ID: 42817
Updated by: [EMAIL PROTECTED]
Reported By: victor dot stinner at inl dot fr
-Status: Open
+Status: Assigned
Bug Type: Scripting Engine problem
Operating System: Linux
PHP Version: 5.2.4
-Assigned To:
+Assigned To: dmiry

Previous Comments:
------------------------------------------------------------------------

[2007-10-02 14:57:21] misc at inl dot fr

I can also reproduce the problem on a box running Mandriva 2007.0, with this version of PHP: apache-mod_php-5.1.6-2mdv2007.0, and I have this error in the log:

[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning: __clone method called on non-object in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning: array_push() [<a href='function.array-push'>function.array-push</a>]: First argument should be an array in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:36 2007] [notice] child pid 30185 exit signal Segmentation fault (11)

------------------------------------------------------------------------

[2007-10-02 14:56:32] victor dot stinner at inl dot fr

Hum, I forgot to specify the PHP version: 5.2.4 (latest). I compiled it from source code with "./configure --enable-debug" to detect the overflow.

Victor Stinner

------------------------------------------------------------------------

[2007-10-01 17:13:42] victor dot stinner at inl dot fr

Description:
------------
Hi,

I found a critical bug (security issue) in my web application. The code to reproduce it is quite simple (see above). With Apache, the result is a line in error.log:
[notice] child pid 14988 exit signal Segmentation fault (11).

My config: Ubuntu Feisty on Intel Celeron M 420 (32-bit).

Victor Stinner
http://www.inl.fr/

Reproduce code:
---------------
<?php
$a = clone(null);
array_push($a->b, $c);
?>

Expected result:
----------------
no crash

Actual result:
--------------
Warning: array_push(): First argument should be an array in crash.php on line 3
---------------------------------------
/home/haypo/php-5.2.4/Zend/zend_variables.c(175) : Block 0x084774b8 status:
/home/haypo/php-5.2.4/Zend/zend_execute.h(70) : Actual location (location was relayed)
Beginning: Freed (magic=0x00000000, expected=0x99954317)
Start: Overflown (magic=0x084774A4 instead of 0x496A04CC)
At least 4 bytes overflown
End: Overflown (magic=0x00000000 instead of 0x39D5CB7E)
At least 4 bytes overflown
---------------------------------------

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=42817&edit=1
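The crash path in the report is a clone of a non-object followed by array_push() on a property of the resulting value. Until the engine fix is deployed, user-land code can stay off that path by validating before both operations. The following is an added example, not code from the bug report or from PHP itself; the function names safe_clone and push_to_property and the sample stdClass input are constructed for illustration.

```php
<?php
// Added example (not from the bug report or from PHP): user-land guards
// that reject the two conditions seen in the report, clone on a
// non-object and array_push() on a non-array property, before the
// engine ever sees them.

function safe_clone($value)
{
    // clone is only defined for objects; refuse anything else instead of
    // letting the engine emit "__clone method called on non-object".
    if (!is_object($value)) {
        throw new InvalidArgumentException(
            'clone expects an object, got ' . gettype($value)
        );
    }
    return clone $value;
}

function push_to_property($obj, $name, $item)
{
    if (!is_object($obj)) {
        throw new InvalidArgumentException(
            'expected an object, got ' . gettype($obj)
        );
    }
    // array_push() takes its first argument by reference, so make sure the
    // property exists and already holds an array; an undefined or
    // non-array property is what produced the warning in the report.
    if (!isset($obj->$name) || !is_array($obj->$name)) {
        $obj->$name = array();
    }
    return array_push($obj->$name, $item);
}

// Constructed sample input.
$template = new stdClass();
$template->b = array('first');

$copy = safe_clone($template);
$count = push_to_property($copy, 'b', 'second');
echo "copy->b now holds $count element(s)\n";

try {
    // The report's first step, now rejected cleanly instead of crashing.
    safe_clone(null);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
?>
```

Because PHP arrays are copied by value on clone, pushing to $copy->b leaves $template->b untouched; the guard in push_to_property only normalises the property it is about to pass by reference.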