Bug #71303 Segfault in zend_assign_concat due to E_NOTICE
Submitted: 2016-01-07 14:58 UTC Modified: 2016-01-18 10:21 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: laruence@php.net Assigned: dmitry (profile)
Status: Assigned Package: Scripting Engine problem
PHP Version: 7.0.2 OS:
Private report: No CVE-ID: None
 [2016-01-07 14:58 UTC] laruence@php.net
Description:
------------
E_NOTICE may result in a symbol table resize, which will result in a segfault

Test script:
---------------
<?php
// Fill the symbol table with variable-variables $a .. $f so that the next
// insert into it triggers a resize.
function test() {
    for ($n = 'a'; $n < 'g'; $n++) {
        $$n = array();
    }
    $$n = array();   // $n is now 'g': $g holds an array
    $$n .= "test";   // "Array to string conversion" notice; with track_errors=On
                     // php_error_cb() stores $php_errormsg into the table
                     // (zend_set_local_var_str in the trace), which resizes it
                     // while concat_function() still holds a pointer into it
    return $$n;
}

var_dump(test());

Expected result:
----------------
no segfault

Actual result:
--------------
segfault 

valgrind:
PHP Notice:  Array to string conversion in /tmp/1.php on line 15

Notice: Array to string conversion in /tmp/1.php on line 15
==12029== Invalid read of size 1
==12029==    at 0x984238: _zval_dtor (zend_variables.h:41)
==12029==    by 0x98CF70: concat_function (zend_operators.c:1611)
==12029==    by 0xA137FD: zend_binary_assign_op_helper_SPEC_VAR_CONST (zend_vm_execute.h:16581)
==12029==    by 0xA13B7D: ZEND_ASSIGN_CONCAT_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16739)
==12029==    by 0x9F0BB4: execute_ex (zend_vm_execute.h:414)
==12029==    by 0x9F0CC6: zend_execute (zend_vm_execute.h:458)
==12029==    by 0x995C1E: zend_execute_scripts (zend.c:1427)
==12029==    by 0x902F01: php_execute_script (main.c:2484)
==12029==    by 0xA55028: do_cli (php_cli.c:974)
==12029==    by 0xA561EC: main (php_cli.c:1345)
==12029==  Address 0xb722de9 is 265 bytes inside a block of size 288 free'd
==12029==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12029==    by 0x9624DE: _efree (zend_alloc.c:2453)
==12029==    by 0x9A9251: zend_hash_do_resize (zend_hash.c:880)
==12029==    by 0x9A81E9: _zend_hash_add_or_update_i (zend_hash.c:591)
==12029==    by 0x9A85F0: _zend_hash_str_update_ind (zend_hash.c:662)
==12029==    by 0x9807BF: zend_set_local_var_str (zend_execute_API.c:1653)
==12029==    by 0x9004C7: php_error_cb (main.c:1203)
==12029==    by 0x7547C5: soap_error_handler (soap.c:2139)
==12029==    by 0x994CEB: zend_error (zend.c:1154)
==12029==    by 0x986E11: _zval_get_string_func (zend_operators.c:834)
==12029==    by 0x9934F2: zend_make_printable_zval (zend.c:249)
==12029==    by 0x98CF45: concat_function (zend_operators.c:1605)



History

 [2016-01-07 14:58 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2016-01-09 14:09 UTC] laruence@php.net
and also:
<?php

class evil {
    public function __toString() {
        // Runs while concat_function() still holds a pointer to the
        // $array[1] zval. The appends push range(0, 5) past its 8-slot
        // bucket array, so the storage is reallocated and the block that
        // pointer refers to is freed.
        global $array;
        $array[] = 1;
        $array[] = 1;
        $array[] = 1;
        $array[] = 1;
        return "okey";
    }
}

$array = range(0, 5);

$array[1] .= new evil;   // string conversion of the object calls __toString()
var_dump($array[1]);

thanks
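The pattern behind both scripts, as an added C example that is not part of this report or of the PHP engine: a toy growable symbol table, a ".=" implementation that holds a slot pointer across a callback able to insert into that table (the E_NOTICE handler in the first script, __toString() in the second), and the hardened form that re-resolves the slot after the callback. Table, Entry, rhs_that_grows, concat_assign_unsafe, concat_assign_safe and run are hypothetical names; the retired storage is zeroed and kept rather than freed so that the stale read yields a visibly wrong value instead of the crash valgrind shows above.

```c
/* Added illustration (not PHP engine code): a toy growable symbol table and
 * two implementations of ".=" over it.  rhs_that_grows() stands in for the
 * E_NOTICE handler (first script) and __toString() (second script), both of
 * which insert into the table in the middle of the concat. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16
#define VAL_LEN  64

typedef struct { char name[NAME_LEN]; char value[VAL_LEN]; } Entry;

typedef struct {
    Entry  *entries;
    size_t  count, capacity;
    Entry  *old_block;  /* demo device: retired storage, kept alive and zeroed */
} Table;

/* Append an entry, doubling the backing array when it is full.  The engine
 * (zend_hash_do_resize) frees the old block; here it is zeroed and kept so
 * that a stale read gives a deterministic wrong answer instead of a crash. */
static Entry *table_add(Table *t, const char *name, const char *value) {
    if (t->count == t->capacity) {
        size_t ncap = t->capacity ? t->capacity * 2 : 2;
        Entry *n = calloc(ncap, sizeof *n);
        if (t->entries) {
            memcpy(n, t->entries, t->count * sizeof *n);
            memset(t->entries, 0, t->capacity * sizeof *n);
            free(t->old_block);
            t->old_block = t->entries;
        }
        t->entries = n;
        t->capacity = ncap;
    }
    Entry *e = &t->entries[t->count++];
    snprintf(e->name, NAME_LEN, "%s", name);
    snprintf(e->value, VAL_LEN, "%s", value);
    return e;
}

static void table_free(Table *t) { free(t->entries); free(t->old_block); }

/* Produces the right-hand operand and, as a side effect, inserts into the
 * table: $php_errormsg from the notice, or "$array[] = 1" from __toString(). */
typedef const char *(*rhs_fn)(Table *t);

static const char *rhs_that_grows(Table *t) {
    table_add(t, "php_errormsg", "Array to string conversion");
    return "test";
}

/* Bug pattern from the report: the slot pointer is taken before the callback
 * and dereferenced after it, although the callback may have moved the table. */
static const char *concat_assign_unsafe(Table *t, size_t idx, rhs_fn rhs) {
    Entry *slot = &t->entries[idx];
    const char *r = rhs(t);                                     /* may reallocate */
    strncat(slot->value, r, VAL_LEN - strlen(slot->value) - 1); /* stale pointer */
    return slot->value;
}

/* Hardened form: keep the index (or a copy of the operand), never a pointer,
 * across anything that can run user code or the error handler, and
 * re-resolve the slot afterwards. */
static const char *concat_assign_safe(Table *t, size_t idx, rhs_fn rhs) {
    const char *r = rhs(t);
    Entry *slot = &t->entries[idx];                             /* re-resolved */
    size_t len = strlen(slot->value);
    snprintf(slot->value + len, VAL_LEN - len, "%s", r);
    return slot->value;
}

/* Build a table with `reserve` spare slots holding $a and $g (the array already
 * converted to "Array"), run one variant on $g and return its final value. */
const char *run(int use_unsafe, size_t reserve) {
    static char out[VAL_LEN];
    Table t = {0};
    if (reserve) { t.entries = calloc(reserve, sizeof(Entry)); t.capacity = reserve; }
    table_add(&t, "a", "1");
    table_add(&t, "g", "Array");
    const char *res = use_unsafe ? concat_assign_unsafe(&t, 1, rhs_that_grows)
                                 : concat_assign_safe(&t, 1, rhs_that_grows);
    snprintf(out, sizeof out, "%s", res);
    table_free(&t);
    return out;
}

int main(void) {
    printf("unsafe, table resized : \"%s\"\n", run(1, 0)); /* "test": "Array" lost  */
    printf("unsafe, no resize     : \"%s\"\n", run(1, 8)); /* "Arraytest": bug hidden */
    printf("safe,   table resized : \"%s\"\n", run(0, 0)); /* "Arraytest"             */
    return 0;
}
```

run(1, 8) is why the loop over $a..$f in the first script matters: with spare capacity no resize happens, the stale pointer stays valid and the result is correct, so the bug only surfaces once the table is full. The same holds for the appends in __toString(): if too few of them are made to push range(0, 5) past its bucket array, the statement simply yields "1okey" and nothing is freed.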
 [2016-01-18 10:21 UTC] dmitry@php.net
-Assigned To: laruence +Assigned To: dmitry
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 12:01:32 2024 UTC