PHP :: Bug #67801 :: PHPNG: SIGSEGV in zend_hash_index_find

Bug #67801

PHPNG: SIGSEGV in zend_hash_index_find_bucket (assigning values w/o key)

Submitted:

2014-08-06 21:32 UTC

Modified:

2014-08-15 11:52 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

bugs dot php dot net at majkl578 dot cz

Assigned:

Status:

Closed

Package:

Reproducible crash

PHP Version:

master-Git-2014-08-06 (Git)

OS:

Debian

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2014-08-06 21:32 UTC] bugs dot php dot net at majkl578 dot cz

Description:
------------
While trying PHPNG, I encountered a strange segmentation fault while appending entries to an array. I'm providing full reproduce case as I was unable to isolate it in a smaller script.

The crash occurs in file Tester/Runner/Runner.php on line 83:
$running[] = $job = array_shift($this->jobs);

PHPNG built from 414762fc12 using clang.

Test script:
---------------
$ git clone git://github.com/nette/tester.git
$ cd tester/
$ git checkout 5d7e2b4f4
$ gdb --args /path/to/sapi/cli/php -n tests/Runner.annotations.phpt
(gdb) run

Expected result:
----------------
No segmentation fault.

Actual result:
--------------
#0  0x0000000000cc0fed in zend_hash_index_find_bucket (ht=0x7fffed034a30, h=8) at Zend/zend_hash.c:239
#1  0x0000000000cbd700 in _zend_hash_index_update_or_next_insert_i (ht=0x7fffed034a30, h=8, pData=0x15c6db0 <executor_globals>, flag=4, __zend_filename=0x12259ce "/build/php/php-src/Zend/zend_execute.c", 
    __zend_lineno=1124) at Zend/zend_hash.c:479
#2  0x0000000000cbdb2b in _zend_hash_next_index_insert (ht=0x7fffed034a30, pData=0x15c6db0 <executor_globals>, __zend_filename=0x12259ce "/build/php/php-src/Zend/zend_execute.c", __zend_lineno=1124)
    at Zend/zend_hash.c:543
#3  0x0000000000d5d32b in zend_fetch_dimension_address (result=0x7ffff7e88be0, container_ptr=0x7ffff7e88860, dim=0x0, dim_type=8, type=1, is_ref=0) at Zend/zend_execute.c:1124
#4  0x0000000000d5c037 in zend_fetch_dimension_address_W (result=0x7ffff7e88be0, container_ptr=0x7ffff7e88860, dim=0x0, dim_type=8) at Zend/zend_execute.c:1253
#5  0x0000000000d4ac64 in ZEND_ASSIGN_DIM_SPEC_CV_UNUSED_HANDLER (execute_data=0x7ffff7e887d0) at Zend/zend_vm_execute.h:38691
#6  0x0000000000cf659c in execute_ex (execute_data=0x7ffff7e887d0) at Zend/zend_vm_execute.h:354
#7  0x0000000000cf673b in zend_execute (op_array=0x7ffff7f83318, return_value=0x0) at Zend/zend_vm_execute.h:383
#8  0x0000000000ca7655 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1322
#9  0x0000000000bea53e in php_execute_script (primary_file=0x7fffffffe028) at main/main.c:2564
#10 0x0000000000d7f4f9 in do_cli (argc=2, argv=0x15cbce0) at sapi/cli/php_cli.c:980
#11 0x0000000000d7e369 in main (argc=2, argv=0x15cbce0) at sapi/cli/php_cli.c:1358

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-08-15 11:52 UTC] bugs dot php dot net at majkl578 dot cz

-Status: Open +Status: Closed

[2014-08-15 11:52 UTC] bugs dot php dot net at majkl578 dot cz

Seems to be fixed.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 09:01:27 2024 UTC