Bug #54262 Crash when assigning value to a dimension in a non-array
Submitted: 2011-03-16 01:48 UTC Modified: 2019-09-26 09:34 UTC
From: stas@php.net Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3SVN-2011-03-16 (SVN) OS: MacOS X 10.6.6
Private report: No CVE-ID: None
 [2011-03-16 01:48 UTC] stas@php.net
Description:
------------
Reported by Christian Holler on mailing list, test named 
'crashMemCorruptionZvalDtorFunc', produces the following on valgrind:


==71892== Invalid read of size 4
==71892==    at 0x51D7EA: zend_hash_destroy (in /Users/smalyshev/mphp)
==71892==    by 0x50DFCC: _zval_dtor_func (in /Users/smalyshev/mphp)
==71892==    by 0x4FFB62: _zval_dtor (in /Users/smalyshev/mphp)
==71892==    by 0x4FFEB6: _zval_ptr_dtor (in /Users/smalyshev/mphp)
==71892==    by 0x5B0982: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (in /Users/smalyshev/mphp)
==71892==    by 0x53AB23: execute (in /Users/smalyshev/mphp)
==71892==    by 0x510794: zend_execute_scripts (in /Users/smalyshev/mphp)
==71892==    by 0x49D228: php_execute_script (in /Users/smalyshev/mphp)
==71892==    by 0x5D2CDD: main (in /Users/smalyshev/mphp)
==71892==  Address 0x5c is not stack'd, malloc'd or (recently) free'd

The bug seems to be because in ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER,
error_zval_ptr is used to assign to it as if it were an array, which seems to lead
to unexpected consequences.

Test script:
---------------
<?php
$a = '0';
var_dump(isset($a['b']));                    // offset check on a string, not an array
$simpleString = preg_match('//', '', $a->a); // $a->a fetched by reference (SEND_REF) from a non-object
$simpleString["wrong"] = "f";                // dimension write on a non-array value: the crash site

 [2011-03-16 03:08 UTC] stas@php.net
Looks like SEND_REF in the preg_match() line makes error_zval_ptr not point to
error_zval, which may be the source of the problem...
 [2011-03-16 06:05 UTC] stas@php.net
-Type: Bug +Type: Security -Private report: N +Private report: Y
 [2011-03-16 12:15 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
 [2011-03-16 12:15 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2019-09-26 09:34 UTC] nikic@php.net
-Type: Security +Type: Bug
Last updated: Fri Nov 22 08:01:24 2019 UTC