ID: 30457
User updated by: kameshj at fastmail dot fm
Reported By: kameshj at fastmail dot fm
-Status: Open
+Status: Closed
Bug Type: Reproducible crash
Operating System: Any Operating System
PHP Version: 5.0.2
New Comment:
I also did not get any e-mail regarding this.
But my fix is available in 1.598 in PHP5_1 and 1.567.2.11 in PHP5_0 of
zend_compile.c.
Before this fix I got a consistent crash in PHP5_1 HEAD, of which I got
the latest version at 2 PM October 16 IST (GMT+5:30).
It crashes with PHP-5.0.2 too.
The code snippet which causes this segmentation fault might sound funny,
but it is the root cause of major functionality in the xoops application.
This will happen only with 7-character member arrays which are indexed
with a non-existent entry and a function call is made on that.
Based on my study of the issue, let me explain this:
$somenonexistentobject->sevench[0]()
$somenonexistentobject->sevench[0] this evaluates to Long.
zend_do_begin_method_call, after

    last_op_number = get_next_op_number(CG(active_op_array))-1;
    last_op = &CG(active_op_array)->opcodes[last_op_number];

assumes last_op's op2 to always be a string, which is incorrect in this
case.
As the same zendlval is used by the scanner to store and return to the
parser, the earlier token 'sevench' of string type had
zendlval->value.str.len=7.
The later token 0 evaluates to Long and zendlval->value.dval=0.
And the earlier value of zendlval->value.str.len=7 still exists in memory.
This causes the following:

    if ((last_op->op2.op_type == IS_CONST)
        && (last_op->op2.u.constant.value.str.len ==
            sizeof(ZEND_CLONE_FUNC_NAME)-1)
        && !zend_binary_strcasecmp(
               last_op->op2.u.constant.value.str.val,
               last_op->op2.u.constant.value.str.len,
               ZEND_CLONE_FUNC_NAME,
               sizeof(ZEND_CLONE_FUNC_NAME)-1))

This bug causes this condition to be true:

    (last_op->op2.u.constant.value.str.len ==
     sizeof(ZEND_CLONE_FUNC_NAME)-1)

and hence zend_binary_strcasecmp is called with NULL, hence the
segmentation fault.
Adding my check (last_op->op2.u.constant.type==IS_STRING) prior to

    (last_op->op2.u.constant.value.str.len ==
     sizeof(ZEND_CLONE_FUNC_NAME)-1)

makes sure that we are working with a string only.
I hope I made the bug report clear.
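As an added illustration (not Zend Engine code and not part of the bug report), the C model below replays the token sequence of `$obj->sevench[0]()` through a single union-backed value, shows the stale `str.len` surviving the switch to a long, and contrasts the pre-fix guard with the type-checked one. The `zval_t` layout, the `IS_*` tag values, the `scan_*_token` functions and `binary_strcasecmp` are simplified stand-ins chosen for this example; only `ZEND_CLONE_FUNC_NAME` and the shape of the quoted condition come from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ZEND_CLONE_FUNC_NAME "__clone"
#define CLONE_NAME_LEN ((int)(sizeof(ZEND_CLONE_FUNC_NAME) - 1))  /* 7 */

/* Assumed type tags: only the distinction matters, not the numbers. */
enum { IS_LONG = 1, IS_DOUBLE = 2, IS_STRING = 6 };

/* Stand-in for the scanner's zendlval (not the real zval definition).
 * The value is a union, so writing one member leaves the bytes of the
 * other members exactly as they were. */
typedef struct {
    union {
        long lval;
        double dval;
        struct { char *val; int len; } str;
    } value;
    int type;
} zval_t;

/* The scanner reuses one zval_t for every token and only writes the
 * member that belongs to the new token's type. */
static void scan_string_token(zval_t *zv, const char *s) {
    zv->value.str.val = (char *)s;
    zv->value.str.len = (int)strlen(s);
    zv->type = IS_STRING;
}

static void scan_long_token(zval_t *zv, long n) {
    zv->value.lval = n;  /* overlays str.val; str.len is left untouched */
    zv->type = IS_LONG;
}

/* Length-aware case-insensitive compare, in the shape of
 * zend_binary_strcasecmp(s1, len1, s2, len2). */
static int binary_strcasecmp(const char *s1, int len1, const char *s2, int len2) {
    int i, n = len1 < len2 ? len1 : len2;
    for (i = 0; i < n; i++) {
        int d = tolower((unsigned char)s1[i]) - tolower((unsigned char)s2[i]);
        if (d) return d;
    }
    return len1 - len2;
}

/* Pre-fix guard, modelled on the condition quoted in the report: it reads
 * str.len without first checking that the constant is a string.  Returns 1
 * when the guard passes, i.e. when the original code would go on to compare
 * str.val.  The compare itself is not made here, because with a stale len
 * and a NULL str.val that compare is the segfault. */
static int old_guard_passes(const zval_t *op2) {
    return op2->value.str.len == CLONE_NAME_LEN;
}

/* Post-fix check: consult the type tag before touching any string field. */
static int is_clone_call_fixed(const zval_t *op2) {
    if (op2->type != IS_STRING) return 0;
    if (op2->value.str.len != CLONE_NAME_LEN) return 0;
    return binary_strcasecmp(op2->value.str.val, op2->value.str.len,
                             ZEND_CLONE_FUNC_NAME, CLONE_NAME_LEN) == 0;
}

/* Replay the tokens of $obj->sevench[0]() through one shared zval. */
static void replay_index_tokens(zval_t *zv) {
    memset(zv, 0, sizeof *zv);
    scan_string_token(zv, "sevench");  /* str.len becomes 7 */
    scan_long_token(zv, 0);            /* type flips to IS_LONG, len stays 7 */
}

int stale_str_len_after_index(void) {
    zval_t zv; replay_index_tokens(&zv); return zv.value.str.len;
}
int str_val_is_null_after_index(void) {  /* 1 on LP64, where long covers the pointer */
    zval_t zv; replay_index_tokens(&zv); return zv.value.str.val == NULL;
}
int old_guard_on_index(void) {
    zval_t zv; replay_index_tokens(&zv); return old_guard_passes(&zv);
}
int fixed_check_on_index(void) {
    zval_t zv; replay_index_tokens(&zv); return is_clone_call_fixed(&zv);
}
/* The same two checks for a genuine method-name constant, e.g. $obj->__clone(). */
int old_guard_on_name(const char *name) {
    zval_t zv; scan_string_token(&zv, name); return old_guard_passes(&zv);
}
int fixed_check_on_name(const char *name) {
    zval_t zv; scan_string_token(&zv, name); return is_clone_call_fixed(&zv);
}

int main(void) {
    printf("sevench[0]: stale len=%d str.val NULL=%d old guard=%d fixed=%d\n",
           stale_str_len_after_index(), str_val_is_null_after_index(),
           old_guard_on_index(), fixed_check_on_index());
    printf("__clone: old guard=%d fixed=%d\n",
           old_guard_on_name("__clone"), fixed_check_on_name("__clone"));
    printf("sevench: old guard=%d fixed=%d\n",
           old_guard_on_name("sevench"), fixed_check_on_name("sevench"));
    return 0;
}
```

The old guard passes for any 7-character name and for the stale long, so it is the type tag, not the length, that separates a harmless `$obj->sevench()` from the `sevench[0]()` case whose `str.val` has been overwritten with zero.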
Previous Comments:
------------------------------------------------------------------------
[2004-10-16 13:21:01] kameshj at fastmail dot fm
I have fixed it in CVS just an hour back.
This bug is pretty much reproducible.
Just execute this:
<?php
$obj->kameaps[0]();
?>
------------------------------------------------------------------------
[2004-10-16 13:07:39] [EMAIL PROTECTED]
I mean that this bug has already been fixed, so I see no sense in
creating this bug report.
If this bug still exists (though I'm not able to reproduce it), I
don't understand what you meant by saying that it's been fixed.
------------------------------------------------------------------------
[2004-10-16 13:02:12] kameshj at fastmail dot fm
What do you mean by bogus, Tony?
------------------------------------------------------------------------
[2004-10-16 12:32:22] [EMAIL PROTECTED]
No bug -> bogus.
------------------------------------------------------------------------
[2004-10-16 11:50:34] kameshj at fastmail dot fm
Fixed in both 5.1 HEAD and 5.0.2 tree using hyanantha's account
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/30457