Bug #67874 Crash in array_map()
Submitted: 2014-08-20 17:38 UTC
Modified: 2014-08-20 17:38 UTC
From: dmitry@php.net
Assigned: dmitry
Status: Closed
Package: Scripting Engine problem
PHP Version: master-Git-2014-08-20 (Git)
OS: *
Private report: No
CVE-ID: None
 [2014-08-20 17:38 UTC] dmitry@php.net
Description:
------------
The following script triggers a use-after-free that may lead to a crash.

Test script:
---------------
<?php
$a = array(1,2,3);
$data = array($a);
$data = array_map('current', $data);
var_dump($data);
?>

Expected result:
----------------
array(1) {
  [0]=>
  int(1)
}


Actual result:
--------------
==10659== Invalid read of size 4
==10659==    at 0x867F392: zval_delref_p (zend.h:422)
==10659==    by 0x867F4F9: i_zval_ptr_dtor (zend_execute.h:57)
==10659==    by 0x868062B: _zval_ptr_dtor (zend_execute_API.c:492)
==10659==    by 0x8692889: _zval_ptr_dtor_wrapper (zend_variables.c:296)
==10659==    by 0x86A4B9B: zend_hash_destroy (zend_hash.c:900)
==10659==    by 0x86920A1: _zval_dtor_func (zend_variables.c:48)
==10659==    by 0x86CEDDA: zend_assign_to_variable (zend_execute.c:944)
==10659==    by 0x87262E6: ZEND_ASSIGN_SPEC_CV_VAR_HANDLER (zend_vm_execute.h:37258)
==10659==    by 0x86D131C: execute_ex (zend_vm_execute.h:354)
==10659==    by 0x86D1405: zend_execute (zend_vm_execute.h:383)
==10659==    by 0x8695554: zend_execute_scripts (zend.c:1319)
==10659==    by 0x861797E: php_execute_script (main.c:2564)
==10659==  Address 0x6c54968 is 0 bytes inside a block of size 24 free'd
==10659==    at 0x4007B21: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==10659==    by 0x8663C8C: _efree (zend_alloc.c:2448)
==10659==    by 0x869239D: _zval_dtor_func_for_ptr (zend_variables.c:139)
==10659==    by 0x867F547: i_zval_ptr_dtor (zend_execute.h:59)
==10659==    by 0x868062B: _zval_ptr_dtor (zend_execute_API.c:492)
==10659==    by 0x84E5ECA: zif_array_map (array.c:4473)
==10659==    by 0x86D1BE4: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:595)
==10659==    by 0x86D131C: execute_ex (zend_vm_execute.h:354)
==10659==    by 0x86D1405: zend_execute (zend_vm_execute.h:383)
==10659==    by 0x8695554: zend_execute_scripts (zend.c:1319)
==10659==    by 0x861797E: php_execute_script (main.c:2564)
==10659==    by 0x87301D0: do_cli (php_cli.c:980)


History

 [2014-08-20 17:38 UTC] dmitry@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: dmitry
 [2014-08-20 18:07 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cf09bc7825fc38a49b878beb9e73093aa0b7cf7e
Log: Fixed bug #67874 (Crash in array_map())
 [2014-08-20 18:07 UTC] dmitry@php.net
-Status: Assigned
+Status: Closed
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cf09bc7825fc38a49b878beb9e73093aa0b7cf7e
Log: Fixed bug #67874 (Crash in array_map())
 