From:             cluby at omniture dot com
Operating system: Linux
PHP version:      4CVS-2003-10-13 (stable)
PHP Bug Type:     Reproducible crash
Bug description:  Segfault when copying uninitialized variable into array sub-index

Description:
------------
The following snippet will cause a segfault in the CGI binary 4.3.1 and up
including the latest snapshot using the default configure.  It seemed to
work fine in 4.1.2.  When testing with the latest snapshot no changes were
made to php.ini:

<?php
$data = array();
for ($i = 0; $i < 70000; $i++) {
    $data[$i][1] = $x; // $x is deliberately undefined
}
?>

It segfaults when $i = 65533.  It seems to be tied to the fact that it is
copying the value of an uninitialized variable into a sub-index of an
array.  If you change the copy line to this:

    $y = 'foo';
    ...
    $data[$i][1] = $y;

or this:

    $data[$i] = $x;

it will not segfault.

Reproduce code:
---------------
<?php
$data = array();
for ($i = 0; $i < 70000; $i++) {
    $data[$i][1] = $x; // $x is deliberately undefined
}
?>

Expected result:
----------------
No segfault.  Possibly fill sub-index 1 with "undefined" values, or not
modify the array at all because there is nothing to copy.

Actual result:
--------------
Segfault when $i = 65533

GDB backtrace on CGI binary and core file:

#0  0x0810e2bd in zend_hash_index_find (ht=0x0, h=1, pData=0x0) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_hash.c:962
#1  0x08117f61 in zend_fetch_dimension_address_inner (ht=0x910dbc4, op2=0x8191c78, Ts=0xbfffd3f0, type=1) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_execute.c:665
#2  0x08112b41 in zend_fetch_dimension_address (result=0x8191c58, op1=0x815f024, op2=0x8191c78, Ts=0xbfffd3f0, type=1) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_execute.c:787
#3  0x08116c01 in execute (op_array=0x818d7f4) at /usr/local/src/php4-STABLE-200310131730/Zend/zend_execute.c:1287
#4  0x0810a313 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php4-STABLE-200310131730/Zend/zend.c:885
#5  0x080e9097 in php_execute_script (primary_file=0xbffff9b0) at /usr/local/src/php4-STABLE-200310131730/main/main.c:1729
#6  0x081192da in main (argc=2, argv=0xbffffa34) at /usr/local/src/php4-STABLE-200310131730/sapi/cgi/cgi_main.c:1578
#7  0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6

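A small triage harness, added here as an example and not part of the original report, that writes the three variants the report compares (nested index with undefined $x, nested index with defined $y, flat index with undefined $x) to separate files, runs each in a fresh php-cgi process, and classifies the exit status so a crash on a signal (139 = SIGSEGV) is told apart from a clean run or a PHP-level error. PHP_BIN, LOOP_COUNT and the function names are assumptions, not anything from the bug tracker.

```shell
#!/bin/sh
# Crash-triage harness for the report above. PHP_BIN and LOOP_COUNT are
# assumed names; override them in the environment if needed.
PHP_BIN="${PHP_BIN:-php-cgi}"
LOOP_COUNT="${LOOP_COUNT:-70000}"

# write_variant NAME BODY: wrap BODY in the loop from the report and print
# the path of the generated script. $y is defined so the "defined" variant
# has something to copy; $x is never assigned.
write_variant() {
    file="${TMPDIR:-/tmp}/variant_$1.php"
    cat > "$file" <<EOF
<?php
\$data = array();
\$y = 'foo';
for (\$i = 0; \$i < $LOOP_COUNT; \$i++) {
    $2
}
echo "done\n";
EOF
    echo "$file"
}

# describe_exit STATUS: a shell reports a process killed by a signal as
# 128 + signal number, so 139 means SIGSEGV (11).
describe_exit() {
    if [ "$1" -eq 0 ]; then
        echo "clean exit"
    elif [ "$1" -gt 128 ]; then
        echo "killed by signal $(( $1 - 128 ))"
    else
        echo "nonzero exit $1"
    fi
}

# run_variant NAME BODY: run one generated script in its own interpreter
# process so a crash in one variant cannot affect the others.
run_variant() {
    file=$(write_variant "$1" "$2")
    "$PHP_BIN" -q "$file" >/dev/null 2>&1
    status=$?
    echo "$1: $(describe_exit "$status")"
    return 0
}

# Only run the interpreter if it is actually installed.
if command -v "$PHP_BIN" >/dev/null 2>&1; then
    run_variant nested_undef   '$data[$i][1] = $x; // $x is undefined'
    run_variant nested_defined '$data[$i][1] = $y;'
    run_variant flat_undef     '$data[$i] = $x;'
fi
```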
-- 
Edit bug report at http://bugs.php.net/?id=25856&edit=1