From:             [EMAIL PROTECTED]
Operating system: FreeBSD
PHP version:      5.2.5
PHP Bug Type:     Reproducible crash
Bug description:  efree() issue (reported by suhosin)

Description:
------------
The issue happens at a cast of an array, to an object.

Reproduce code:
---------------
<?php
/**
 * @global array $wp_taxonomies Fill me out please
 */
$wp_taxonomies = array();
$wp_taxonomies['category'] = (object) array('name' => 'category', 'object_type' => 'post', 'hierarchical' => true, 'update_count_callback' => '_update_post_term_count');
$wp_taxonomies['post_tag'] = (object) array('name' => 'post_tag', 'object_type' => 'post', 'hierarchical' => false, 'update_count_callback' => '_update_post_term_count');
$wp_taxonomies['link_category'] = (object) array('name' => 'link_category', 'object_type' => 'link', 'hierarchical' => false);
var_dump($wp_taxonomies);
?>

Expected result:
----------------
A var_dump() of the objects, which are stacked in an array ($wp_taxonomies).

When I replace the above code with:

$wp_taxonomies['post_tag'] = new stdClass;
$wp_taxonomies['post_tag']->name = 'post_tag';
...

It works.

Actual result:
--------------
==11388== Memcheck, a memory error detector for x86-linux.
==11388== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward.
==11388== Using valgrind-2.1.0, a program supervision framework for x86-linux.
==11388== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward.
==11388== Estimated CPU clock rate is 2426 MHz
==11388== For more details, rerun with: -v
==11388==
==11388== Conditional jump or move depends on uninitialised value(s)
==11388==    at 0x80F2016: php_realpath (in /usr/local/bin/php)
==11388==    by 0x80F2549: virtual_file_ex (in /usr/local/bin/php)
==11388==    by 0x80F8F5E: expand_filepath (in /usr/local/bin/php)
==11388==    by 0x80F5ECC: php_execute_script (in /usr/local/bin/php)
==11388==
==11388== Conditional jump or move depends on uninitialised value(s)
==11388==    at 0x8121CC8: _zval_ptr_dtor (in /usr/local/bin/php)
==11388==    by 0x8149002: zend_assign_to_variable (in /usr/local/bin/php)
==11388==    by 0x8193CE3: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (in /usr/local/bin/php)
==11388==    by 0x8149E88: execute (in /usr/local/bin/php)
==11388==
==11388== Conditional jump or move depends on uninitialised value(s)
==11388==    at 0x8121CE5: _zval_ptr_dtor (in /usr/local/bin/php)
==11388==    by 0x8149002: zend_assign_to_variable (in /usr/local/bin/php)
==11388==    by 0x8193CE3: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (in /usr/local/bin/php)
==11388==    by 0x8149E88: execute (in /usr/local/bin/php)
array(3) {
  ["category"]=>
  object(stdClass)#2 (4) {
    ["name"]=>
    string(8) "category"
    ["object_type"]=>
    string(4) "post"
    ["hierarchical"]=>
    bool(true)
    ["update_count_callback"]=>
    string(23) "_update_post_term_count"
  }
  ["post_tag"]=>
  object(stdClass)#4 (4) {
    ["name"]=>
    string(8) "post_tag"
    ["object_type"]=>
    string(4) "post"
    ["hierarchical"]=>
    bool(false)
    ["update_count_callback"]=>
    string(23) "_update_post_term_count"
  }
  ["link_category"]=>
  object(stdClass)#6 (3) {
    ["name"]=>
    string(13) "link_category"
    ["object_type"]=>
    string(4) "link"
    ["hierarchical"]=>
    bool(false)
  }
}
==11388==
==11388== ERROR SUMMARY: 7 errors from 3 contexts (suppressed: 0 from 0)
==11388== malloc/free: in use at exit: 7873 bytes in 60 blocks.
==11388== malloc/free: 20131 allocs, 20071 frees, 2022373 bytes allocated.
==11388== For a detailed leak analysis, rerun with: --leak-check=yes
==11388== For counts of detected errors, rerun with: -v

-- 
Edit bug report at http://bugs.php.net/?id=44323&edit=1