From:             morten-bugs dot php dot net at afdelingp dot dk
Operating system: Red Hat Linux 7.3
PHP version:      4.3.4
PHP Bug Type:     Scripting Engine problem
Bug description:  fix for crash in PHP-4.3.4 / _convert_to_string()

Description:
------------
One of my co-workers, Brian Fløe, found that PHP could be crashed by
passing an array to strip_tags() and other native functions expecting a
string.

I debugged the issue, and it turns out that the problem is in the way
_convert_to_string() calls zend_error() to emit a notice about the
conversion of an array or an object. It destructs op and sets the value to
"Array" or "Object", calls zend_error() with the argument stack borked,
and THEN sets op->type to IS_STRING.

The problem is that any error handler looking at the output of
debug_backtrace() will get wrong results, and in some situations crash
PHP. This is a problem, because many sites run strip_tags() and other
functions on variables from $_GET and $_POST, without explicitly casting
them to strings - which should be safe.

The problem can be solved by calling zend_error() before messing with op.
See attached patch.

The following code will show the (wrong) contents of ['args'] to the
strip_tags() call, and crash at foreach without the patch.


Reproduce code:
---------------
<?php
// Error handler that inspects the caller's arguments through debug_backtrace().
// Frame 0 is this handler itself; frame 1 is the strip_tags() call that raised
// the notice, so its ['args'] entry should hold the array passed to strip_tags().
function myErrorHandler()
{
  $backtrace = debug_backtrace();
  print_r($backtrace[1]['args']);
  foreach ($backtrace[1]['args'] as $arg) {
    print("# $arg #\n");
  }
}

set_error_handler('myErrorHandler');

// Passing an array where a string is expected triggers the array-to-string
// conversion notice inside _convert_to_string(), which invokes the handler above.
$tmp = array('a', 'b', 'c');
strip_tags($tmp);


Expected result:
----------------
--- with the patch ---
[EMAIL PROTECTED] cli]$ ./php st.php
Array
(
    [0] => Array
        (
            [0] => a
            [1] => b
            [2] => c
        )

)
# Array #


Actual result:
--------------
--- without the patch ---
[EMAIL PROTECTED] cli]$ ./php st.php
Array
(
    [0] => Array
 *RECURSION*
)
Segmentation fault


-- 
Edit bug report at http://bugs.php.net/?id=26148&edit=1
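The input-side hardening the report points at (make sure request values are strings before they reach strip_tags() and friends), as an added PHP example that is not part of the bug report or of PHP itself. The $_GET contents are constructed inline to stand in for a request such as ?q[]=a&q[]=b, and the function names vulnerable(), hardened() and loggingErrorHandler() are hypothetical.

```php
<?php
// Added example, not the reporter's code: request values that arrive as
// arrays must never reach string functions such as strip_tags().

// Constructed request data, standing in for a URL like ?q[]=a&q[]=b
// (PHP turns a bracketed parameter name into an array).
$_GET = array('q' => array('a', 'b'));

// Vulnerable pattern: strip_tags() receives an array, which takes the
// _convert_to_string() notice path the report describes.
function vulnerable($get)
{
    return strip_tags($get['q']);
}

// Hardened pattern: accept only a string; anything else is rejected before
// any conversion notice can be raised.
function hardened($get)
{
    if (!isset($get['q']) || !is_string($get['q'])) {
        return '';   // or answer the request with an error status
    }
    return strip_tags($get['q']);
}

// Error handler that does not walk ['args']: on an unpatched engine the
// half-converted argument is exactly what crashes the foreach in the report,
// so only the calling function's name is logged.
function loggingErrorHandler($errno, $errstr)
{
    $backtrace = debug_backtrace();
    $from = isset($backtrace[1]['function']) ? $backtrace[1]['function'] : 'main';
    error_log("notice $errno in $from(): $errstr");
}
set_error_handler('loggingErrorHandler');

var_dump(hardened($_GET));
```

The type check is the part that matters: the engine's notice path is entered as soon as an array is handed to strip_tags(), so an error handler can only avoid touching the damaged frame, not prevent the conversion. Rejecting non-strings up front keeps both the vulnerable() pattern and the crash out of reach of a request parameter.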