php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78956 ArrayObject becomes SEGV under certain conditions.
Submitted: 2019-12-12 16:30 UTC Modified: 2019-12-13 09:45 UTC
From: zeriyoshi at gmail dot com Assigned:
Status: Duplicate Package: SPL related
PHP Version: 7.4.0 OS: Linux
Private report: No CVE-ID: None
 [2019-12-12 16:30 UTC] zeriyoshi at gmail dot com
Description:
------------
Call property_exists function in offsetExists method, ArrayObject raise Segmentation fault.

Test script:
---------------
<?php

// OK (Handled with memory-size over.)
// property_exists(
//     new class ([], \ArrayObject::ARRAY_AS_PROPS) extends \ArrayObject {
//         public function offsetExists($index)
//         {
//             return $this->offsetExists($index);
//         }
//     }, 
//     'foo'
// );

// NG (SEGV)
property_exists(
    new class ([], \ArrayObject::ARRAY_AS_PROPS) extends \ArrayObject {
        public function offsetExists($index)
        {
            return property_exists($this, $index);
        }
    }, 
    'foo'
);

Expected result:
----------------
Fatal error: Allowed memory size of %d bytes exhausted (tried to allocate %d bytes) in %s on line %d

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-12 17:25 UTC] cmb@php.net
This looks like infinite recursion, which would be considered a
programmer error.
 [2019-12-13 09:45 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2019-12-13 09:45 UTC] nikic@php.net
Duplicate of bug #64196.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 08:01:28 2024 UTC