|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48248 SIGSEGV when access to private property via &__get
Submitted: 2009-05-12 17:09 UTC Modified: 2009-05-12 23:39 UTC
From: ladislav at marek dot su Assigned: felipe
Status: Closed Package: Reproducible crash
PHP Version: 5.2CVS-2009-05-12 OS: * 64bit
Private report: No CVE-ID:
 [2009-05-12 17:09 UTC] ladislav at marek dot su
Attempt to access private property of extended class when the parent class has method '__get' which returns reference, causing segmentation fault.

Compiled only with --enable-debug.

Reproduce code:
class A
    public function & __get($name)
        return $this->test;

class B extends A
    private $test;

$b = new B;

Expected result:

Actual result:
#0  0x00000000007b4859 in zend_std_get_property_ptr_ptr (object=0x29d83c8, member=0x29dbca8) at /root/php/php5.3-200905121430/Zend/zend_object_handlers.c:588
#1  0x00000000007b9b2e in zend_fetch_property_address (result=0x7f0590a24350, container_ptr=0xdd73c0, prop_ptr=0x29dbca8, type=1)
    at /root/php/php5.3-200905121430/Zend/zend_execute.c:1156
#2  0x000000000082e580 in ZEND_FETCH_OBJ_W_SPEC_UNUSED_CONST_HANDLER (execute_data=0x7f0590a242a8)
    at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:17494
#3  0x00000000007ba081 in execute (op_array=0x29ddae0) at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:104
#4  0x000000000077bcd3 in zend_call_function (fci=0x7fff98bb4d10, fci_cache=0x7fff98bb4ca0) at /root/php/php5.3-200905121430/Zend/zend_execute_API.c:936
#5  0x00000000007a684b in zend_call_method (object_pp=0x7fff98bb4db8, obj_ce=0x29dbe18, fn_proxy=0x29dbfd8, function_name=0xb4dd62 "__get",
    function_name_len=5, retval_ptr_ptr=0x7fff98bb4dc8, param_count=1, arg1=0x29dca60, arg2=0x0) at /root/php/php5.3-200905121430/Zend/zend_interfaces.c:97
#6  0x00000000007b29e9 in zend_std_call_getter (object=0x29d83c8, member=0x29dca60) at /root/php/php5.3-200905121430/Zend/zend_object_handlers.c:81
#7  0x00000000007b383a in zend_std_read_property (object=0x29d83c8, member=0x29d98c0, type=0)
    at /root/php/php5.3-200905121430/Zend/zend_object_handlers.c:350
#8  0x000000000084944b in zend_fetch_property_address_read_helper_SPEC_CV_CONST (type=0, execute_data=0x7f0590a24090)
    at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:23769
#9  0x0000000000849574 in ZEND_FETCH_OBJ_R_SPEC_CV_CONST_HANDLER (execute_data=0x7f0590a24090) at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:23794
#10 0x00000000007ba081 in execute (op_array=0x29d8f90) at /root/php/php5.3-200905121430/Zend/zend_vm_execute.h:104
#11 0x000000000078b381 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php/php5.3-200905121430/Zend/zend.c:1188
#12 0x0000000000719fad in php_execute_script (primary_file=0x7fff98bb7620) at /root/php/php5.3-200905121430/main/main.c:2182
#13 0x000000000086fd03 in main (argc=2, argv=0x7fff98bb7868) at /root/php/php5.3-200905121430/sapi/cli/php_cli.c:1188


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-12 23:21 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Mon Nov 30 18:01:32 2015 UTC