segmentation fault in string to array conversion
| Bug #41813 | segmentation fault in string to array conversion | | |
|---|---|---|---|
| Submitted: | 2007-06-26 15:23 UTC | Modified: | 2007-06-27 08:56 UTC |
| From: | jontsa at amigaone dot cc | Assigned: | dmitry (profile) |
| Status: | Closed | Package: | Scripting Engine problem |
| PHP Version: | 5.2.4-dev | OS: | Gentoo Linux |
| Private report: | No | CVE-ID: | None |

[2007-06-26 15:23 UTC] jontsa at amigaone dot cc
Description:
------------
If you convert a non-empty string to an array with object as value, you get a segmentation fault. Tested on Gentoo Linux and Solaris with Apache 2 and PHP 5.2.3. There's no segmentation fault when converting for example a scalar variable but an error message as expected.

Also tested from shell using:

```
# echo '<?php $foo="50";$foo[0]->bar="xyz"; ?>' | /opt/php5/bin/php
Segmentation fault
```

Reproduce code:
---------------

```
$foo="50";
$foo[0]->bar="xyz";
```

Expected result:
----------------
An error message of some sort.

Actual result:
--------------
From apache logs:

```
[Tue Jun 26 18:03:23 2007] [notice] child pid 16155 exit signal Segmentation fault (11)
```

[2007-06-27 08:15 UTC] judas dot iscariote at gmail dot com
Index: Zend/zend_execute.c =================================================================== RCS file: /repository/ZendEngine2/zend_execute.c,v retrieving revision 1.716.2.12.2.20 diff -u -r1.716.2.12.2.20 zend_execute.c --- Zend/zend_execute.c 6 Jun 2007 08:35:23 -0000 1.716.2.12.2.20 +++ Zend/zend_execute.c 27 Jun 2007 08:14:40 -0000 @@ -530,6 +530,10 @@ zval *value = get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R); zval **retval = &T(result->u.var).var.ptr; + if (!object_ptr) { + zend_error_noreturn(E_ERROR, "Cannot use string offset as an array"); + } + if (*object_ptr == EG(error_zval_ptr)) { FREE_OP(free_op2); if (!RETURN_VALUE_UNUSED(result)) {[2007-06-27 08:56 UTC] tony2001@php.net
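
Review bot: The message passed to `zend_error_noreturn` in the added `!object_ptr` check reads "Cannot use string offset as an array", while the statement that crashes in the report is a property assignment through a string offset (`$foo[0]->bar="xyz"`); wording that names the object or property use would point the user at the actual mistake. The check is correctly placed before the `*object_ptr` dereference in the following `if`, but it sits after `get_zval_ptr(value_op, Ts, &free_value, BP_VAR_R)`, so please confirm that leaving through `zend_error_noreturn` without releasing `free_value` is acceptable here, given that the neighbouring error branch calls `FREE_OP(free_op2)` before continuing. The patch carries no regression test; the two-line reproduce case from the report would serve as one.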