ID:               42817
User updated by:  victor dot stinner at inl dot fr
Reported By:      victor dot stinner at inl dot fr
Status:           Closed
Bug Type:         Scripting Engine problem
Operating System: Linux
PHP Version:      5.2.4
Assigned To:      iliaa
New Comment:

"Bug fixed in CVS", great!

I saw that you added 3 unit tests:

  <?php $a = clone(null); array_push($a->b, $c); ?>
  <?php $foo = clone(array()); ?>
  <?php $a = clone 0; $a[0]->b = 0; ?>

So there are more cases than just the one in my bug report :-)

I hope that the next release will be released quickly because my error.log is full of segfault messages :-)

Previous Comments:
------------------------------------------------------------------------

[2007-10-04 23:26:10] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------

[2007-10-02 14:57:21] misc at inl dot fr

I can also reproduce the problem on a box running mandriva 2007.0, with this version of php: apache-mod_php-5.1.6-2mdv2007.0, and I have this error in the log:

[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning: __clone method called on non-object in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning: array_push() [<a href='function.array-push'>function.array-push</a>]: First argument should be an array in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:36 2007] [notice] child pid 30185 exit signal Segmentation fault (11)

------------------------------------------------------------------------

[2007-10-02 14:56:32] victor dot stinner at inl dot fr

Hum, I forgot to specify the PHP version: 5.2.4 (latest). I compiled it from source code with "./configure --enable-debug" to detect the overflow.

Victor Stinner

------------------------------------------------------------------------

[2007-10-01 17:13:42] victor dot stinner at inl dot fr

Description:
------------
Hi,

I found a critical bug (security issue) in my web application. The code to reproduce it is quite simple (see above). With apache, the result is a line in error.log:

  [notice] child pid 14988 exit signal Segmentation fault (11).

My config: Ubuntu Feisty on Intel Celeron M 420 (32-bit).

Victor Stinner
http://www.inl.fr/

Reproduce code:
---------------
<?php
$a = clone(null);
array_push($a->b, $c);
?>

Expected result:
----------------
no crash

Actual result:
--------------
Warning: array_push(): First argument should be an array in crash.php on line 3
---------------------------------------
/home/haypo/php-5.2.4/Zend/zend_variables.c(175) : Block 0x084774b8 status:
/home/haypo/php-5.2.4/Zend/zend_execute.h(70) : Actual location (location was relayed)
Beginning:      Freed (magic=0x00000000, expected=0x99954317)
Start:          Overflown (magic=0x084774A4 instead of 0x496A04CC)
                At least 4 bytes overflown
End:            Overflown (magic=0x00000000 instead of 0x39D5CB7E)
                At least 4 bytes overflown
---------------------------------------

------------------------------------------------------------------------
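The crash in this report is triggered entirely from userland: `clone` is applied to a non-object, and `array_push` is then given a property of that non-object. Until a build with the CVS fix is deployed, the application side can refuse both conditions before the engine ever sees them. The following is an added example, not code from the bug report or from PHP itself; the function names `safeClone` and `pushToProperty` are assumptions chosen for illustration, and the sample values are constructed.

```php
<?php
// Added example (not from the bug report): guard the two operations that
// the report shows crashing PHP 5.2.4 when fed a non-object.

function safeClone($value)
{
    // clone is only defined for objects. On the affected builds a clone of
    // null produced a warning followed by a heap overflow, so reject
    // non-objects explicitly instead of letting the engine handle it.
    if (!is_object($value)) {
        throw new InvalidArgumentException(
            'clone requires an object, got ' . gettype($value)
        );
    }
    return clone $value;
}

function pushToProperty($obj, $prop, $item)
{
    if (!is_object($obj)) {
        throw new InvalidArgumentException(
            'expected an object, got ' . gettype($obj)
        );
    }
    // Make sure the property exists and is an array, so array_push never
    // receives an undefined or non-array first argument (the second
    // warning in the reproduce case).
    if (!isset($obj->$prop) || !is_array($obj->$prop)) {
        $obj->$prop = array();
    }
    array_push($obj->$prop, $item);
    return count($obj->$prop);
}

// Constructed sample usage: a real object behaves as expected ...
$source = new stdClass();
$source->b = array('first');
$copy = safeClone($source);
pushToProperty($copy, 'b', 'second');
printf("copy has %d element(s), source has %d\n",
    count($copy->b), count($source->b));   // shallow clone: 2 and 1

// ... and the input from the original report is refused before any
// engine-level clone or array_push takes place.
try {
    safeClone(null);
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

The checks cost nothing on the normal path and turn the reported segfault into an ordinary exception that the application can log, which also makes the offending request visible in the application log rather than only as a child-process exit notice in Apache's error.log.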