php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69955 Segfault when trying to combine [] and assign-op on ArrayAccess object
Submitted: 2015-06-28 05:20 UTC Modified: 2015-06-28 11:04 UTC
From: stas@php.net Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-06-28 (Git) OS: *
Private report: No CVE-ID:
 [2015-06-28 05:20 UTC] stas@php.net
Description:
------------
When applying assign-operator (like +=) to result of $a[] when $a is an object implementing ArrayAccess, segfault happens.

Test script:
---------------
<?php
class C10 implements ArrayAccess
{
        function offsetExists($offset)
        {
                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset);
        }
        function offsetGet($offset)
        {
                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset); return 100;
        }
        function offsetSet($offset, $value)
        {
                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset); var_dump($value);
        }
        function offsetUnset($offset)
        {
                echo "\nInside " . __METHOD__ . "\n"; var_dump($offset);
        }
}

$c10 = new C10;

var_dump($c10[] += 5);


Expected result:
----------------
No segfault

Actual result:
--------------
Inside C10::offsetGet
NULL
Segmentation fault: 11


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-28 05:21 UTC] stas@php.net
-Assigned To: +Assigned To: dmitry
 [2015-06-28 06:05 UTC] stas@php.net
-PHP Version: master-Git-2015-06-28 (Git) +PHP Version: 7.0Git-2015-06-28 (Git)
 [2015-06-28 09:17 UTC] laruence@php.net
what I get is: 
Inside C10::offsetGet
PHP Notice:  Undefined variable: offset in /tmp/1.php on line 10

Notice: Undefined variable: offset in /tmp/1.php on line 10
NULL
PHP Notice:  Indirect modification of overloaded element of C10 has no effect in /tmp/1.php on line 24

Notice: Indirect modification of overloaded element of C10 has no effect in /tmp/1.php on line 24
php: /home/huixinchen/opensource/trunk/Zend/zend_vm_execute.h:34205: zend_binary_assign_op_dim_helper_SPEC_CV_UNUSED: Assertion `zval_get_type(&(rv)) == 15' failed.
Aborted (core dumped)


and zend_fetch_dimension_address_RW may really don't return a IS_INDRECT value.

thanks
 [2015-06-28 11:04 UTC] laruence@php.net
seems we should always have this:

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
index 933be83..be9b012 100644
--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -804,13 +804,11 @@ ZEND_VM_HELPER_EX(zend_binary_assign_op_dim_helper, VAR|UNUSED|CV, CONST|TMPVAR|
 			if (OP1_TYPE != IS_UNUSED) {
 				ZVAL_DEREF(container);
 			}
-#if !defined(ZEND_VM_SPEC) || (OP2_TYPE != IS_UNUSED)
 			if (OP1_TYPE == IS_UNUSED || EXPECTED(Z_TYPE_P(container) == IS_OBJECT)) {
 				value = get_zval_ptr((opline+1)->op1_type, (opline+1)->op1, execute_data, &free_op_data1
, BP_VAR_R);
 				zend_binary_assign_op_obj_dim(container, dim, value, UNEXPECTED(RETURN_VALUE_USED(opline
)) ? EX_VAR(opline->result.var) : NULL, binary_op);
 				break;
 			}
-#endif
 		}


thanks
 [2015-06-29 08:18 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e923197b48a200eb7cdb0f07d5e7d1a6533b12d
Log: Fixed bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object). (Laruence)
 [2015-06-29 08:18 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2015-07-07 23:37 UTC] ab@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e923197b48a200eb7cdb0f07d5e7d1a6533b12d
Log: Fixed bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object). (Laruence)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e923197b48a200eb7cdb0f07d5e7d1a6533b12d
Log: Fixed bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object). (Laruence)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Apr 30 18:01:35 2017 UTC