Bug #74361 Compaction in array_rand() violates COW
Submitted: 2017-04-02 10:56 UTC
Modified: -
From: nikic@php.net
Assigned:
Status: Closed
Package: Arrays related
PHP Version: 7.1.4RC1
OS:
Private report: No
CVE-ID: None
 [2017-04-02 10:56 UTC] nikic@php.net
Description:
------------
From http://stackoverflow.com/questions/43162831/zend-mm-heap-corrupted-with-php-7-1.

If numUsed occupancy is <= 3/4, array_rand() compacts the array prior to sampling. This is done on a potentially shared array.

This may lead to SHM corruption, for example:

<?php

$array = [1 => 1, 2 => 2];
var_dump(array_rand($array));

Crashes on opcache.

It can also have other side effects:

<?php

$array = range(0, 100);
for ($i = 0; $i < 50; $i++) {
    unset($array[$i]);
}

foreach ($array as $x) {
    var_dump($x);
    if ($x == 55) {
        array_rand($array, 1);
    }
}

Here the array is resized during the loop, leaving a dangling pointer.
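
An added example, not from the bug report or php-src: a toy C model of the flaw described above, where a lookup compacts storage that another holder is still positioned in. `toy_array`, `nth_unsafe`, `nth_cow` and the slot layout are assumptions for illustration; the refcount guard is the general copy-on-write rule, not necessarily the change made in the fix commit.

```c
#include <stdio.h>

#define HOLE (-1)   /* slot emptied by unset() */

/* Toy model of a refcounted array (illustrative, not the engine's HashTable). */
typedef struct {
    int refcount;   /* holders sharing this storage */
    int used;       /* slots in use, holes included */
    int count;      /* live elements */
    int slots[8];
} toy_array;

/* Slide live elements over the holes; every slot index may change. */
static void compact(toy_array *a) {
    int j = 0;
    for (int i = 0; i < a->used; i++)
        if (a->slots[i] != HOLE) a->slots[j++] = a->slots[i];
    a->used = j;
}

/* Read-only scan for the n-th live element. */
static int nth_live(const toy_array *a, int n) {
    for (int i = 0; i < a->used; i++)
        if (a->slots[i] != HOLE && n-- == 0) return a->slots[i];
    return HOLE;
}

/* Flawed: compacts at <= 3/4 occupancy without checking ownership. */
static int nth_unsafe(toy_array *a, int n) {
    if (a->count * 4 <= a->used * 3) compact(a);
    return nth_live(a, n);
}

/* Copy-on-write rule: mutate only when this holder is the sole owner. */
static int nth_cow(toy_array *a, int n) {
    if (a->refcount == 1 && a->count * 4 <= a->used * 3) compact(a);
    return nth_live(a, n);
}

/* Returns 1 if a second holder's saved slot index still names element 11. */
static int cursor_survives(int (*pick)(toy_array *, int)) {
    toy_array a = { 2, 4, 2, { HOLE, HOLE, 10, 11 } };  /* constructed sample */
    int cursor = 3;               /* other holder is positioned on 11 */
    pick(&a, 0);
    return cursor < a.used && a.slots[cursor] == 11;
}

int main(void) {
    printf("unsafe: %d\n", cursor_survives(nth_unsafe));
    printf("cow:    %d\n", cursor_survives(nth_cow));
    return 0;
}
```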


History

 [2017-04-02 11:20 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c8034514edadbafc4376f107e2a4ba52b7b17ff4
Log: Fixed bug #74361
 [2017-04-02 11:20 UTC] nikic@php.net
-Status: Open +Status: Closed
 