Crash when assigning value to a dimension in a non-array
| Bug #54262 | Crash when assigning value to a dimension in a non-array | | |
|---|---|---|---|
| Submitted: | 2011-03-16 01:48 UTC | Modified: | 2019-09-26 09:34 UTC |
| From: | stas@php.net | Assigned: | dmitry |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.3SVN-2011-03-16 (SVN) | OS: | MacOS X 10.6.6 |
| Private report: | No | CVE-ID: | None |
[2011-03-16 01:48 UTC] stas@php.net
Description:
------------
Reported by Christian Holler on the mailing list; the test named
'crashMemCorruptionZvalDtorFunc' produces the following on valgrind:
==71892== Invalid read of size 4
==71892== at 0x51D7EA: zend_hash_destroy (in /Users/smalyshev/mphp)
==71892== by 0x50DFCC: _zval_dtor_func (in /Users/smalyshev/mphp)
==71892== by 0x4FFB62: _zval_dtor (in /Users/smalyshev/mphp)
==71892== by 0x4FFEB6: _zval_ptr_dtor (in /Users/smalyshev/mphp)
==71892== by 0x5B0982: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (in /Users/smalyshev/mphp)
==71892== by 0x53AB23: execute (in /Users/smalyshev/mphp)
==71892== by 0x510794: zend_execute_scripts (in /Users/smalyshev/mphp)
==71892== by 0x49D228: php_execute_script (in /Users/smalyshev/mphp)
==71892== by 0x5D2CDD: main (in /Users/smalyshev/mphp)
==71892== Address 0x5c is not stack'd, malloc'd or (recently) free'd
The bug seems to be because in ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER,
error_zval_ptr is used to assign to it as if it were an array, which seems to lead
to unexpected consequences.
Test script:
---------------
<?php
$a = '0';
var_dump(isset($a['b']));
$simpleString = preg_match('//', '', $a->a);
$simpleString["wrong"] = "f";
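
A simplified C model of the pattern the report describes, added here as an illustration and not taken from the Zend Engine or from this report: a failed write-fetch returns a shared error sentinel, an unchecked assignment writes through it, and a checked assignment leaves it alone. All type and function names are hypothetical.

```c
#include <stdio.h>

/* Simplified model, NOT Zend Engine source: every name here is hypothetical. */
enum vtype { T_NULL, T_LONG, T_STRING, T_ARRAY };

struct value {
    enum vtype type;
    const char *str;       /* payload when type == T_STRING */
    int nslots;            /* payload when type == T_ARRAY  */
    struct value *slots;
};

/* One process-wide sentinel handed back whenever a write-fetch fails. */
static struct value error_value = { T_NULL, NULL, 0, NULL };

/* Fetch a slot for writing; non-arrays and bad indexes yield the sentinel. */
static struct value *fetch_dim_for_write(struct value *c, int idx)
{
    if (c->type != T_ARRAY || idx < 0 || idx >= c->nslots)
        return &error_value;
    return &c->slots[idx];
}

/* Flawed: stores through whatever the fetch returned, sentinel included. */
static int assign_dim_unchecked(struct value *c, int idx, const char *s)
{
    struct value *slot = fetch_dim_for_write(c, idx);
    slot->type = T_STRING;
    slot->str = s;
    return 0;
}

/* Hardened: a failed fetch is reported and the sentinel stays untouched. */
static int assign_dim_checked(struct value *c, int idx, const char *s)
{
    struct value *slot = fetch_dim_for_write(c, idx);
    if (slot == &error_value)
        return -1;
    slot->type = T_STRING;
    slot->str = s;
    return 0;
}

int main(void)
{
    struct value scalar = { T_LONG, NULL, 0, NULL };   /* constructed input */
    int rc = assign_dim_checked(&scalar, 0, "f");
    printf("checked:   rc=%d sentinel type=%d\n", rc, (int)error_value.type);
    rc = assign_dim_unchecked(&scalar, 0, "f");
    printf("unchecked: rc=%d sentinel type=%d\n", rc, (int)error_value.type);
    return 0;
}
```

Once the unchecked path has run, every later code path that receives the sentinel sees a value whose type no longer matches what it expects.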
[2011-03-16 03:08 UTC] stas@php.net
[2011-03-16 06:05 UTC] stas@php.net
-Type: Bug +Type: Security -Private report: N +Private report: Y
[2011-03-16 12:15 UTC] dmitry@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: dmitry
[2011-03-16 12:15 UTC] dmitry@php.net