#44046 [Opn]: array_slice(&$offset, $offset) crash

Mon, 04 Feb 2008 14:53:35 -0800 

 ID:               44046
 User updated by:  victor dot stinner at haypocalc dot com
 Reported By:      victor dot stinner at haypocalc dot com
 Status:           Open
 Bug Type:         Arrays related
 Operating System: Linux (Ubuntu Gutsy) on i386
 PHP Version:      5.2.5
 New Comment:

gdb session:

* $input type in array_slice() entry:
(gdb) print (**input).type
$1 = 4 '\004'    # IS_ARRAY

* $input type after execution of convert_to_long_ex() or
convert_to_boolean_ex() :
(gdb) print (**input).type
$4 = 1 '\001'    # IS_LONG

* Execution of « num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)) »
:

Program received signal SIGSEGV, Segmentation fault.
(gdb) where
#0  0x083281ad in _zend_is_inconsistent (ht=0x1, file=0x8451248
"/home/haypo/php-5.2.5/Zend/zend_hash.c", 
    line=1015) at /home/haypo/php-5.2.5/Zend/zend_hash.c:53
#1  0x0832ae37 in zend_hash_num_elements (ht=0x1) at
/home/haypo/php-5.2.5/Zend/zend_hash.c:1015
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928,
return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at
/home/haypo/php-5.2.5/ext/standard/array.c:2253
(...)
(gdb) frame 2
#2  0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928,
return_value_ptr=0x0, this_ptr=0x0, 
    return_value_used=0) at
/home/haypo/php-5.2.5/ext/standard/array.c:2253
2253            num_in = zend_hash_num_elements(Z_ARRVAL_PP(input));
(gdb) print (**input).type
$2 = 1 '\001'


Previous Comments:
------------------------------------------------------------------------

[2008-02-04 22:31:23] victor dot stinner at haypocalc dot com

Description:
------------
Code to crash PHP5 :
* « $input = Array("array"); array_slice(&$input, &$input); »
* « $input = Array("array"); array_slice(&$input, 0, &$input); »
* « $input = Array("array"); array_slice(&$input, 0, 0, &$input); »

array_slice() first checks first argument ($input) and then converts
other arguments ($offset to long, $length to long, $preverse_keys to
boolean). If arguments are shared as reference, $input type can change
(to long or boolean).

Crash occurs in instruction « num_in =
zend_hash_num_elements(Z_ARRVAL_PP(input)) » : it reads
((HashTable*)input)->inconsistent. If input is 0 or 1, input read does
crash with segmentation fault.




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=44046&edit=1

Reply via email to