Edit report at http://bugs.php.net/bug.php?id=52001&edit=1

 ID:               52001
 Comment by:       boldin dot pavel at gmail dot com
 Reported by:      lisio at bk dot ru
 Summary:          Memory allocation problems after using variable
                   variables
 Status:           Open
 Type:             Bug
 Package:          Scripting Engine problem
 Operating System: Linux
 PHP Version:      5.3.2

 New Comment:

Here is the problem: Zend/zend_execution.c line 703 (version 5.3.2):
incorrect reference count (== 1) in case of bug. Should be == 3 and copy
data in 'else' branch.


Previous Comments:
------------------------------------------------------------------------
[2010-06-06 10:36:36] boldin dot pavel at gmail dot com

More detailed: when you pass off the function, _get_zval_cv_lookup is no
longer able to find your CVs, and they are missed. _get_zval_cv_lookup
then returns the pointer EG(uninitialized_zval_ptr), which is shared
among a set of values.

So two values are stored in the same place. It is essential that this
happens only if you call it with ZEND_FCALL_BY_NAME (i.e. declare after
using) and only if the dereferenced value is not first.
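
The aliasing described in the two comments above, as a small C model. This is an added example, not Zend engine code and not part of the original thread; toy_zval, toy_assign, shared_uninit and run_script are hypothetical names, and the counts 1 and 3 are the ones quoted in the comment about line 703.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not Zend source: a value with a reference count. */
typedef struct { long val; int refcount; } toy_zval;

/* One sentinel shared by every variable slot that has no value yet,
   playing the role the comment gives EG(uninitialized_zval_ptr). */
static toy_zval shared_uninit;

/* Copy-on-write assignment: write in place only when the slot is the
   sole owner; otherwise separate (allocate a private copy) first. */
static void toy_assign(toy_zval **slot, long v) {
    if ((*slot)->refcount == 1) {
        (*slot)->val = v;              /* believed to be unshared */
    } else {
        toy_zval *copy = malloc(sizeof *copy);
        if (!copy) abort();
        (*slot)->refcount--;           /* slot leaves the shared value */
        copy->val = v;
        copy->refcount = 1;
        *slot = copy;
    }
}

/* Models "$temp1 = 1; $temp2 = 2; echo $temp1;" with both slots starting
   on the shared sentinel, whose count is set to sentinel_refcount.
   Returns the value echo would print. */
long run_script(int sentinel_refcount) {
    shared_uninit.val = 0;
    shared_uninit.refcount = sentinel_refcount;
    toy_zval *temp1 = &shared_uninit, *temp2 = &shared_uninit;
    toy_assign(&temp1, 1);
    toy_assign(&temp2, 2);
    long out = temp1->val;
    if (temp1 != &shared_uninit) free(temp1);
    if (temp2 != &shared_uninit) free(temp2);
    return out;
}

int main(void) {
    printf("refcount 3 (correct): echo prints %ld\n", run_script(3));
    printf("refcount 1 (bug):     echo prints %ld\n", run_script(1));
    return 0;
}
```

With the count at 1 the second assignment overwrites the first through the shared sentinel, which reproduces the report's expected 1 versus actual 2.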

------------------------------------------------------------------------
[2010-06-06 10:30:54] boldin dot pavel at gmail dot com

Even more:

f($$var, 0) will also work.

If you declare the function before calling, it will work too.

Seems like a bug in zend_do_pass_params or so on, causing corruption of
a buffer.

These CVs are just missing from the scope (active_symbol_table) after
calling the function. Seems like they are removed in the middle of code
execution.

------------------------------------------------------------------------
[2010-06-06 09:10:39] akorolyov at gmail dot com

<?php
$test = 0;
$var = 'test';
f(0, $$var);
$x = 1;
$y = 2;
echo $x;
function f($a, $b) {}
?>

In this case I receive the correct result.

------------------------------------------------------------------------
[2010-06-05 17:14:28] lisio at bk dot ru

Description:
------------
After calling the function using a non-defined variable variable as a
second parameter the interpreter goes crazy. Just reproduce the script
on any of 5.3.* versions of PHP.

Test script:
---------------
<?php
a(0,$$var);

$temp1=1;
$temp2=2;
echo $temp1;

function a($b,$c) {}
?>

Expected result:
----------------
1

Actual result:
--------------
2


------------------------------------------------------------------------


