Edit report at http://bugs.php.net/bug.php?id=54262&edit=1

 ID:                 54262
 Comment by:         s...@php.net
 Reported by:        s...@php.net
 Summary:            Crash when assigning value to a dimension in a non-array
 Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   MacOS X 10.6.6
 PHP Version:        5.3SVN-2011-03-16 (SVN)
 Block user comment: N
 Private report:     N

 New Comment:

Looks like SEND_REF in preg_match() line makes error_zval_ptr not point to
error_zval, which may be the source of the problem...


Previous Comments:
------------------------------------------------------------------------
[2011-03-16 01:48:50] s...@php.net

Description:
------------
Reported by Christian Holler on mailing list, test named
'crashMemCorruptionZvalDtorFunc', produces the following on valgrind:

==71892== Invalid read of size 4
==71892==    at 0x51D7EA: zend_hash_destroy (in /Users/smalyshev/mphp)
==71892==    by 0x50DFCC: _zval_dtor_func (in /Users/smalyshev/mphp)
==71892==    by 0x4FFB62: _zval_dtor (in /Users/smalyshev/mphp)
==71892==    by 0x4FFEB6: _zval_ptr_dtor (in /Users/smalyshev/mphp)
==71892==    by 0x5B0982: ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER (in /Users/smalyshev/mphp)
==71892==    by 0x53AB23: execute (in /Users/smalyshev/mphp)
==71892==    by 0x510794: zend_execute_scripts (in /Users/smalyshev/mphp)
==71892==    by 0x49D228: php_execute_script (in /Users/smalyshev/mphp)
==71892==    by 0x5D2CDD: main (in /Users/smalyshev/mphp)
==71892==  Address 0x5c is not stack'd, malloc'd or (recently) free'd

The bug seems to be because in ZEND_ASSIGN_DIM_SPEC_CV_CONST_HANDLER,
error_zval_ptr is used to assign to it as if it were array, which seems to
lead to unexpected consequences.

Test script:
---------------
$a = '0';
var_dump(isset($a['b']));
$simpleString = preg_match('//', '', $a->a);
$simpleString["wrong"] = "f";

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/bug.php?id=54262&edit=1