From: morten-bugs dot php dot net at afdelingp dot dk
Operating system: Red Hat Linux 7.3
PHP version: 4.3.4
PHP Bug Type: Scripting Engine problem
Bug description: fix for crash in PHP-4.3.4 / _convert_to_string()
Description:
------------
One of my co-workers, Brian Fløe, found that PHP could be crashed by passing an array to strip_tags() and other native functions expecting a string.

I debugged the issue, and it turns out that the problem is in the way _convert_to_string() calls zend_error() to emit a notice about the conversion of an array or an object. It destructs op and sets the value to "Array" or "Object", calls zend_error() with the argument stack borked, and THEN sets op->type to IS_STRING.

The problem is that any error handler looking at the output of debug_backtrace() will get wrong results, and in some situations crash PHP.

This is a problem, because many sites run strip_tags() and other functions on variables from $_GET and $_POST, without explicitly casting them to strings - which should be safe.

The problem can be solved by calling zend_error() before messing with op. See attached patch.

The following code will show the (wrong) contents of ['args'] to the strip_tags() call, and crash at foreach without the patch.
Reproduce code:
---------------
<?php
// Error handler that inspects the arguments of the frame that raised the
// notice; frame 0 is this handler, frame 1 is the strip_tags() call.
function myErrorHandler()
{
    $backtrace = debug_backtrace();
    print_r($backtrace[1]['args']);
    foreach ($backtrace[1]['args'] as $arg) {
        print("# $arg #\n");
    }
}

set_error_handler('myErrorHandler');

// Passing an array where a string is expected triggers the
// "Array to string conversion" notice inside _convert_to_string().
$tmp = array('a', 'b', 'c');
strip_tags($tmp);

Expected result:
----------------
--- with the patch ---
[EMAIL PROTECTED] cli]$ ./php st.php
Array
(
    [0] => Array
        (
            [0] => a
            [1] => b
            [2] => c
        )

)
# Array #

Actual result:
--------------
--- without the patch ---
[EMAIL PROTECTED] cli]$ ./php st.php
Array
(
    [0] => Array
 *RECURSION*
)
Segmentation fault

--
Edit bug report at http://bugs.php.net/?id=26148&edit=1
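The report notes that the crash is reachable because applications hand $_GET and $_POST values straight to strip_tags() without checking that they are strings, and because the error handler iterates over backtrace arguments as if they were strings. The following is an added example, not part of bug #26148 or of the PHP source tree, showing the two application-side mitigations: a request_string() helper (hypothetical name) that refuses non-scalar parameters before they reach a string function, and a logging_error_handler() (hypothetical name) that renders backtrace arguments type-safely instead of interpolating them. The $fake_get array is constructed sample data standing in for a real request.

```php
<?php
// Added example, not part of bug #26148 or the PHP source tree.

// Read a request parameter that the application expects to be a string.
// A query such as ?q[]=x makes $_GET['q'] an array; rather than letting it
// reach strip_tags(), the helper refuses it and returns $default.
function request_string(array $source, $key, $default = '')
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    $value = $source[$key];
    if (!is_scalar($value)) {          // arrays, objects and null are refused
        return $default;
    }
    return strip_tags((string) $value);
}

// Error handler that never assumes a backtrace argument is a string.
// It records the frame that raised the notice together with a type-safe
// rendering of its arguments (var_export copes with arrays and objects),
// then lets execution continue.
function logging_error_handler($errno, $errstr, $errfile, $errline)
{
    $trace = debug_backtrace();
    // Frame 0 is this handler; frame 1 is the call that triggered the notice.
    $frame = isset($trace[1]) ? $trace[1] : array();
    $args  = isset($frame['args']) ? $frame['args'] : array();
    $rendered = array();
    foreach ($args as $arg) {
        $rendered[] = is_scalar($arg) ? (string) $arg : var_export($arg, true);
    }
    $fn = isset($frame['function']) ? $frame['function'] : '(unknown)';
    error_log(sprintf('[%d] %s at %s:%d in %s(%s)',
        $errno, $errstr, $errfile, $errline, $fn, implode(', ', $rendered)));
    return true; // handled; suppress PHP's default notice output
}

set_error_handler('logging_error_handler');

// Constructed request data: 'name' is a plain string, 'tags' arrived as an
// array (as ?tags[]=a&tags[]=b&tags[]=c would produce).
$fake_get = array(
    'name' => '<b>alice</b>',
    'tags' => array('a', 'b', 'c'),
);

var_dump(request_string($fake_get, 'name'));
var_dump(request_string($fake_get, 'tags'));
var_dump(request_string($fake_get, 'missing', 'n/a'));
```

With request_string() in place, an array-valued parameter never reaches strip_tags(), so the code path in _convert_to_string() that the report describes is not exercised for request input at all; the handler is the second line of defence for notices raised elsewhere.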