php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71303 Segfault in zend_assign_concat due to E_NOTICE
Submitted: 2016-01-07 14:58 UTC Modified: 2016-01-18 10:21 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: laruence@php.net Assigned: dmitry (profile)
Status: Assigned Package: Scripting Engine problem
PHP Version: 7.0.2 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: laruence@php.net
New email:
PHP Version: OS:

 

 [2016-01-07 14:58 UTC] laruence@php.net
Description:
------------
E_NOTICE maybe result in symbol table resize, which will result in segfault

Test script:
---------------
function test() {
    for ($n = 'a'; $n < 'g'; $n++) {
        $$n = array();
    }
    $$n = array();
    $$n .= "test";
    return $$n;
}   


var_dump(test2());

Expected result:
----------------
no segfault

Actual result:
--------------
segfault 

valgrind:
PHP Notice:  Array to string conversion in /tmp/1.php on line 15

Notice: Array to string conversion in /tmp/1.php on line 15
==12029== Invalid read of size 1
==12029==    at 0x984238: _zval_dtor (zend_variables.h:41)
==12029==    by 0x98CF70: concat_function (zend_operators.c:1611)
==12029==    by 0xA137FD: zend_binary_assign_op_helper_SPEC_VAR_CONST (zend_vm_execute.h:16581)
==12029==    by 0xA13B7D: ZEND_ASSIGN_CONCAT_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16739)
==12029==    by 0x9F0BB4: execute_ex (zend_vm_execute.h:414)
==12029==    by 0x9F0CC6: zend_execute (zend_vm_execute.h:458)
==12029==    by 0x995C1E: zend_execute_scripts (zend.c:1427)
==12029==    by 0x902F01: php_execute_script (main.c:2484)
==12029==    by 0xA55028: do_cli (php_cli.c:974)
==12029==    by 0xA561EC: main (php_cli.c:1345)
==12029==  Address 0xb722de9 is 265 bytes inside a block of size 288 free'd
==12029==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12029==    by 0x9624DE: _efree (zend_alloc.c:2453)
==12029==    by 0x9A9251: zend_hash_do_resize (zend_hash.c:880)
==12029==    by 0x9A81E9: _zend_hash_add_or_update_i (zend_hash.c:591)
==12029==    by 0x9A85F0: _zend_hash_str_update_ind (zend_hash.c:662)
==12029==    by 0x9807BF: zend_set_local_var_str (zend_execute_API.c:1653)
==12029==    by 0x9004C7: php_error_cb (main.c:1203)
==12029==    by 0x7547C5: soap_error_handler (soap.c:2139)
==12029==    by 0x994CEB: zend_error (zend.c:1154)
==12029==    by 0x986E11: _zval_get_string_func (zend_operators.c:834)
==12029==    by 0x9934F2: zend_make_printable_zval (zend.c:249)
==12029==    by 0x98CF45: concat_function (zend_operators.c:1605)



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-01-07 14:58 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2016-01-09 14:09 UTC] laruence@php.net
and also:
<?php

class evil {
    public function __toString() {
        global $array;
        $array[] = 1;
        $array[] = 1;
        $array[] = 1;
        $array[] = 1;
        return "okey";
    }
}

$array = range(0, 5);

$array[1] .= new evil;
var_dump($array[1]);

thanks
 [2016-01-18 10:21 UTC] dmitry@php.net
-Assigned To: laruence +Assigned To: dmitry
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC