From: [EMAIL PROTECTED]
Operating system: *
PHP version: 5CVS-2007-08-04 (CVS)
PHP Bug Type: Reproducible crash
Bug description: substr_replace() crashes when the same array is passed more than once

Description:
------------
substr_replace( subject, replacement, from, len ) is able to accept arrays for each parameter. However, when any two parameters which are arrays refer to the same array internally, the function can crash due to pointer equality. For the specific case given, substr_replace() reads a value from $a, performs convert_to_string_ex(), then reads a value from $b and performs convert_to_long_ex(). Because both arrays refer to the same hashtable, the code then ends up with a string expected and a long value instead, and the result is a sometimes-crash.

Reproduce code:
---------------
$a = array( 1, 2 );
$b = array( 1, 2 ); // creates new hashtable
$c = $a;            // bumps refcount on $a, no zval_copy_ctor()
var_dump( substr_replace( $a, 1, 1, $b ) );
var_dump( substr_replace( $a, 1, 1, $c ) );

Expected result:
----------------
array(2) {
  [0]=>
  string(2) "11"
  [1]=>
  string(2) "21"
}
array(2) {
  [0]=>
  string(2) "11"
  [1]=>
  string(2) "21"
}

Actual result:
--------------
array(2) {
  [0]=>
  string(2) "11"
  [1]=>
  string(2) "21"
}
Bus error or Segmentation fault

(gdb) bt
#0  0x00290913 in zif_substr_replace (ht=4, return_value=0x17b4728, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /Users/gwynne/src/php-src/php-5cvs/ext/standard/string.c:2341
#1  0x0037c25e in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd940) at /Users/gwynne/src/php-src/php-5cvs/Zend/zend_vm_execute.h:200
#2  0x003825e3 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffd940) at /Users/gwynne/src/php-src/php-5cvs/Zend/zend_vm_execute.h:1681
#3  0x0037bd31 in execute (op_array=0x17b360c) at /Users/gwynne/src/php-src/php-5cvs/Zend/zend_vm_execute.h:92
#4  0x00353829 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /Users/gwynne/src/php-src/php-5cvs/Zend/zend.c:1134
#5  0x002f5378 in php_execute_script (primary_file=0xbfffe058) at /Users/gwynne/src/php-src/php-5cvs/main/main.c:1794
#6  0x003d6aab in main (argc=2, argv=0xbfffe17c) at
/Users/gwynne/src/php-src/php-5cvs/sapi/cli/php_cli.c:1138

-- Edit bug report at http://bugs.php.net/?id=42208&edit=1
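The aliasing the report describes, as an added example that is neither the reporter's code nor PHP's source: a deliberately small C model in which two variables can share one refcounted table, the conversions mutate whatever element they are handed (the way the in-place convert_to_*_ex calls do), and a hardened variant reads converted copies instead. Everything here (val, table, arrayvar, table_new, arrayvar_share, splice, substr_replace_elem_buggy, substr_replace_elem_safe, run_case, run_case_last) is an assumption made for the illustration; the hardened variant shows one way to avoid the bug class and is not claimed to be the fix applied to PHP for this ticket. Rather than dereferencing the freed string as the engine would, the buggy path reports the type confusion with a return code so the effect can be observed without a crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Tiny stand-ins (assumptions, not PHP's real structs): a tagged value, a refcounted
   table playing the engine hashtable, and a variable slot such as $a, $b or $c. */
typedef enum { T_LONG, T_STRING } vtype;
typedef struct { vtype type; long lval; char *sval; } val;
typedef struct { int refcount; size_t n; val *items; } table;
typedef struct { table *ht; } arrayvar;

static char *dupstr(const char *s) { char *d = malloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }
static table *table_new(const long *nums, size_t n) {
    table *t = calloc(1, sizeof *t);
    t->refcount = 1; t->n = n; t->items = calloc(n, sizeof *t->items);
    for (size_t i = 0; i < n; i++) { t->items[i].type = T_LONG; t->items[i].lval = nums[i]; }
    return t;
}
static void table_release(table *t) {
    if (--t->refcount > 0) return;
    for (size_t i = 0; i < t->n; i++) if (t->items[i].type == T_STRING) free(t->items[i].sval);
    free(t->items); free(t);
}
/* "$c = $a": share the table and bump the refcount; nothing is deep-copied. */
static void arrayvar_share(arrayvar *dst, const arrayvar *src) { dst->ht = src->ht; src->ht->refcount++; }

/* In-place conversions in the spirit of convert_to_string_ex / convert_to_long_ex:
   they mutate the value they are handed, wherever that value lives. */
static void convert_to_string(val *v) {
    char buf[32];
    if (v->type == T_STRING) return;
    snprintf(buf, sizeof buf, "%ld", v->lval);
    v->sval = dupstr(buf); v->type = T_STRING;
}
static void convert_to_long(val *v) {
    if (v->type == T_LONG) return;
    v->lval = strtol(v->sval, NULL, 10);
    free(v->sval); v->sval = NULL; v->type = T_LONG;
}
/* s[0:from] + repl + s[from+len:], the scalar core of substr_replace. */
static int splice(const char *s, const char *repl, size_t from, size_t len, char *out, size_t cap) {
    size_t slen = strlen(s);
    if (from > slen) from = slen;
    if (len > slen - from) len = slen - from;
    int n = snprintf(out, cap, "%.*s%s%s", (int)from, s, repl, s + from + len);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* The pattern the report describes: subject[i] is converted to string in place, then len[i]
   to long in place.  When subject and len share one table, l == s and the second conversion
   frees the string the first one produced.  Returns -1 when that confusion is detected;
   the real engine would go on to dereference the stale pointer instead. */
static int substr_replace_elem_buggy(arrayvar *subject, const char *repl, size_t from,
                                     arrayvar *len, size_t i, char *out, size_t cap) {
    val *s = &subject->ht->items[i];
    convert_to_string(s);
    val *l = &len->ht->items[i];
    convert_to_long(l);                          /* clobbers s when l == s */
    if (s->type != T_STRING) return -1;
    return splice(s->sval, repl, from, (size_t)l->lval, out, cap);
}

/* Hardened variant: read converted copies and leave the shared table untouched, so it
   makes no difference whether two parameters alias the same table. */
static char *as_string_dup(const val *v) {
    char buf[32];
    if (v->type == T_STRING) return dupstr(v->sval);
    snprintf(buf, sizeof buf, "%ld", v->lval);
    return dupstr(buf);
}
static long as_long(const val *v) { return v->type == T_LONG ? v->lval : strtol(v->sval, NULL, 10); }
static int substr_replace_elem_safe(const arrayvar *subject, const char *repl, size_t from,
                                    const arrayvar *len, size_t i, char *out, size_t cap) {
    char *s = as_string_dup(&subject->ht->items[i]);
    long n = as_long(&len->ht->items[i]);
    int rc = splice(s, repl, from, n < 0 ? 0 : (size_t)n, out, cap);
    free(s);
    return rc;
}

/* Replays the report's script over both elements: alias=0 is substr_replace($a, 1, 1, $b)
   with a fresh table, alias=1 is the $c = $a case.  Results are joined with a space. */
static int run_case(int alias, int safe, char *out, size_t cap) {
    const long nums[] = { 1, 2 };
    arrayvar a = { table_new(nums, 2) }, b;
    int rc = 0;
    if (alias) arrayvar_share(&b, &a); else b.ht = table_new(nums, 2);
    out[0] = '\0';
    for (size_t i = 0; i < 2 && rc == 0; i++) {
        char piece[16];
        rc = safe ? substr_replace_elem_safe(&a, "1", 1, &b, i, piece, sizeof piece)
                  : substr_replace_elem_buggy(&a, "1", 1, &b, i, piece, sizeof piece);
        if (rc == 0) snprintf(out + strlen(out), cap - strlen(out), "%s%s", i ? " " : "", piece);
    }
    table_release(b.ht); table_release(a.ht);
    return rc;
}
static char last_out[32];
static int run_case_last(int alias, int safe) { return run_case(alias, safe, last_out, sizeof last_out); }
```

run_case_last(0, 0) is the report's first var_dump: separate tables, in-place conversion, and last_out holds "11 21". run_case_last(1, 0) is the second var_dump, where the in-place path returns -1 at element 0 because the subject string it just built has been freed and retyped underneath it. run_case_last(1, 1) shows the copy-based variant producing "11 21" on the shared table, which is the property a fix for this class of bug has to deliver: a parameter's conversion must never be able to change another parameter's storage.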