Bug #70852 Segfault getting NULL offset of an ArrayObject
Submitted: 2015-11-04 12:25 UTC Modified: 2015-11-04 18:12 UTC
From: bastiaan at mollie dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.15 OS: Linux
Private report: No CVE-ID:
 [2015-11-04 12:25 UTC] bastiaan at mollie dot com
Description:
------------
Attempts to access index NULL of an ArrayObject segfault

Test script:
---------------
<?php
$y = new ArrayObject();
echo $y[NULL];

Expected result:
----------------
PHP Notice: Undefined index: 

Actual result:
--------------
Segfault

 [2015-11-04 12:56 UTC] bastiaan at mollie dot com
Backtrace:

(gdb) bt
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x0000000000699195 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa2e0, fmt=0xbe37ed "s", ap=0x7fffffffa4a0) at /usr/src/builddir/main/spprintf.c:585
#2  0x0000000000699ebb in vspprintf (pbuf=pbuf@entry=0x7fffffffa360, max_len=1024, format=<optimized out>, ap=<optimized out>) at /usr/src/builddir/main/spprintf.c:821
#3  0x00000000006932c8 in php_error_cb (type=8, error_filename=0x7ffff7fd6898 "/var/www/public/test.php", error_lineno=4, format=<optimized out>, args=<optimized out>) at /usr/src/builddir/main/main.c:1022
#4  0x00000000005a7c30 in soap_error_handler (error_num=8, error_filename=0x7ffff7fd6898 "/var/www/public/test.php", error_lineno=4, format=0xbe37db "Undefined index: %s", args=0x7fffffffaa90)
    at /usr/src/builddir/ext/soap/soap.c:2216
#5  0x00000000006fa10c in zend_error (type=type@entry=8, format=format@entry=0xbe37db "Undefined index: %s") at /usr/src/builddir/Zend/zend.c:1142
#6  0x00000000005f0c22 in spl_array_get_dimension_ptr_ptr (object=<optimized out>, offset=0x7ffff7fd8668, type=type@entry=0, check_inherited=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /usr/src/builddir/ext/spl/spl_array.c:328
#7  0x00000000005f1181 in spl_array_read_dimension_ex (check_inherited=<optimized out>, object=0x7ffff7fd68c8, offset=0x7ffff7fd8668, type=0) at /usr/src/builddir/ext/spl/spl_array.c:406
#8  0x000000000077c972 in zend_fetch_dimension_address_read (result=0x7ffff7fa40b8, container=0x7ffff7fd68c8, dim=0x7ffff7fd8668, dim_type=dim_type@entry=1, type=type@entry=0) at /usr/src/builddir/Zend/zend_execute.c:1366
#9  0x000000000077da9c in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7fa4178) at /usr/src/builddir/Zend/zend_vm_execute.h:32676
#10 0x0000000000762f58 in execute_ex (execute_data=0x7ffff7fa4178) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#11 0x00000000006e868d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#12 0x00000000006fafe8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#13 0x0000000000696502 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd210) at /usr/src/builddir/main/main.c:2597
#14 0x00000000007a1394 in do_cli (argc=3, argv=0xf509d0) at /usr/src/builddir/sapi/cli/php_cli.c:994
#15 0x0000000000471bff in main (argc=3, argv=0xf509d0) at /usr/src/builddir/sapi/cli/php_cli.c:1378
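The backtrace above shows the notice format "Undefined index: %s" reaching spprintf's %s conversion (frame #1, xbuf_format_converter) with a NULL string pointer, where glibc's strlen faults (frame #0). The program below is an added C model of that path, not code from php-src or from the fix commit: the offset type and the functions offset_key_string, format_undefined_index and undefined_index_notice are hypothetical stand-ins. It shows the unguarded case, where a NULL offset leaves the key pointer NULL and the formatter would otherwise dereference it, beside the handled case, where NULL maps to the empty string that the report's expected output "Undefined index: " implies.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the offset value an ArrayObject
 * lookup receives. This is an added model, not PHP's zval or anything
 * from ext/spl; only the kinds relevant to this report are represented. */
typedef enum { OFF_NULL, OFF_LONG, OFF_STRING } offset_kind;

typedef struct {
    offset_kind kind;
    long        lval;   /* valid when kind == OFF_LONG   */
    const char *sval;   /* valid when kind == OFF_STRING */
} offset_t;

/* Convert an offset to the key text used in an "Undefined index" notice.
 * Returns a malloc'd string the caller must free.
 *
 * With handle_null == 0 the NULL offset is not handled and the function
 * returns a NULL pointer, which is the shape of the failure in the
 * backtrace: a NULL char* handed to a "%s" conversion.
 * With handle_null != 0 a NULL offset is mapped to the empty string, the
 * key PHP's expected output "Undefined index: " implies. */
char *offset_key_string(const offset_t *off, int handle_null)
{
    char buf[32];

    switch (off->kind) {
    case OFF_STRING:
        return strdup(off->sval ? off->sval : "");
    case OFF_LONG:
        snprintf(buf, sizeof buf, "%ld", off->lval);
        return strdup(buf);
    case OFF_NULL:
        if (handle_null)
            return strdup("");
        /* fall through: the unhandled case leaves the key as NULL */
    default:
        return NULL;
    }
}

/* Minimal notice formatter. PHP's own spprintf calls strlen() on every
 * "%s" argument, so a NULL there segfaults. This version refuses the NULL
 * instead of dereferencing it.
 * Returns the number of bytes written, or -1 if key is NULL or the
 * buffer is too small. */
int format_undefined_index(char *out, size_t outsz, const char *key)
{
    if (key == NULL)
        return -1;
    int n = snprintf(out, outsz, "Undefined index: %s", key);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Whole path: resolve the offset, then format the notice.
 * Returns 0 on success (notice text in out), -1 if the key could not be
 * rendered, which is the point where the unguarded engine crashed. */
int undefined_index_notice(const offset_t *off, int handle_null,
                           char *out, size_t outsz)
{
    char *key = offset_key_string(off, handle_null);
    int rc = format_undefined_index(out, outsz, key);
    free(key);                      /* free(NULL) is a no-op */
    return rc < 0 ? -1 : 0;
}

int main(void)
{
    char msg[128];
    offset_t null_off = { OFF_NULL, 0, NULL };   /* $y[NULL] */
    offset_t long_off = { OFF_LONG, 7, NULL };   /* $y[7]    */
    offset_t str_off  = { OFF_STRING, 0, "k" };  /* $y["k"]  */

    if (undefined_index_notice(&null_off, 0, msg, sizeof msg) < 0)
        puts("unhandled NULL offset: key pointer is NULL, refused");
    if (undefined_index_notice(&null_off, 1, msg, sizeof msg) == 0)
        printf("handled NULL offset: \"%s\"\n", msg);
    if (undefined_index_notice(&long_off, 1, msg, sizeof msg) == 0)
        printf("%s\n", msg);
    if (undefined_index_notice(&str_off, 1, msg, sizeof msg) == 0)
        printf("%s\n", msg);
    return 0;
}
```

The design point is that the key conversion must produce a string for every offset kind the lookup accepts, and the formatter must treat a NULL argument as an error rather than trusting the caller; PHP's plain arrays already cast a NULL key to the empty string, which is why the reporter expects "Undefined index: " with an empty key rather than a crash.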
 [2015-11-04 18:12 UTC] requinix@php.net
-Summary: php.net +Summary: Segfault getting NULL offset of an ArrayObject -Status: Open +Status: Verified -Package: *General Issues +Package: Reproducible crash
 [2015-11-04 18:12 UTC] requinix@php.net
https://3v4l.org/fnKeC

Only happens with 5.6.15.
 [2015-11-05 05:47 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
 [2015-11-05 05:47 UTC] reeze@php.net
-Status: Verified +Status: Closed
 [2015-11-05 06:31 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
 [2015-11-05 06:32 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu Apr 27 22:01:38 2017 UTC