ID: 41813
Updated by: [EMAIL PROTECTED]
Reported By: jontsa at amigaone dot cc
-Status: Assigned
+Status: Closed
Bug Type: Scripting Engine problem
Operating System: Gentoo Linux
PHP Version: 5.2.4-dev
Assigned To: dmitry
New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------

[2007-06-27 08:15:18] judas dot iscariote at gmail dot com

Index: Zend/zend_execute.c =================================================================== RCS file: /repository/ZendEngine2/zend_execute.c,v retrieving revision 1.716.2.12.2.20 diff -u -r1.716.2.12.2.20 zend_execute.c --- Zend/zend_execute.c 6 Jun 2007 08:35:23 -0000 1.716.2.12.2.20 +++ Zend/zend_execute.c 27 Jun 2007 08:14:40 -0000 
@@ -530,6 +530,10 @@ zval *value = get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R); zval **retval = &T(result->u.var).var.ptr; + if (!object_ptr) { + zend_error_noreturn(E_ERROR, "Cannot use string offset as an array"); + } + if (*object_ptr == EG(error_zval_ptr)) { FREE_OP(free_op2); if (!RETURN_VALUE_UNUSED(result)) {

------------------------------------------------------------------------

[2007-06-26 15:53:29] [EMAIL PROTECTED]

Verified.

------------------------------------------------------------------------

[2007-06-26 15:23:35] jontsa at amigaone dot cc

Description:
------------
If you convert a non-empty string to an array with object as value, you get a segmentation fault. Tested on Gentoo Linux and Solaris with Apache 2 and PHP 5.2.3. There's no segmentation fault when converting for example a scalar variable but an error message as expected.

Also tested from shell using:
# echo '<?php $foo="50";$foo[0]->bar="xyz"; ?>' | /opt/php5/bin/php
Segmentation fault

Reproduce code:
---------------
$foo="50";
$foo[0]->bar="xyz";

Expected result:
----------------
An error message of some sort.

Actual result:
--------------
From apache logs:
[Tue Jun 26 18:03:23 2007] [notice] child pid 16155 exit signal Segmentation fault (11)

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=41813&edit=1
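
Review bot: the message passed to the added zend_error_noreturn call in the Zend/zend_execute.c hunk at @@ -530,6 +530,10 @@ reads "Cannot use string offset as an array", but the reported script, $foo[0]->bar="xyz", assigns a property on a string offset and never uses it as an array, so the user is told about something they did not write; wording such as "Cannot use string offset as an object" would match the failing statement. The new NULL check on object_ptr also raises after get_zval_ptr(value_op, ...) has filled free_value and, unlike the EG(error_zval_ptr) branch right below it, does no FREE_OP(free_op2) first; because E_ERROR does not return this may be acceptable, but it is worth confirming. A regression test built from the two-line reproduce script would keep the unchecked dereference of object_ptr from coming back.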