Bug #67151 strtr with empty array crashes
Submitted: 2014-04-29 16:34 UTC
Modified: 2014-05-05 21:58 UTC
From: nikic@php.net
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 5.6.0beta1
OS:
Private report: No
CVE-ID:
 [2014-04-29 16:34 UTC] nikic@php.net
Description:
------------
<?php
var_dump(strtr("foo", []));

Valgrind:

==24828== Invalid read of size 1
==24828==    at 0x817D0EA: php_strtr_hash (string.c:2836)
==24828==    by 0x817DC37: php_strtr_array_do_repl (string.c:3049)
==24828==    by 0x817E255: php_strtr_array (string.c:3113)
==24828==    by 0x817E412: zif_strtr (string.c:3144)
==24828==    by 0x82A7E96: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==24828==    by 0x82AD85B: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2585)
==24828==    by 0x82A7392: execute_ex (zend_vm_execute.h:363)
==24828==    by 0x82A7447: zend_execute (zend_vm_execute.h:388)
==24828==    by 0x8266A15: zend_execute_scripts (zend.c:1330)
==24828==    by 0x81C77A3: php_execute_script (main.c:2549)
==24828==    by 0x831669C: do_cli (php_cli.c:994)
==24828==    by 0x8317BF6: main (php_cli.c:1378)
==24828==  Address 0x43fb16d is 3 bytes before a block of size 4 alloc'd
==24828==    at 0x402BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24828==    by 0x822C278: _emalloc (zend_alloc.c:2427)
==24828==    by 0x822C795: _estrndup (zend_alloc.c:2650)
==24828==    by 0x82624DD: _zval_copy_ctor_func (zend_variables.c:126)
==24828==    by 0x82A1BF1: _zval_copy_ctor (zend_variables.h:45)
==24828==    by 0x82ADC3E: ZEND_SEND_VAL_SPEC_CONST_HANDLER (zend_vm_execute.h:2754)
==24828==    by 0x82A7392: execute_ex (zend_vm_execute.h:363)
==24828==    by 0x82A7447: zend_execute (zend_vm_execute.h:388)
==24828==    by 0x8266A15: zend_execute_scripts (zend.c:1330)
==24828==    by 0x81C77A3: php_execute_script (main.c:2549)
==24828==    by 0x831669C: do_cli (php_cli.c:994)
==24828==    by 0x8317BF6: main (php_cli.c:1378)
==24828== 
string(3) "foo"
==24828== 
==24828== HEAP SUMMARY:
==24828==     in use at exit: 0 bytes in 0 blocks
==24828==   total heap usage: 12,026 allocs, 12,026 frees, 1,114,247 bytes allocated
==24828== 
==24828== All heap blocks were freed -- no leaks are possible
==24828== 
==24828== For counts of detected and suppressed errors, rerun with: -v
==24828== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)


 [2014-05-05 21:57 UTC] tyrael@php.net
I can't reproduce the script; could you tell me on which platform you experienced it, and your exact configure line?
 [2014-05-05 21:58 UTC] tyrael@php.net
-Status: Open +Status: Feedback
 [2014-06-17 10:44 UTC] jocelyn dot fournier at gmail dot com
Hi,

Don't know if it's related, but I also have an issue with strtr reported by valgrind, on php 5.5.13:

==11275== Use of uninitialised value of size 8
==11275==    at 0x8DC69D4: php_strtr_array_do_repl (string.c:3055)
==11275==    by 0x8DC70D1: php_strtr_array (string.c:3118)
==11275==    by 0x8DC72AC: zif_strtr (string.c:3149)
==11275==    by 0x8FD2F28: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==11275==    by 0x8FD39BD: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:685)
==11275==    by 0x8FD225A: execute_ex (zend_vm_execute.h:363)
==11275==    by 0x8FD2340: zend_execute (zend_vm_execute.h:388)
==11275==    by 0x8F75963: zend_call_function (zend_execute_API.c:939)
==11275==    by 0x8D8023C: zif_call_user_func_array (basic_functions.c:4806)
==11275==    by 0x8FD2F28: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==11275==    by 0x8FD39BD: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:685)
==11275==    by 0x8FD225A: execute_ex (zend_vm_execute.h:363)
==11275== 

Thanks and regards,
  Jocelyn Fournier
 [2014-06-17 10:56 UTC] jocelyn dot fournier at gmail dot com
My platform:

Linux 3.13.0-29-generic #53-Ubuntu SMP Wed Jun 4 21:00:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux, tested on the home page of a blank ezpublish installation (http://share.ez.no/content/download/157408/929566/version/1/file/ezpublish5_community_project-v2014.03-gpl-full.tar.gz)
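The two memcheck traces in this report (the original "Invalid read ... 3 bytes before a block" and the later "Use of uninitialised value") are the kind of output a triager has to read before deciding whether a crash is an out-of-bounds read, a use-after-free or an uninitialised-value use. The following parser is an added example for that triage step; it is not part of the PHP bug report or of php-src. It works on a constructed sample built from trimmed copies of the traces above and assumes plain memcheck text output (one `==pid==` prefix per line, a blank `==pid==` line closing each error block).

```python
"""Triage helper for Valgrind memcheck output (added example, not php-src code).

Parses memcheck error blocks, records the error kind, access size, the
innermost frames of the faulting stack and, for Invalid read/write, where
the address lies relative to the block memcheck reported it against, then
classifies each error from a defender's point of view (OOB read vs OOB
write vs use-after-free vs uninitialised-value use).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: trimmed copies of the two traces from this bug report.
SAMPLE_LOG = """\
==24828== Invalid read of size 1
==24828==    at 0x817D0EA: php_strtr_hash (string.c:2836)
==24828==    by 0x817DC37: php_strtr_array_do_repl (string.c:3049)
==24828==    by 0x817E255: php_strtr_array (string.c:3113)
==24828==    by 0x817E412: zif_strtr (string.c:3144)
==24828==  Address 0x43fb16d is 3 bytes before a block of size 4 alloc'd
==24828==    at 0x402BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24828==    by 0x822C278: _emalloc (zend_alloc.c:2427)
==24828==
string(3) "foo"
==11275== Use of uninitialised value of size 8
==11275==    at 0x8DC69D4: php_strtr_array_do_repl (string.c:3055)
==11275==    by 0x8DC70D1: php_strtr_array (string.c:3118)
==11275==
"""

# Line shapes memcheck uses for the start of an error, a stack frame,
# the "Address ... is N bytes before/after/inside a block" line and the
# blank line that terminates an error block.
ERROR_RE = re.compile(
    r"^==(\d+)== (Invalid (?:read|write)|Use of uninitialised value"
    r"|Conditional jump or move depends on uninitialised value\(s\)"
    r"|Invalid free\(\))(?: of size (\d+))?"
)
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes (before|after|inside) "
    r"a block of size (\d+) (alloc'd|free'd)"
)
END_RE = re.compile(r"^==\d+==\s*$")


@dataclass
class ValgrindError:
    pid: int
    kind: str
    size: Optional[int]
    frames: List[str] = field(default_factory=list)        # faulting stack, innermost first
    alloc_frames: List[str] = field(default_factory=list)  # where the referenced block came from
    offset: Optional[int] = None
    relation: Optional[str] = None     # before / after / inside
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # alloc'd / free'd

    @property
    def top_frame(self) -> Optional[str]:
        return self.frames[0] if self.frames else None

    def classify(self) -> str:
        """Map memcheck's wording onto the memory-safety class a triager cares about."""
        if self.kind.startswith("Invalid") and "free" not in self.kind:
            op = "read" if "read" in self.kind else "write"
            if self.block_state == "free'd":
                return f"use-after-free {op}"
            if self.relation == "before":
                return f"out-of-bounds {op} (buffer underflow)"
            if self.relation == "after":
                return f"out-of-bounds {op} (buffer overflow)"
            return f"invalid {op} (no block information)"
        if "uninitialised" in self.kind:
            return "uninitialised value use"
        return self.kind.lower()


def parse_memcheck(text: str) -> List[ValgrindError]:
    """Split memcheck output into ValgrindError records; program output is ignored."""
    errors: List[ValgrindError] = []
    current: Optional[ValgrindError] = None
    in_alloc_stack = False
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = ValgrindError(pid=int(m.group(1)), kind=m.group(2),
                                    size=int(m.group(3)) if m.group(3) else None)
            errors.append(current)
            in_alloc_stack = False
            continue
        if current is None:
            continue
        if END_RE.match(line):
            current = None  # blank ==pid== line closes the error block
            continue
        m = ADDR_RE.match(line)
        if m:
            current.offset, current.relation = int(m.group(1)), m.group(2)
            current.block_size, current.block_state = int(m.group(3)), m.group(4)
            in_alloc_stack = True  # frames after this line describe the allocation
            continue
        m = FRAME_RE.match(line)
        if m:
            (current.alloc_frames if in_alloc_stack else current.frames).append(m.group(1))
    return errors


def summarise(errors: List[ValgrindError]) -> List[str]:
    """One triage line per error: class, size, innermost frame and block relation."""
    lines = []
    for e in errors:
        text = f"pid {e.pid}: {e.classify()} of {e.size} byte(s) in {e.top_frame}"
        if e.relation:
            text += f", {e.offset} bytes {e.relation} a {e.block_size}-byte block ({e.block_state})"
        lines.append(text)
    return lines


if __name__ == "__main__":
    for line in summarise(parse_memcheck(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the first record comes out as an out-of-bounds read three bytes before the four-byte "foo" allocation in `php_strtr_hash`, which is the detail that makes the empty-array case worth treating as a memory-safety bug rather than a mere crash; the second is an uninitialised-value use with no block relation, so it needs a different investigation path.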
 [2014-07-02 20:37 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-02 20:37 UTC] nikic@php.net
-Status: Feedback +Status: Closed
 [2014-07-07 15:22 UTC] dmitry@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-21 09:31 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-21 10:02 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-07-30 09:52 UTC] tyrael@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3cc6bd10acdec14dc28bce1f39689bc99add4514
Log: Fix bug #67151: strtr with empty array crashes
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu Jul 27 16:01:43 2017 UTC