php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #65901 ArrayObject causes symbolic table corruption
Submitted: 2013-10-15 17:00 UTC Modified: 2013-10-15 17:25 UTC
From: vgabor at vgabor dot com Assigned: nikic (profile)
Status: Closed Package: SPL related
PHP Version: Irrelevant OS: Linux/Debian
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: vgabor at vgabor dot com
New email:
PHP Version: OS:

 

 [2013-10-15 17:00 UTC] vgabor at vgabor dot com 
Description:
------------
In specific circumstances ArrayObject causes symbolic table corruption (current scope and independent function scope as well)

The main cause: if you set an array element on ArrayObject with null key (see test script)

$x = new ArrayObject;
...
$x[null]['bar'] = 'foo';

From now on all array access to non existing keys are corrupted. 
$a = array('a' => 'aa');
$a['b'] will return the $a itself.

tested version: 5.4.4-14+deb7u4


Test script:
---------------
##########################################

$a = array('a' => 'aa');

$x = new ArrayObject;
$x[null] = array();
$x[null]['bar'] = 'foo';  ### this causes it

# ----------------------------------------

function f($k) {
  $f = array('f' => 'ff');
  return $f[$k];
}

echo "ArrayObject dump:\n";
var_dump($x);

echo "Non-existing array elements (current scope, function scope)\n";
var_dump($a['b'], f('b'));

echo "Define a new variable: \$s='hohohoooo'\n";
$s = 'hohohoooo';
var_dump($a['b'], f('b'));

echo "Define a new variable: \$n=1\n";
$n = 1;
var_dump($a['b'], f('b'));

##########################################


Expected result:
----------------
ArrayObject dump:

object(ArrayObject)[8]
  public '' => 
    array (size=1)
      'bar' => string 'foo' (length=3)

Non-existing array elements (current scope, function scope)

null

null

Define a new variable: $s='hohohoooo'

null

null

Define a new variable: $n=1

null

null


Actual result:
--------------
ArrayObject dump:

object(ArrayObject)[8]
  
    array (size=0)
      empty

Non-existing array elements (current scope, function scope)

array (size=1)
  'bar' => string 'foo' (length=3)

array (size=1)
  'bar' => string 'foo' (length=3)

Define a new variable: $s='hohohoooo'

string 'hohohoooo' (length=9)

string 'hohohoooo' (length=9)

Define a new variable: $n=1

int 1

int 1

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-10-15 17:25 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2013-10-15 17:25 UTC] nikic@php.net 
This was fixed in PHP 5.4.8, see http://3v4l.org/p0fnK.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 12:01:31 2024 UTC