php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52237 Crash when passing the reference of the property of a non-object
Submitted: 2010-07-02 19:30 UTC Modified: 2010-07-05 11:15 UTC
From: sfera7512 at yahoo dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.2, 5.3, trunk OS: All
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: sfera7512 at yahoo dot com
New email:
PHP Version: OS:

 

 [2010-07-02 19:30 UTC] sfera7512 at yahoo dot com
Description:
------------
>	php5ts_debug.dll!zval_addref_p(_zval_struct * pz=0x034e1b73)  Line 381 + 0x3 bytes	C
 	php5ts_debug.dll!zend_fetch_property_address(_temp_variable * result=0x028e3778, _zval_struct * * container_ptr=0x3d767c8c, _zval_struct * prop_ptr=0x3d529e48, int type=1, void * * * tsrm_ls=0x024c1b18)  Line 1150 + 0x18 bytes	C
 	php5ts_debug.dll!ZEND_FETCH_OBJ_W_SPEC_VAR_CONST_HANDLER(_zend_execute_data * execute_data=0x028e3070, void * * * tsrm_ls=0x024c1b18)  Line 10092 + 0x20 bytes	C
 	php5ts_debug.dll!execute(_zend_op_array * op_array=0x03161028, void * * * tsrm_ls=0x024c1b18)  Line 107 + 0x11 bytes	C
 	php5ts_debug.dll!zend_execute_scripts(int type=8, void * * * tsrm_ls=0x024c1b18, _zval_struct * * retval=0x00000000, int file_count=3, ...)  Line 1194 + 0x21 bytes	C
 	php5ts_debug.dll!php_execute_script(_zend_file_handle * primary_file=0x00c1fed8, void * * * tsrm_ls=0x024c1b18)  Line 2260 + 0x1b bytes	C
 	php.exe!main(int argc=2, char * * argv=0x024c3f38)  Line 1192 + 0x13 bytes	C
 	php.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	php.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!763c3677() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	
 	ntdll.dll!76f39d72() 	
 	ntdll.dll!76f39d45()

Test script:
---------------
while (1)
{
        $data = 'test';
        parse_str($data,$data->info);
}

Expected result:
----------------
should throw Warning: Attempt to modify property of non-object

Actual result:
--------------
crash

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-03 00:07 UTC] felipe@php.net
-Summary: GC crash on updating property of nonobject +Summary: Crash when using an inexistent property of a variable converted to object as ref -Status: Open +Status: Assigned -Operating System: Win 7 x64 +Operating System: All -PHP Version: 5.3SVN-2010-07-02 (SVN) +PHP Version: 5.2, 5.3, trunk -Assigned To: +Assigned To: dmitry
 [2010-07-03 00:07 UTC] felipe@php.net
This is a common problem with variable converted internally to object and passing an inexistent property to function that expects reference.
e.g.

<?php

$data = 'test';
preg_match('//', '', $data->info);


Warning: Attempt to modify property of non-object in /home/felipe/dev/bug.php on line 4
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/ext/pcre/php_pcre.c(543) :  Freeing 0x0891D378 (44 bytes), script=../bug.php
/home/felipe/dev/php5/Zend/zend_API.c(957) : Actual location (location was relayed)
Last leak repeated 1 time
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/Zend/zend_API.c(1349) :  Freeing 0x0891D51C (20 bytes), script=../bug.php
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/Zend/zend_API.c(1350) :  Freeing 0x0891D560 (1 bytes), script=../bug.php
[Fri Jul  2 19:06:18 2010]  Script:  '../bug.php'
/home/felipe/dev/php5/Zend/zend_API.c(1352) :  Freeing 0x0891D594 (35 bytes), script=../bug.php
/home/felipe/dev/php5/Zend/zend_hash.c(388) : Actual location (location was relayed)
=== Total 5 memory leaks detected ===
 [2010-07-03 01:34 UTC] felipe@php.net
-Summary: Crash when using an inexistent property of a variable converted to object as ref +Summary: Crash when passing the reference of the property of a non-object
 [2010-07-03 14:15 UTC] felipe@php.net
The issue is that $data->info actually pointers to EG(error_zval_ptr) because $data is not empty, thus no object is created.
 [2010-07-05 11:08 UTC] dmitry@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=300990
Log: Fixed bug #52237 (Crash when passing the reference of the property of a non-object)
 [2010-07-05 11:15 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2010-07-05 11:15 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 08 12:01:26 2024 UTC