From: dave at ramenlabs dot com
Operating system: Linux
PHP version: 5CVS-2006-10-30 (CVS)
PHP Bug Type: Reproducible crash
Bug description: Segmentation fault with list unpacking of string offset
Description:
------------
In a function expecting an array parameter, I accidentally passed in a string instead. For some reason related to the particular way I used list unpacking of an array offset, it caused PHP to crash with a segmentation fault. I have observed this problem in PHP 4.4.2 as well as PHP 5, freshly downloaded and compiled from CVS.

Reproduce code:
---------------
<?php
$s = "";
list($a, $b) = $s[0];
?>

Expected result:
----------------
Fatal error: Cannot use string offset as an array

Actual result:
--------------
Segmentation fault

[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ echo '<?php $s = ""; list($a, $b) = $s[0]; ?>' | php
Segmentation fault (core dumped)
[EMAIL PROTECTED]:~/tmp/php5/sapi/cli$ gdb ./php core
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
#0  0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER (execute_data=0xbfcf925c) at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
11516           shift_right_function(&EX_T(opline->result.u.var).tmp_var,
(gdb) bt
#0  0x082b8429 in ZEND_SR_SPEC_VAR_VAR_HANDLER (execute_data=0xbfcf925c) at /home/ramen/tmp/php5/Zend/zend_vm_execute.h:11516
#1  0x082a1a98 in zif_each (ht=140604596, return_value=0x851b960, return_value_ptr=0x20, this_ptr=0xbfcf9370, return_value_used=4) at /home/ramen/tmp/php5/Zend/zend_builtin_functions.c:417
#2  0x082821ee in zend_u_str_tolower_dup (type=0 '\0', source={s = 0xbfcfb674 "\002", u = 0xbfcfb674, v = 0xbfcfb674}, length=139127824) at /home/ramen/tmp/php5/Zend/zend_operators.c:2384
#3  0x08240352 in php_module_startup (sf=0xbfcfb674, additional_modules=0x83112d0, num_additional_modules=139120832) at /home/ramen/tmp/php5/main/main.c:1554
#4  0x08311219 in ZEND_SL_SPEC_CONST_VAR_HANDLER (execute_data=0x0) at /home/ramen/tmp/php5/Zend/zend_execute.c:78
#5  0xb79ceea8 in ?? ()
#6  0x00000000 in ?? ()
(gdb)

-- 
Edit bug report at http://bugs.php.net/?id=39304&edit=1
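The reporter's crash was triggered by handing a string (a string offset is itself a string) to code that only expected an array. The following is an added example, not part of the bug report or of PHP's own code, showing the caller-side check that keeps that mistake from ever reaching the list() unpacking: a parameter type declaration (PHP 7 or later, where a non-array argument raises a TypeError) plus an explicit element count check. The function name splitPair and the sample inputs are hypothetical and constructed for the illustration.

```php
<?php
// Added example (not from the bug report): validate the operand before
// destructuring it, so a string never reaches list()/[] unpacking.

/**
 * Unpack a two-element array into a labelled pair.
 *
 * The `array` type declaration makes the engine reject a non-array
 * argument with a TypeError before the body runs (PHP 7+). The count
 * check then rejects arrays too short to fill both variables, which
 * would otherwise silently yield null for the missing entry.
 */
function splitPair(array $pair): array
{
    if (count($pair) < 2) {
        throw new InvalidArgumentException(
            'expected a two-element array, got ' . count($pair) . ' element(s)'
        );
    }
    // Safe: the operand is known to be an array with at least two entries.
    [$first, $second] = $pair;
    return ['first' => $first, 'second' => $second];
}

// Constructed inputs: one valid pair and two invalid operands, the last
// standing in for the string offset ($s[0]) from the report.
$inputs = [
    'array'       => ['alpha', 'beta'],
    'short array' => ['alpha'],
    'string'      => '',
];

foreach ($inputs as $label => $input) {
    try {
        $result = splitPair($input);
        echo "$label: ok, first={$result['first']} second={$result['second']}\n";
    } catch (TypeError | InvalidArgumentException $e) {
        // Both failure modes are reported to the caller instead of being
        // carried into the unpacking step.
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run it with `php splitpair.php` (any file name will do); the first input is unpacked, the second is refused by the count check, and the string is refused by the type declaration before the function body executes.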