ID: 44046 Updated by: [EMAIL PROTECTED] Reported By: victor dot stinner at haypocalc dot com -Status: Open +Status: Closed Bug Type: Arrays related Operating System: Linux (Ubuntu Gutsy) on i386 PHP Version: 5.2.5 New Comment:
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2008-02-05 00:45:57] [EMAIL PROTECTED] My suggestion: http://ecl.mediain.com.br/diff/bug44046.diff In .phpt for array_slice, the expected result treats 0 as NULL. Then, i guess that using long rather than zval could be used... ------------------------------------------------------------------------ [2008-02-04 22:53:28] victor dot stinner at haypocalc dot com gdb session: * $input type in array_slice() entry: (gdb) print (**input).type $1 = 4 '\004' # IS_ARRAY * $input type after execution of convert_to_long_ex() or convert_to_boolean_ex() : (gdb) print (**input).type $4 = 1 '\001' # IS_LONG * Execution of « num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)) » : Program received signal SIGSEGV, Segmentation fault. (gdb) where #0 0x083281ad in _zend_is_inconsistent (ht=0x1, file=0x8451248 "/home/haypo/php-5.2.5/Zend/zend_hash.c", line=1015) at /home/haypo/php-5.2.5/Zend/zend_hash.c:53 #1 0x0832ae37 in zend_hash_num_elements (ht=0x1) at /home/haypo/php-5.2.5/Zend/zend_hash.c:1015 #2 0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253 (...) (gdb) frame 2 #2 0x08226ff2 in zif_array_slice (ht=3, return_value=0x853e928, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/haypo/php-5.2.5/ext/standard/array.c:2253 2253 num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)); (gdb) print (**input).type $2 = 1 '\001' ------------------------------------------------------------------------ [2008-02-04 22:31:23] victor dot stinner at haypocalc dot com Description: ------------ Code to crash PHP5 : * « $input = Array("array"); array_slice(&$input, &$input); » * « $input = Array("array"); array_slice(&$input, 0, &$input); » * « $input = Array("array"); array_slice(&$input, 0, 0, &$input); » array_slice() first checks first argument ($input) and then converts other arguments ($offset to long, $length to long, $preverse_keys to boolean). If arguments are shared as reference, $input type can change (to long or boolean). Crash occurs in instruction « num_in = zend_hash_num_elements(Z_ARRVAL_PP(input)) » : it reads ((HashTable*)input)->inconsistent. If input is 0 or 1, input read does crash with segmentation fault. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=44046&edit=1