Using string index in a switch() crashes with multiple matches
| Bug #26696 | Using string index in a switch() crashes with multiple matches |
|---|---|
| Submitted: | 2003-12-22 14:33 UTC |
| Modified: | 2004-01-19 19:20 UTC |
| From: | saruman at northernhacking dot org |
| Assigned: | |
| Status: | Closed |
| Package: | Scripting Engine problem |
| PHP Version: | 5CVS-2004-01-02 |
| OS: | * |
| Private report: | No |
| CVE-ID: | None |
[2003-12-22 14:33 UTC] saruman at northernhacking dot org
Description:
------------
The ONLY change I'd made is install php-5.0.0b3 with the same config as the php-5.0.0b2 it replaced.
Config vars:
Configure Command './configure' '--with-pear' '--with-pgsql' '--with-apxs=/usr/local/apache/bin/apxs' '--enable-mbstring' '--prefix=/usr/local/php5' '--with-libxml-dir=/usr'
Using this with php-5.0.0b2 works as expected. This behavior of a string is required by DB.php in PEAR, amongst others.
Reproduce code:
---------------
```php
<?php
//$str = Array('a', 's', 'd', 'd', '/', '?');
$str = 'asdd/?';
$len = strlen($str);
for ($i = 0; $i < $len; $i++) {
    // switch directly on a string offset, not on a copied variable
    switch ($str[$i]) {
        case '?':
            echo '?';
            break;
    }
}
?>
Did not crash.
```
(The text after the closing tag is emitted verbatim if the script survives the loop.)
Expected result:
----------------
?Did not crash.
Actual result:
--------------
From error_log:
[Mon Dec 22 14:15:38 2003] [notice] child pid 30170 exit signal Segmentation fault (11)
[Mon Dec 22 14:15:38 2003] [notice] child pid 30187 exit signal Segmentation fault (11)
The two responses are because MSIE seems to do a second query when the first one unexpectedly closes.
[2003-12-22 14:51 UTC] saruman at northernhacking dot org
[2003-12-22 17:22 UTC] saruman at northernhacking dot org
[2004-01-02 10:43 UTC] sniper@php.net
```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 20298)]
0x08357f99 in zend_pzval_unlock_func (z=0x1) at /usr/src/web/php/php5/Zend/zend_execute.c:64
64        z->refcount--;
(gdb) bt
#0  0x08357f99 in zend_pzval_unlock_func (z=0x1) at /usr/src/web/php/php5/Zend/zend_execute.c:64
#1  0x08358499 in zend_switch_free (opline=0x40e491f8, Ts=0xbfffd640) at /usr/src/web/php/php5/Zend/zend_execute.c:198
#2  0x083545d6 in zend_switch_free_handler (execute_data=0xbfffd7a0, op_array=0x40e48704) at /usr/src/web/php/php5/Zend/zend_execute.c:3072
#3  0x0834efd8 in execute (op_array=0x40e48704) at /usr/src/web/php/php5/Zend/zend_execute.c:1260
#4  0x0832d924 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1050
#5  0x082eac2c in php_execute_script (primary_file=0xbffffba0) at /usr/src/web/php/php5/main/main.c:1642
#6  0x08367237 in main (argc=2, argv=0xbffffc34) at /usr/src/web/php/php5/sapi/cli/php_cli.c:924
```

[2004-01-18 23:06 UTC] kennyt@php.net
Confirmed in recent cvs. It only happens with a default: block before which there is an applicable case ending in a break; statement.

```php
<?php
$line = '*';
switch ($line{0}) { // crashes also with $line[0]
    case '*';       // PHP accepts ';' as well as ':' after a case label
        echo '* RAN!';
        ob_flush();
        break;
    default:
        echo 'Default RAN!';
        ob_flush();
}
?>
```

This results in '* RAN!Segmentation Fault'. :(
BTW, I discovered this bug because it breaks Wakka.

[2004-01-19 19:20 UTC] sniper@php.net
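The two reproductions in this thread (saruman's loop over string offsets and kennyt's case + break + default reduction) both kill the interpreter outright, so a single script cannot test more than one variant. The following harness is an added example, not code from the bug report or from the PHP project: it writes each variant to a temporary file and runs it in a child PHP process, reporting whether the child printed a trailing marker and exited cleanly. The third variant, which copies the string offset into a plain variable before the switch, is an assumed workaround and not something the thread states. It assumes a PHP CLI binary is reachable via PHP_BINARY or as `php` on PATH, and that proc_open() and tempnam() are not disabled.

```php
<?php
// Added example (not from the bug report): run each switch() variant from the
// thread in a separate PHP process, so a segfault in one variant does not
// take the harness down. Assumes a PHP CLI binary is reachable as PHP_BINARY
// (or `php` on PATH) and that tempnam()/proc_open() are not disabled.

$variants = array(
    // saruman's original: loop over string offsets, one matching case + break, no default
    'offset_no_default' =>
        '$s = "asdd/?"; for ($i = 0; $i < strlen($s); $i++) {'
        . ' switch ($s[$i]) { case "?": echo "?"; break; } } echo "ok";',
    // kennyt's reduction: matching case ending in break, followed by a default block
    'offset_then_default' =>
        '$s = "*"; switch ($s[0]) { case "*": echo "* RAN!"; break;'
        . ' default: echo "Default RAN!"; } echo "ok";',
    // ASSUMED workaround (not from the thread): copy the offset into a plain
    // variable so the switch subject is no longer a string-offset temporary
    'copy_offset_first' =>
        '$s = "*"; $c = $s[0]; switch ($c) { case "*": echo "* RAN!"; break;'
        . ' default: echo "Default RAN!"; } echo "ok";',
);

// Run one snippet in a child interpreter; returns exit status and captured output.
function run_variant($code)
{
    $php  = defined('PHP_BINARY') ? PHP_BINARY : 'php';
    $file = tempnam(sys_get_temp_dir(), 'sw');
    file_put_contents($file, "<?php\n" . $code . "\n");

    $spec = array(1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
    $proc = proc_open(escapeshellarg($php) . ' ' . escapeshellarg($file), $spec, $pipes);
    if (!is_resource($proc)) {
        unlink($file);
        return array('exit' => -1, 'stdout' => '', 'stderr' => 'proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);
    unlink($file);
    return array('exit' => $exit, 'stdout' => $out, 'stderr' => $err);
}

foreach ($variants as $name => $code) {
    $r = run_variant($code);
    // The trailing "ok" is only printed if the child gets past the switch;
    // a child killed by SIGSEGV never prints it and returns a non-zero status.
    $ok = substr($r['stdout'], -2) === 'ok' && $r['exit'] === 0;
    printf("%-22s %s\n", $name,
        $ok ? 'completed' : 'did not complete (status ' . $r['exit'] . ')');
}
```

Running this against a build from the affected window should show the first two variants failing to complete while the copied-variable variant finishes; on a current PHP every variant completes, which is the quickest way to confirm a build carries the fix.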