PHP :: Bug #70852 :: Segfault getting NULL offset of an ArrayObject

Bug #70852	Segfault getting NULL offset of an ArrayObject
Submitted:	2015-11-04 12:25 UTC	Modified:	2015-11-04 18:12 UTC
From:	bastiaan at mollie dot com	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.6.15	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bastiaan at mollie dot com
New email:
PHP Version:		OS:

New Comment:

[2015-11-04 12:25 UTC] bastiaan at mollie dot com

Description:
------------
Attempts to access index NULL of an ArrayObject segfault

Test script:
---------------
<?php
$y = new ArrayObject();
echo $y[NULL];

Expected result:
----------------
PHP Notice: Undefined index: 

Actual result:
--------------
Segfault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-11-04 12:56 UTC] bastiaan at mollie dot com

Backtrace:

(gdb) bt
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x0000000000699195 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa2e0, fmt=0xbe37ed "s", ap=0x7fffffffa4a0) at /usr/src/builddir/main/spprintf.c:585
#2  0x0000000000699ebb in vspprintf (pbuf=pbuf@entry=0x7fffffffa360, max_len=1024, format=<optimized out>, ap=<optimized out>) at /usr/src/builddir/main/spprintf.c:821
#3  0x00000000006932c8 in php_error_cb (type=8, error_filename=0x7ffff7fd6898 "/var/www/public/test.php", error_lineno=4, format=<optimized out>, args=<optimized out>) at /usr/src/builddir/main/main.c:1022
#4  0x00000000005a7c30 in soap_error_handler (error_num=8, error_filename=0x7ffff7fd6898 "/var/www/public/test.php", error_lineno=4, format=0xbe37db "Undefined index: %s", args=0x7fffffffaa90)
    at /usr/src/builddir/ext/soap/soap.c:2216
#5  0x00000000006fa10c in zend_error (type=type@entry=8, format=format@entry=0xbe37db "Undefined index: %s") at /usr/src/builddir/Zend/zend.c:1142
#6  0x00000000005f0c22 in spl_array_get_dimension_ptr_ptr (object=<optimized out>, offset=0x7ffff7fd8668, type=type@entry=0, check_inherited=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /usr/src/builddir/ext/spl/spl_array.c:328
#7  0x00000000005f1181 in spl_array_read_dimension_ex (check_inherited=<optimized out>, object=0x7ffff7fd68c8, offset=0x7ffff7fd8668, type=0) at /usr/src/builddir/ext/spl/spl_array.c:406
#8  0x000000000077c972 in zend_fetch_dimension_address_read (result=0x7ffff7fa40b8, container=0x7ffff7fd68c8, dim=0x7ffff7fd8668, dim_type=dim_type@entry=1, type=type@entry=0) at /usr/src/builddir/Zend/zend_execute.c:1366
#9  0x000000000077da9c in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7fa4178) at /usr/src/builddir/Zend/zend_vm_execute.h:32676
#10 0x0000000000762f58 in execute_ex (execute_data=0x7ffff7fa4178) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#11 0x00000000006e868d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#12 0x00000000006fafe8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#13 0x0000000000696502 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd210) at /usr/src/builddir/main/main.c:2597
#14 0x00000000007a1394 in do_cli (argc=3, argv=0xf509d0) at /usr/src/builddir/sapi/cli/php_cli.c:994
#15 0x0000000000471bff in main (argc=3, argv=0xf509d0) at /usr/src/builddir/sapi/cli/php_cli.c:1378

[2015-11-04 18:12 UTC] requinix@php.net

-Summary: php.net +Summary: Segfault getting NULL offset of an ArrayObject -Status: Open +Status: Verified -Package: *General Issues +Package: Reproducible crash

[2015-11-04 18:12 UTC] requinix@php.net

https://3v4l.org/fnKeC

Only happens with 5.6.15.

[2015-11-05 05:47 UTC] reeze@php.net

Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.

[2015-11-05 05:47 UTC] reeze@php.net

-Status: Verified +Status: Closed

[2015-11-05 06:31 UTC] reeze@php.net

Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.

[2015-11-05 06:32 UTC] reeze@php.net

Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 11:01:28 2024 UTC