Missing WARNING in array_push where next index is used.
| Bug #41685 | Missing WARNING in array_push where next index is used. | | |
|---|---|---|---|
| Submitted: | 2007-06-14 08:22 UTC | Modified: | 2007-06-24 17:37 UTC |
| From: | rob_nicholson at uk dot ibm dot com | Assigned: | |
| Status: | Closed | Package: | Arrays related |
| PHP Version: | 5.2.3 | OS: | all |
| Private report: | No | CVE-ID: | None |
[2007-06-14 08:22 UTC] rob_nicholson at uk dot ibm dot com
Description:
------------
This testcase produces a warning:
<?php
$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;
$arr[]="foo";
?>
Output is:
WARNING: Cannot add element to the array as the next element is already occupied in g:\foo.php on line 6.
This equivalent testcase produces no warning.
<?php
$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;
array_push ($arr,"foo","bar");
var_dump($arr);
?>
Reproduce code:
---------------
<?php
$arr = array();
$arr[0x80000000]=8;
$arr[0x7FFFFFFF]=1;
array_push ($arr,"foo","bar");
var_dump($arr);
?>
Expected result:
----------------
WARNING: Cannot add element to the array as the next element is already occupied in g:\foo.php on line 6.
array(2) {
[-2147483648]=>
int(8)
[2147483647]=>
int(1)
}
Actual result:
--------------
array(2) {
[-2147483648]=>
int(8)
[2147483647]=>
int(1)
}
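
The failure reported above, as an added example that is not part of the original report and is not Zend Engine code: a simplified C model of next-index insertion on a 32-bit build, with a push that ignores the insert's return code beside one that checks it. The toy_* names, the fixed-size table, the next_free bookkeeping and the choice to stop at the first refused insert are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, not Zend code: the integer keys of one table on a 32-bit build. */
#define CAP 8
enum { SUCCESS = 0, FAILURE = -1 };
typedef struct { uint32_t keys[CAP]; int count; uint32_t next_free; } toy_table;

/* Insert at key h, refusing a taken key; next_free moves past h (signed compare). */
static int toy_index_insert(toy_table *t, uint32_t h) {
    if (t->count == CAP) return FAILURE;
    for (int i = 0; i < t->count; i++)
        if (t->keys[i] == h) return FAILURE;
    t->keys[t->count++] = h;
    if ((int32_t)h >= (int32_t)t->next_free) t->next_free = h + 1;
    return SUCCESS;
}

/* Append, as $arr[] = ... does: the key is whatever next_free holds. */
static int toy_next_index_insert(toy_table *t) { return toy_index_insert(t, t->next_free); }

/* Array state from the report: keys 0x80000000 and 0x7FFFFFFF, in that order. */
static toy_table report_state(void) {
    toy_table t = { {0}, 0, 0 };
    toy_index_insert(&t, 0x80000000u);
    toy_index_insert(&t, 0x7FFFFFFFu);   /* next_free is now 0x80000000: occupied */
    return t;
}

/* Return code ignored: the values are dropped and the caller is not told. */
static int push_unchecked(toy_table *t, int argc) {
    for (int i = 0; i < argc; i++) toy_next_index_insert(t);
    return t->count;
}

/* Return code checked: warn and signal failure at the first refused insert. */
static int push_checked(toy_table *t, int argc) {
    for (int i = 0; i < argc; i++)
        if (toy_next_index_insert(t) == FAILURE) {
            fputs("Warning: Cannot add element to the array as the next element is already occupied\n", stderr);
            return -1;
        }
    return t->count;
}

int main(void) {
    toy_table a = report_state(), b = report_state();
    printf("unchecked=%d checked=%d\n", push_unchecked(&a, 2), push_checked(&b, 2));
    return 0;
}
```

The unchecked push returns the unchanged element count, so a caller cannot tell that both values were discarded.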
[2007-06-14 15:51 UTC] zoe@php.net
In case this helps - I think I can see where the problem is in the code:

In zend_fetch_dimension_address in zend_execute.c the following code snippet:

    case IS_ARRAY:
        if ((type==BP_VAR_W || type==BP_VAR_RW) && container->refcount>1 && !PZVAL_IS_REF(container)) {
            SEPARATE_ZVAL(container_ptr);
            container = *container_ptr;
        }
        if (dim == NULL) {
            zval *new_zval = &EG(uninitialized_zval);
            new_zval->refcount++;
            if (zend_hash_next_index_insert(Z_ARRVAL_P(container), &new_zval, sizeof(zval *), (void **) &retval) == FAILURE) {
                zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
                retval = &EG(error_zval_ptr);
                new_zval->refcount--;
            }

But in array_push in ext/standard/array.c is the following code:

    /* For each subsequent argument, make it a reference, increase refcount, and add it to the end of the array */
    for (i=1; i<argc; i++) {
        new_var = *args[i];
        new_var->refcount++;
        zend_hash_next_index_insert(Z_ARRVAL_P(stack), &new_var, sizeof(zval *), NULL);
    }

It looks as though this code should be checking the return code from zend_hash_next_index_insert and reporting the error.

[2007-06-24 17:37 UTC] iliaa@php.net