From: [EMAIL PROTECTED]
Operating system: Linux (RH 7.2)
PHP version: 4.1.0
PHP Bug Type: Reproducible crash
Bug description: String offset reference can be created and segfaults interpreter
It's possible to create a reference to a string offset (which is supposed
to be illegal) by returning it from a function:
<?php
function &f() {
    $x = "x";
    return $x{0};   // returns a string offset by reference (should be rejected)
}
$y =& f();          // binding the result by reference crashes the interpreter
?>
The above code triggers a segfault (tested with versions 4.0.6 and
4.1.0).
Here is the backtrace:
(gdb) bt
#0 0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
#1 0x080dbf00 in execute (op_array=0x813c8bc) at ./zend_execute.c:1703
#2 0x080bf4c4 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at zend.c:814
#3 0x0805bab5 in php_execute_script (primary_file=0xbffff8e0) at
main.c:1309
#4 0x08059698 in main (argc=1, argv=0xbffff984) at cgi_main.c:738
#5 0x400d3507 in __libc_start_main (main=0x8058ea8 <main>, argc=1,
ubp_av=0xbffff984, init=0x8057d2c <_init>, fini=0x80e1290 <_fini>,
rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffff97c)
at ../sysdeps/generic/libc-start.c:129
(gdb) frame 0
#0 0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
1751            SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);
--
Edit bug report at http://bugs.php.net/?id=16558&edit=1