023
#8  0x083b4bc9 in main (argc=2, argv=0xbffff464) at /home/jani/src/php-5.2/sapi/cli/php_cli.c:1133

[2008-12-18 13:44 UTC] crrodriguez at opensuse dot org

Related to/Duplicated of Bug #46873 ?

[2008-12-23 10:00 UTC] matthieu at brunet-prod dot com

Same error here (5.2.8), but only if the array name is longer than 4 
cars.
So the supplied code works for me, but :
$foooo = array('foooo' => 1, 'bar' => 2, 'test' => 3);
will crash.
And it will crash only if there is one or more element after the element 
with the same name of the array.
So 
$foooo = array('foooo' => 1, 'bar' => 2);
will crash, but
$foooo = array('bar' => 1, 'foooo' => 2);
will work.

hth

[2008-12-26 11:54 UTC] felipe@php.net

Hi Arnald, that patch broken this.

[2008-12-26 11:58 UTC] felipe@php.net

*Arnaud
I suppose http://cvs.php.net/viewvc.cgi/php-src/ext/standard/array.c?r1=1.308.2.21.2.58&r2=1.308.2.21.2.59 (Fixed bugs #44181 & #44182 (extract() and references))

[2008-12-27 03:08 UTC] lbarnaud@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Dec 07 15:00:01 2025 UTC