Crash on using uninitialized vals and __get/__set
| Bug #43201 | Crash on using uninitialized vals and __get/__set | | |
|---|---|---|---|
| Submitted: | 2007-11-05 18:15 UTC | Modified: | 2007-11-09 09:28 UTC |
| From: | stas at zend dot com | Assigned: | dmitry (profile) |
| Status: | Closed | Package: | Scripting Engine problem |
| PHP Version: | 5.2CVS-2007-11-05 (CVS) | OS: | * |
| Private report: | No | CVE-ID: | None |

[2007-11-05 18:15 UTC] stas at zend dot com
Description:
------------
Code modifying the result of __get (erroneously) and using undefined variables crashes, apparently because of uninitialized_zval being freed.

Reproduce code:
---------------
<?php
class Foo {
    function __get($k) {
        return null;
    }
    function __set($k, $v) {
        $this->$k = $v;
    }
}
$c = new Foo();
$c->arr[0]["k"] = 1;
$c->arr[0]["k2"] = $ref;
for($cnt=0;$cnt<6;$cnt++) {
    $ref = chop($undef);
    $c->arr[$cnt]["k2"] = $ref;
}
?>

Expected result:
----------------
No crash :)
Actual result:
--------------
On Windows - crash
On Unix debug -
php5/Zend/zend_hash.c(517) : ht=0xa533520 is being destroyed
[2007-11-05 18:20 UTC] stas@php.net
Shorter version:
<?php
class Foo {
    function __get($k) {
        return null;
    }
}
$c = new Foo();
$c->arr[0]["k"] = 1;
$c->arr[0]["k2"] = $undef;
for($cnt=0;$cnt<6;++$cnt) {
    $c->arr[$cnt]["k2"] = chop($undef);
}
?>
[2007-11-09 09:28 UTC] dmitry@php.net