Bug #70852 Segfault getting NULL offset of an ArrayObject
Submitted: 2015-11-04 12:25 UTC
Modified: 2015-11-04 18:12 UTC
From: bastiaan at mollie dot com
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 5.6.15
OS: Linux
Private report: No
CVE-ID: None
 [2015-11-04 12:25 UTC] bastiaan at mollie dot com
Description:
------------
Attempts to access index NULL of an ArrayObject segfault

Test script:
---------------
<?php
$y = new ArrayObject();
echo $y[NULL];

Expected result:
----------------
PHP Notice: Undefined index: 

Actual result:
--------------
Segfault

 [2015-11-04 12:56 UTC] bastiaan at mollie dot com
Backtrace:

(gdb) bt
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x0000000000699195 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa2e0, fmt=0xbe37ed "s", ap=0x7fffffffa4a0) at /usr/src/builddir/main/spprintf.c:585
#2  0x0000000000699ebb in vspprintf (pbuf=pbuf@entry=0x7fffffffa360, max_len=1024, format=<optimized out>, ap=<optimized out>) at /usr/src/builddir/main/spprintf.c:821
#3  0x00000000006932c8 in php_error_cb (type=8, error_filename=0x7ffff7fd6898 "/var/www/public/test.php", error_lineno=4, format=<optimized out>, args=<optimized out>) at /usr/src/builddir/main/main.c:1022
#4  0x00000000005a7c30 in soap_error_handler (error_num=8, error_filename=0x7ffff7fd6898 "/var/www/public/test.php", error_lineno=4, format=0xbe37db "Undefined index: %s", args=0x7fffffffaa90)
    at /usr/src/builddir/ext/soap/soap.c:2216
#5  0x00000000006fa10c in zend_error (type=type@entry=8, format=format@entry=0xbe37db "Undefined index: %s") at /usr/src/builddir/Zend/zend.c:1142
#6  0x00000000005f0c22 in spl_array_get_dimension_ptr_ptr (object=<optimized out>, offset=0x7ffff7fd8668, type=type@entry=0, check_inherited=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /usr/src/builddir/ext/spl/spl_array.c:328
#7  0x00000000005f1181 in spl_array_read_dimension_ex (check_inherited=<optimized out>, object=0x7ffff7fd68c8, offset=0x7ffff7fd8668, type=0) at /usr/src/builddir/ext/spl/spl_array.c:406
#8  0x000000000077c972 in zend_fetch_dimension_address_read (result=0x7ffff7fa40b8, container=0x7ffff7fd68c8, dim=0x7ffff7fd8668, dim_type=dim_type@entry=1, type=type@entry=0) at /usr/src/builddir/Zend/zend_execute.c:1366
#9  0x000000000077da9c in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7fa4178) at /usr/src/builddir/Zend/zend_vm_execute.h:32676
#10 0x0000000000762f58 in execute_ex (execute_data=0x7ffff7fa4178) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#11 0x00000000006e868d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#12 0x00000000006fafe8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/builddir/Zend/zend.c:1341
#13 0x0000000000696502 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd210) at /usr/src/builddir/main/main.c:2597
#14 0x00000000007a1394 in do_cli (argc=3, argv=0xf509d0) at /usr/src/builddir/sapi/cli/php_cli.c:994
#15 0x0000000000471bff in main (argc=3, argv=0xf509d0) at /usr/src/builddir/sapi/cli/php_cli.c:1378
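
The backtrace above ends in strlen while the "%s" of "Undefined index: %s" is being formatted for a NULL offset. As an added example (not php-src code; the `val` type and both function names are hypothetical), this sketch reads only the member that matches a value's type tag and maps a null offset to the empty string, so the formatter always receives a valid string and produces the notice the report expects:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged value: the union member that is valid depends on `type`. */
enum val_type { T_NULL, T_LONG, T_STRING };

struct val {
    enum val_type type;
    union {
        long lval;
        const char *str;
    } u;
};

/*
 * Return the text to show for an offset in a notice. Only the member that
 * matches `type` is read, and the result is never NULL, so a "%s"
 * conversion cannot be handed a stale or null pointer.
 */
static const char *offset_text(const struct val *off, char *buf, size_t buflen)
{
    switch (off->type) {
    case T_NULL:
        return "";                       /* a null offset names the "" key */
    case T_LONG:
        snprintf(buf, buflen, "%ld", off->u.lval);
        return buf;
    case T_STRING:
        return off->u.str ? off->u.str : "";
    }
    return "";
}

/* Build the notice; returns the length snprintf reports. */
int undefined_index_notice(const struct val *off, char *out, size_t outlen)
{
    char tmp[32];
    return snprintf(out, outlen, "Undefined index: %s",
                    offset_text(off, tmp, sizeof tmp));
}

int main(void)
{
    /* Constructed input: null-typed value whose payload is not a string. */
    struct val off = { T_NULL, { 1 } };
    char msg[64];
    undefined_index_notice(&off, msg, sizeof msg);
    puts(msg);
    return 0;
}
```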
 [2015-11-04 18:12 UTC] requinix@php.net
-Summary: php.net
+Summary: Segfault getting NULL offset of an ArrayObject
-Status: Open
+Status: Verified
-Package: *General Issues
+Package: Reproducible crash
 [2015-11-04 18:12 UTC] requinix@php.net
https://3v4l.org/fnKeC

Only happens with 5.6.15.
 [2015-11-05 05:47 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
 [2015-11-05 05:47 UTC] reeze@php.net
-Status: Verified
+Status: Closed
 [2015-11-05 06:31 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.
 [2015-11-05 06:32 UTC] reeze@php.net
Automatic comment on behalf of reeze
Revision: http://git.php.net/?p=php-src.git;a=commit;h=51218b3b9dc612b2db7511f93296f975b6c2aa9d
Log: Fixed bug #70852 Segfault getting NULL offset of an ArrayObject.