 ID:               31158
 Updated by:       [EMAIL PROTECTED]
 Reported By:      postings-php-bug at hans-spath dot de
-Status:           Assigned
+Status:           Closed
 Bug Type:         Reproducible crash
 Operating System: *
 PHP Version:      5CVS, 4CVS (2005-02-21)
 Assigned To:      dmitry
 New Comment:

Fixed in CVS PHP_4_4 too.


Previous Comments:
------------------------------------------------------------------------

[2005-07-04 13:14:48] [EMAIL PROTECTED]

Let's keep it open for now, so that we don't forget to backport it to 4.4.1 as soon as 4.4.0 is out.

------------------------------------------------------------------------

[2005-07-04 12:11:58] [EMAIL PROTECTED]

Fixed in CVS HEAD and PHP_5_0.

------------------------------------------------------------------------

[2004-12-18 17:31:41] postings-php-bug at hans-spath dot de

<0>[EMAIL PROTECTED]:~/compile/php-4.3.10/sapi/cli% cat ~/test/killer.php
<? function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();
<0>[EMAIL PROTECTED]:~/compile/php-4.3.10/sapi/cli% gdb php
[...]
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run ~/test/killer.php
Starting program: /home/stob/compile/php-4.3.10/sapi/cli/php ~/test/killer.php
[Sat Dec 18 17:28:35 2004] Script: '/home/stob/test/killer.php'
---------------------------------------
/home/stob/compile/php-4.3.10/ext/standard/array.c(1897) : Block 0x081C2B28 status:
Beginning: Overrun (magic=0x00000000, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
0xb7ec81c3 in memcpy () from /lib/libc.so.6
(gdb) bt
#0 0xb7ec81c3 in memcpy () from /lib/libc.so.6
#1 0x0814ace4 in _mem_block_check (ptr=0x81c2b4c, silent=0, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:675
#2 0x0814aca5 in _mem_block_check (ptr=0x81c2b4c, silent=1, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:667
#3 0x08149feb in _efree (ptr=0x81c2b4c, __zend_filename=0x817ef80 "/home/stob/compile/php-4.3.10/ext/standard/array.c", __zend_lineno=1897, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/stob/compile/php-4.3.10/Zend/zend_alloc.c:243
#4 0x080a2b90 in zif_array_splice (ht=3, return_value=0x81f6af4, this_ptr=0x0, return_value_used=0)
    at /home/stob/compile/php-4.3.10/ext/standard/array.c:1897
#5 0x0816eeb3 in execute (op_array=0x81f69b8)
    at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1642
#6 0x0816f0b1 in execute (op_array=0x81f15bc)
    at /home/stob/compile/php-4.3.10/Zend/zend_execute.c:1686
#7 0x0815be29 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/stob/compile/php-4.3.10/Zend/zend.c:900
#8 0x08127f54 in php_execute_script (primary_file=0xbffffa60)
    at /home/stob/compile/php-4.3.10/main/main.c:1736
#9 0x0817507b in main (argc=2, argv=0xbffffae4)
    at /home/stob/compile/php-4.3.10/sapi/cli/php_cli.c:822

------------------------------------------------------------------------

[2004-12-17 20:41:04] postings-php-bug at hans-spath dot de

Description:
------------
PHP doesn't handle an attempt of clearing $GLOBALS correctly.

Reproduce code:
---------------
function __(){array_splice($GLOBALS,0,count($GLOBALS));}__();

Expected result:
----------------
$GLOBALS should be empty or an error message should be printed.

Actual result:
--------------
My tests:

PHP 4.3.8 cli/cgi, 4.3.10 cli, Linux 2.6:
  segmentation fault

PHP 4.3.8 apache2sapi, Windows XP SP2:
  Apache2 log: Parent: child process exited with status 3221225477 -- Restarting.

PHP 5.0.1 cli, Windows XP SP2:
  array_splice works, but then crashes on script end (probably during cleanups) or on phpinfo();

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=31158&edit=1