ID: 16558
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Reproducible crash
Operating System: Linux (RH 7.2)
PHP Version: 4.1.0
New Comment:
Note: you do not have to do reference-assignment ("= &") to trigger the
segfault; the following reproduces the crash as well:
<?php
function &f() {
    $x = "x";
    return $x{0};   // returns a string offset from a by-reference function
}
$y = f();           // plain assignment, no "=&", still crashes
?>
Previous Comments:
------------------------------------------------------------------------
[2002-04-11 17:34:10] [EMAIL PROTECTED]
It's possible to create a reference to a string offset (which is
supposed to be illegal) by returning it from a function:
<?php
function &f() {
    $x = "x";
    return $x{0};   // string offset returned by reference
}
$y =& f();          // reference-assigns the returned offset
?>
The above code triggers a segfault (tested with versions 4.0.6 and 4.1.0).
Here is the backtrace:
(gdb) bt
#0 0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
#1 0x080dbf00 in execute (op_array=0x813c8bc) at ./zend_execute.c:1703
#2 0x080bf4c4 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:814
#3 0x0805bab5 in php_execute_script (primary_file=0xbffff8e0) at main.c:1309
#4 0x08059698 in main (argc=1, argv=0xbffff984) at cgi_main.c:738
#5 0x400d3507 in __libc_start_main (main=0x8058ea8 <main>, argc=1, ubp_av=0xbffff984, init=0x8057d2c <_init>, fini=0x80e1290 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffff97c) at ../sysdeps/generic/libc-start.c:129
(gdb) frame 0
#0 0x080dc270 in execute (op_array=0x8141a88) at ./zend_execute.c:1751
1751        SEPARATE_ZVAL_TO_MAKE_IS_REF(retval_ptr_ptr);
------------------------------------------------------------------------
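A source-level check for the trigger described in this report, added here as an example and not part of the bug report or of PHP itself: it scans PHP source for reference-returning functions (`function &name`) whose return statement is an offset expression, the shape that reaches SEPARATE_ZVAL_TO_MAKE_IS_REF above. The sample source and function names are constructed; `$v[...]` may be an array rather than a string offset, so the result is a heuristic for review, not a proof of a crash.

```python
import re

# Constructed sample modelled on the report's reproducer (not the page's file).
SAMPLE_PHP = """<?php
function &f() {
    $x = "x";
    return $x{0};
}
function &g() {
    $arr = array("a");
    return $arr;
}
function h() {
    $x = "x";
    return $x{0};
}
$y =& f();
?>"""

# "function &name(...) {" -- a function declared to return by reference.
REF_FUNC = re.compile(r'function\s*&\s*([A-Za-z_]\w*)\s*\([^)]*\)\s*\{')
# "return $var{...};" or "return $var[...];" -- an offset expression.
OFFSET_RETURN = re.compile(r'return\s+\$[A-Za-z_]\w*\s*(\{[^}]*\}|\[[^\]]*\])\s*;')

def body_of(src, open_brace):
    """Return the text between the brace at index open_brace and its match."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]          # unbalanced source: take the rest

def find_offset_returns(src):
    """Return [(function_name, line_number)] for every by-reference function
    that returns an offset expression; non-reference functions are ignored."""
    hits = []
    for m in REF_FUNC.finditer(src):
        body = body_of(src, m.end() - 1)   # m.end()-1 is the opening brace
        for r in OFFSET_RETURN.finditer(body):
            absolute = m.end() + r.start()  # index of "return" in src
            hits.append((m.group(1), src[:absolute].count('\n') + 1))
    return hits

if __name__ == "__main__":
    for name, line in find_offset_returns(SAMPLE_PHP):
        print("function &%s returns an offset at line %d" % (name, line))
```

Only f() is reported: g() returns a whole variable and h() does not return by reference.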
--
Edit this bug report at http://bugs.php.net/?id=16558&edit=1