Home Original page

strtr with empty array crashes

Bug #67151 strtr with empty array crashes
Submitted: 2014-04-29 16:34 UTC Modified: 2014-05-05 21:58 UTC
From: nikic@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.0beta1 OS:
Private report: No CVE-ID: None

 [2014-04-29 16:34 UTC] nikic@php.net

Description:
------------
<?php
var_dump(strtr("foo", []));

Valgrind:

==24828== Invalid read of size 1
==24828==    at 0x817D0EA: php_strtr_hash (string.c:2836)
==24828==    by 0x817DC37: php_strtr_array_do_repl (string.c:3049)
==24828==    by 0x817E255: php_strtr_array (string.c:3113)
==24828==    by 0x817E412: zif_strtr (string.c:3144)
==24828==    by 0x82A7E96: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==24828==    by 0x82AD85B: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2585)
==24828==    by 0x82A7392: execute_ex (zend_vm_execute.h:363)
==24828==    by 0x82A7447: zend_execute (zend_vm_execute.h:388)
==24828==    by 0x8266A15: zend_execute_scripts (zend.c:1330)
==24828==    by 0x81C77A3: php_execute_script (main.c:2549)
==24828==    by 0x831669C: do_cli (php_cli.c:994)
==24828==    by 0x8317BF6: main (php_cli.c:1378)
==24828==  Address 0x43fb16d is 3 bytes before a block of size 4 alloc'd
==24828==    at 0x402BE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==24828==    by 0x822C278: _emalloc (zend_alloc.c:2427)
==24828==    by 0x822C795: _estrndup (zend_alloc.c:2650)
==24828==    by 0x82624DD: _zval_copy_ctor_func (zend_variables.c:126)
==24828==    by 0x82A1BF1: _zval_copy_ctor (zend_variables.h:45)
==24828==    by 0x82ADC3E: ZEND_SEND_VAL_SPEC_CONST_HANDLER (zend_vm_execute.h:2754)
==24828==    by 0x82A7392: execute_ex (zend_vm_execute.h:363)
==24828==    by 0x82A7447: zend_execute (zend_vm_execute.h:388)
==24828==    by 0x8266A15: zend_execute_scripts (zend.c:1330)
==24828==    by 0x81C77A3: php_execute_script (main.c:2549)
==24828==    by 0x831669C: do_cli (php_cli.c:994)
==24828==    by 0x8317BF6: main (php_cli.c:1378)
==24828== 
string(3) "foo"
==24828== 
==24828== HEAP SUMMARY:
==24828==     in use at exit: 0 bytes in 0 blocks
==24828==   total heap usage: 12,026 allocs, 12,026 frees, 1,114,247 bytes allocated
==24828== 
==24828== All heap blocks were freed -- no leaks are possible
==24828== 
==24828== For counts of detected and suppressed errors, rerun with: -v
==24828== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2014-05-05 21:57 UTC] tyrael@php.net

I can't reproduce the script, could you tell me which platform did you experience it, and your exact configure line?

 [2014-06-17 10:44 UTC] jocelyn dot fournier at gmail dot com

Hi,

Don't know if it's related, but I also have an issue with strtr reported by valgrind, on php 5.5.13 : 

==11275== Use of uninitialised value of size 8
==11275==    at 0x8DC69D4: php_strtr_array_do_repl (string.c:3055)
==11275==    by 0x8DC70D1: php_strtr_array (string.c:3118)
==11275==    by 0x8DC72AC: zif_strtr (string.c:3149)
==11275==    by 0x8FD2F28: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==11275==    by 0x8FD39BD: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:685)
==11275==    by 0x8FD225A: execute_ex (zend_vm_execute.h:363)
==11275==    by 0x8FD2340: zend_execute (zend_vm_execute.h:388)
==11275==    by 0x8F75963: zend_call_function (zend_execute_API.c:939)
==11275==    by 0x8D8023C: zif_call_user_func_array (basic_functions.c:4806)
==11275==    by 0x8FD2F28: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==11275==    by 0x8FD39BD: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:685)
==11275==    by 0x8FD225A: execute_ex (zend_vm_execute.h:363)
==11275== 

Thanks and regards,
  Jocelyn Fournier

 [2014-07-02 20:37 UTC] nikic@php.net

-Status: Feedback +Status: Closed