Bug #69068 Exchanging array during array_walk -> memory errors
Submitted: 2015-02-17 16:13 UTC
Modified: 2016-07-29 22:21 UTC
From: nikic@php.net
Assigned: nikic
Status: Closed
Package: Arrays related
PHP Version: Irrelevant
OS:
Private report: No
CVE-ID:
 [2015-02-17 16:13 UTC] nikic@php.net
Description:
------------
<?php

$array = [1, 2, 3];
array_walk($array, function($value, $key) {
    $GLOBALS['array'] = [1, 2];
});

var_dump($array);

Valgrind:

nikic@saturn:~/php-src$ USE_ZEND_ALLOC=0 valgrind sapi/cli/php t016.php
==3768== Memcheck, a memory error detector
==3768== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3768== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==3768== Command: sapi/cli/php t016.php
==3768== 
==3768== Invalid read of size 4
==3768==    at 0x65B619: zend_hash_move_forward_ex (zend_hash.c:1731)
==3768==    by 0x528BB4: php_array_walk (array.c:1158)
==3768==    by 0x5292E5: zif_array_walk (array.c:1199)
==3768==    by 0x6936CB: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==3768==    by 0x692D40: execute_ex (zend_vm_execute.h:352)
==3768==    by 0x692E51: zend_execute (zend_vm_execute.h:381)
==3768==    by 0x646BFA: zend_execute_scripts (zend.c:1277)
==3768==    by 0x5C1AA2: php_execute_script (main.c:2549)
==3768==    by 0x6E8CCC: do_cli (php_cli.c:979)
==3768==    by 0x6E9D51: main (php_cli.c:1355)
==3768==  Address 0x5b0fa5c is 28 bytes inside a block of size 64 free'd
==3768==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3768==    by 0x618E5E: _efree (zend_alloc.c:2208)
==3768==    by 0x643A50: _zval_dtor_func_for_ptr (zend_variables.c:108)
==3768==    by 0x68D121: zend_assign_to_variable (zend_execute.h:88)
==3768==    by 0x6B1C75: ZEND_ASSIGN_DIM_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:13631)
==3768==    by 0x692D40: execute_ex (zend_vm_execute.h:352)
==3768==    by 0x630592: zend_call_function (zend_execute_API.c:845)
==3768==    by 0x5289E5: php_array_walk (array.c:1132)
==3768==    by 0x5292E5: zif_array_walk (array.c:1199)
==3768==    by 0x6936CB: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==3768==    by 0x692D40: execute_ex (zend_vm_execute.h:352)
==3768==    by 0x692E51: zend_execute (zend_vm_execute.h:381)

And so on.
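
Added example, not part of the original report or of php-src: a small Python triage helper that splits a Memcheck use-after-free record into its access stack and its free stack, then reports the innermost function present in both. The embedded record is an excerpt of the trace above with some frames trimmed; the name `triage` and the result keys are this example's own.

```python
import re

# Excerpt of the Memcheck record from this report (some frames trimmed).
REPORT = """\
==3768== Invalid read of size 4
==3768==    at 0x65B619: zend_hash_move_forward_ex (zend_hash.c:1731)
==3768==    by 0x528BB4: php_array_walk (array.c:1158)
==3768==    by 0x5292E5: zif_array_walk (array.c:1199)
==3768==  Address 0x5b0fa5c is 28 bytes inside a block of size 64 free'd
==3768==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3768==    by 0x618E5E: _efree (zend_alloc.c:2208)
==3768==    by 0x643A50: _zval_dtor_func_for_ptr (zend_variables.c:108)
==3768==    by 0x68D121: zend_assign_to_variable (zend_execute.h:88)
==3768==    by 0x630592: zend_call_function (zend_execute_API.c:845)
==3768==    by 0x5289E5: php_array_walk (array.c:1132)
==3768==    by 0x5292E5: zif_array_walk (array.c:1199)
"""

ERROR = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)\s*$")
FREED = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is .* free'd\s*$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)\s*$")

def triage(report):
    """Split one use-after-free record into its two stacks and locate the
    innermost function that appears in both of them."""
    kind, section = None, None
    stacks = {"access": [], "free": []}
    for line in report.splitlines():
        if m := ERROR.match(line):
            kind, section = m.group(1), "access"
        elif FREED.match(line):
            section = "free"
        elif section and (m := FRAME.match(line)):
            stacks[section].append((m.group(1), m.group(2)))
    if not stacks["access"] or not stacks["free"]:
        return None  # not a use-after-free record
    free_sites = {}
    for func, loc in stacks["free"]:
        free_sites.setdefault(func, loc)  # keep the innermost occurrence
    # Walk the access stack from the innermost frame outwards: the first function
    # also present in the free stack is the innermost caller common to both paths.
    shared = next(((f, loc, free_sites[f]) for f, loc in stacks["access"]
                   if f in free_sites), None)
    return {"kind": kind, "access": stacks["access"][0],
            "freed_by": stacks["free"], "shared": shared}

if __name__ == "__main__":
    r = triage(REPORT)
    print(r["kind"], r["access"], r["shared"])
```

For this record the shared frame is php_array_walk: the block was freed beneath its call at array.c:1132 and read again from array.c:1158, which is the signature of a callback invalidating state the caller still holds.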


 [2016-07-29 22:21 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 
Last updated: Sat Apr 29 17:01:36 2017 UTC