Edit report at https://bugs.php.net/bug.php?id=63173&edit=1

 ID:                 63173
 Updated by:         ni...@php.net
 Reported by:        bugs dot php dot net at majkl578 dot cz
-Summary:            Crash when invoking invalid callback
+Summary:            Crash when invoking invalid array callback
 Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Linux & Windows
 PHP Version:        5.4.7
-Assigned To:
+Assigned To:        nikic
 Block user comment: N
 Private report:     N

 New Comment:

Thanks for the report, this is now fixed in the repo.

Two more notes:

 * For call_user_func the call will go through zend_is_callable_ex where the check is properly done (see http://lxr.php.net/xref/PHP_5_3/Zend/zend_API.c#2771), so this bug doesn't apply to it (or any other function with f zpp)
 * Calling array callbacks using $callback() is only supported since 5.4, so this does not apply to PHP 5.3.


Previous Comments:
------------------------------------------------------------------------
[2012-09-27 16:48:37] ni...@php.net

Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=592b232e834ed2698fa97ad4dd58e5ab21f257be
Log: Fix bug #63173: Crash when invoking invalid array callback

------------------------------------------------------------------------
[2012-09-27 16:11:53] bugs dot php dot net at majkl578 dot cz

Description:
------------
PHP crashes when the callback (defined as an array) is invalid.

Test script:
---------------
$foo = [
    1 => 0,
    2 => 0,
];

$foo();

Expected result:
----------------
PHP Fatal error

Actual result:
--------------
Segmentation fault; backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a53ddf in ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER (execute_data=0x7ffff7f740e8) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:1922
1922            if (Z_TYPE_PP(obj) != IS_STRING && Z_TYPE_PP(obj) != IS_OBJECT) {
(gdb) bt
#0  0x0000000000a53ddf in ZEND_INIT_FCALL_BY_NAME_SPEC_CV_HANDLER (execute_data=0x7ffff7f740e8) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:1922
#1  0x0000000000a4cb52 in execute (op_array=0x7ffff7fab698) at /storage/build/php/5.4/php-5.4.7/Zend/zend_vm_execute.h:410
#2  0x0000000000a1064a in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /storage/build/php/5.4/php-5.4.7/Zend/zend.c:1286
#3  0x0000000000987c90 in php_execute_script (primary_file=0x7fffffffdfc0) at /storage/build/php/5.4/php-5.4.7/main/main.c:2473
#4  0x0000000000b569ea in do_cli (argc=2, argv=0x7fffffffe368) at /storage/build/php/5.4/php-5.4.7/sapi/cli/php_cli.c:988
#5  0x0000000000b579a5 in main (argc=2, argv=0x7fffffffe368) at /storage/build/php/5.4/php-5.4.7/sapi/cli/php_cli.c:1364

------------------------------------------------------------------------
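
Added example, not part of the bug report or of php-src: the comment above notes that call_user_func validates its argument through zend_is_callable_ex, and is_callable() performs that validation from userland, so code that dispatches callbacks taken from configuration or decoded input can reject a malformed array before it reaches a $callback() call site. The helper names invoke_checked and describe_shape and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not php-src code). invoke_checked() and describe_shape()
// are hypothetical helper names.

// Summarise a rejected value for logging without dumping its contents.
function describe_shape($value)
{
    if (is_array($value)) {
        return 'array with keys [' . implode(', ', array_keys($value)) . ']';
    }
    return is_object($value) ? 'object of class ' . get_class($value) : gettype($value);
}

// Validate before dispatch: is_callable() applies the engine's callable
// check, so a malformed array callback is rejected here instead of being
// handed to the dynamic-call opcode.
function invoke_checked($callback, array $args = [])
{
    if (!is_callable($callback)) {
        throw new InvalidArgumentException('Rejected callback: ' . describe_shape($callback));
    }
    return call_user_func_array($callback, $args);
}

// Constructed sample inputs; the second one is the array from the report.
$candidates = [
    'valid function name'   => 'strtoupper',
    'report array (1, 2)'   => [1 => 0, 2 => 0],
    'right keys, bad types' => [0 => 0, 1 => 0],
    'valid static method'   => ['DateTime', 'createFromFormat'],
    'unknown method'        => ['DateTime', 'noSuchMethod'],
];

foreach ($candidates as $label => $candidate) {
    echo $label, ': ', is_callable($candidate) ? 'accepted' : 'rejected', "\n";
}

echo invoke_checked('strtoupper', ['ok']), "\n";

try {
    invoke_checked([1 => 0, 2 => 0]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```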