Bug #71539 Memory error on $arr[$a] =& $arr[$b] if RHS rehashes
Submitted: 2016-02-06 15:55 UTC Modified: 2016-10-03 06:46 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: nikic@php.net Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 7.0.3 OS:
Private report: No CVE-ID:
 [2016-02-06 15:55 UTC] nikic@php.net
Description:
------------
Reproduce code:

<?php
$array = [];
$array[0] =& $array[''];   // string key on the RHS forces packed-to-hash conversion

The $array[''] is used to force a packed-to-hash conversion.

Output:

[Sat Feb  6 16:53:58 2016]  Script:  '/home/nikic/php-src/t203.php'
/home/nikic/php-src/Zend/zend_execute.c(577) :  Freeing 0x7FEE3D6010E0 (24 bytes), script=/home/nikic/php-src/t203.php
=== Total 1 memory leaks detected ===

First valgrind:

==30433== Invalid read of size 1
==30433==    at 0xB7EAAD: zval_get_type (zend_types.h:330)
==30433==    by 0xBB80A5: ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER (zend_vm_execute.h:19702)
==30433==    by 0xB88A6F: execute_ex (zend_vm_execute.h:422)
==30433==    by 0xB88C71: zend_execute (zend_vm_execute.h:466)
==30433==    by 0xB247EC: zend_execute_scripts (zend.c:1427)
==30433==    by 0xA630F9: php_execute_script (main.c:2484)
==30433==    by 0xC0783C: do_cli (php_cli.c:974)
==30433==    by 0xC08CD1: main (php_cli.c:1345)
==30433==  Address 0xf47b680 is 16 bytes inside a block of size 264 free'd
==30433==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30433==    by 0xAE4EAD: _efree (zend_alloc.c:2453)
==30433==    by 0xB379A8: zend_hash_packed_to_hash (zend_hash.c:220)
==30433==    by 0xB3915C: _zend_hash_add_or_update_i (zend_hash.c:566)
==30433==    by 0xB3951C: _zend_hash_add_new (zend_hash.c:640)
==30433==    by 0xB852E5: zend_fetch_dimension_address_inner (zend_execute.c:1466)
==30433==    by 0xB85AB4: zend_fetch_dimension_address (zend_execute.c:1681)
==30433==    by 0xB861AE: zend_fetch_dimension_address_W (zend_execute.c:1772)
==30433==    by 0xBDAB96: ZEND_FETCH_DIM_W_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:36832)
==30433==    by 0xB88A6F: execute_ex (zend_vm_execute.h:422)
==30433==    by 0xB88C71: zend_execute (zend_vm_execute.h:466)
==30433==    by 0xB247EC: zend_execute_scripts (zend.c:1427)

The cause is the opcode sequence:

@1 = FETCH_DIM_W $array 0
@2 = FETCH_DIM_W $array ""
ASSIGN_REF @1 @2

Where the second FETCH_DIM_W will reallocate the backing array while @1 still holds a pointer into it.
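The dangling-pointer sequence described in the report, modelled as an added C example. This is not php-src code: the toy slot table, its generation counter, and the function names (table_fetch_w standing in for FETCH_DIM_W, assign_ref_unsafe_order for the FETCH_DIM_W / FETCH_DIM_W / ASSIGN_REF sequence) are assumptions made for illustration. The "safe order" shown is one way to avoid holding a raw pointer across a reallocation; it is not a description of the committed patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable slot table standing in for the Zend HashTable (assumption of
 * this example). Slots live in one heap block; growing the table allocates a
 * new block and frees the old one, as a packed-to-hash conversion does. */
typedef struct {
    long    *data;
    size_t   used;
    size_t   cap;
    unsigned gen;   /* bumped on every reallocation so stale pointers can be detected */
} table_t;

/* What a "fetch for write" hands back: a raw slot pointer plus the generation
 * it was taken in (the generation tag is part of this model, not of Zend). */
typedef struct { long *ptr; unsigned gen; } slot_ref;

static void table_init(table_t *t) { memset(t, 0, sizeof *t); }
static void table_free(table_t *t) { free(t->data); t->data = NULL; }

/* Model of FETCH_DIM_W: return a writable slot, growing the table when idx is
 * out of range. Growth moves the block and frees the old one, invalidating
 * every slot_ref handed out earlier. */
static slot_ref table_fetch_w(table_t *t, size_t idx) {
    if (idx >= t->cap) {
        size_t ncap = t->cap ? t->cap : 1;
        while (ncap <= idx) ncap *= 2;
        long *nd = calloc(ncap, sizeof *nd);
        if (!nd) abort();
        if (t->data) {
            memcpy(nd, t->data, t->used * sizeof *nd);
            free(t->data);          /* old block gone: earlier pointers now dangle */
        }
        t->data = nd;
        t->cap = ncap;
        t->gen++;
    }
    if (idx >= t->used) t->used = idx + 1;
    return (slot_ref){ &t->data[idx], t->gen };
}

static int slot_ref_valid(const table_t *t, slot_ref r) { return r.gen == t->gen; }

/* The order in the report: fetch lhs, fetch rhs, then assign. If the rhs fetch
 * grows the table, the lhs pointer points into freed memory. Returns -1
 * instead of writing through the stale pointer. */
static int assign_ref_unsafe_order(table_t *t, size_t lhs, size_t rhs) {
    slot_ref l = table_fetch_w(t, lhs);
    slot_ref r = table_fetch_w(t, rhs);       /* may reallocate */
    if (!slot_ref_valid(t, l))
        return -1;                            /* the use-after-free would happen here */
    *l.ptr = *r.ptr = 42;
    return 0;
}

/* One safe ordering (assumption of this example): let both fetches grow the
 * table while holding only indices, then resolve both pointers from the
 * final block, after which no further reallocation can occur. */
static int assign_ref_safe_order(table_t *t, size_t lhs, size_t rhs) {
    (void)table_fetch_w(t, lhs);
    (void)table_fetch_w(t, rhs);
    long *l = &t->data[lhs];
    long *r = &t->data[rhs];
    *l = *r = 42;
    return 0;
}

/* Scenarios mirroring the report: the bug needs the rhs fetch to reallocate. */
static int scenario_rhs_reallocates(void) {
    table_t t; table_init(&t);
    int rc = assign_ref_unsafe_order(&t, 0, 1);   /* slot 1 does not fit: table grows */
    table_free(&t);
    return rc;                                    /* -1: lhs pointer went stale */
}

static int scenario_rhs_fits(void) {
    table_t t; table_init(&t);
    (void)table_fetch_w(&t, 3);                   /* pre-grow to 4 slots */
    int rc = assign_ref_unsafe_order(&t, 0, 1);   /* no reallocation: not triggered */
    table_free(&t);
    return rc;                                    /* 0 */
}

static int scenario_safe_order(void) {
    table_t t; table_init(&t);
    int rc = assign_ref_safe_order(&t, 0, 1);
    int ok = rc == 0 && t.data[0] == 42 && t.data[1] == 42;
    table_free(&t);
    return ok;                                    /* 1 */
}

int main(void) {
    printf("lhs-then-rhs, rhs reallocates: %d (expect -1)\n", scenario_rhs_reallocates());
    printf("lhs-then-rhs, rhs fits:        %d (expect 0)\n", scenario_rhs_fits());
    printf("grow both first, then resolve: %d (expect 1)\n", scenario_safe_order());
    return 0;
}
```

The generation check is what makes the example safe to run: in the real engine there is no such tag, and ASSIGN_REF simply dereferences the stale @1 pointer, which is what valgrind reports as the invalid read inside the block freed by zend_hash_packed_to_hash.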

Patches

bug71539.diff (last revision 2016-07-06 20:13 UTC by dmitry@php.net)


Pull Requests


History

 [2016-05-13 09:02 UTC] dmitry@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2016-07-06 10:07 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467799650
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467799650
 [2016-07-06 14:33 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467815599
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467815599
 [2016-07-06 19:05 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467831947
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467831947
 [2016-07-06 20:13 UTC] dmitry@php.net
The following patch has been added/updated:

Patch Name: bug71539.diff
Revision:   1467835982
URL:        https://bugs.php.net/patch-display.php?bug=71539&patch=bug71539.diff&revision=1467835982
 [2016-07-06 22:00 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbca255cd001e377202437d8fabded0192107d84
Log: Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes)
 [2016-07-06 22:00 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbca255cd001e377202437d8fabded0192107d84
Log: Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes)
 [2016-09-30 11:13 UTC] cmb@php.net
-Status: Closed +Status: Re-Opened
 [2016-09-30 11:13 UTC] cmb@php.net
Is there any particular reason why this hasn't been fixed for PHP-7.0?
 [2016-10-03 06:46 UTC] dmitry@php.net
-Status: Re-Opened +Status: Closed
 [2016-10-03 06:46 UTC] dmitry@php.net
The fix relies on a new VM instruction, and new instructions are not allowed in minor releases.
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fbca255cd001e377202437d8fabded0192107d84
Log: Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 19 11:01:37 2017 UTC