From: ikaraszi at prim dot hu
Operating system: Debian GNU/Linux unstable
PHP version: 4.3.3
PHP Bug Type: Reproducible crash
Bug description: returning references crash
Description:
------------
Our scripts (both mod_php and CGI/command line version) segfaulted.
Tracing the problem showed that the errors occurred after a return()
statement. (The program ran ok until the return statement, but it never
did return into the function calling it.)
We have been able to reproduce the possible basis of the problem, see the
attached code. This code doesn't segfault, but does display an error. We
think that more complex usage leads to segfaults.
The following backtrace has been produced with one of our complex scripts,
not the one attached, so it's only provided for reference.
---------------------------------------------------
Program received signal SIGSEGV, Segmentation fault.
0x081455c9 in _mem_block_check (ptr=0x81ceaa4, silent=0, __zend_filename=0x81aff00 "/root/php4-4.3.3/Zend/zend_execute.c", __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php4-4.3.3/Zend/zend_alloc.c:675
675     memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) bt
#0  0x081455c9 in _mem_block_check (ptr=0x81ceaa4, silent=0, __zend_filename=0x81aff00 "/root/php4-4.3.3/Zend/zend_execute.c", __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php4-4.3.3/Zend/zend_alloc.c:675
#1  0x081456ce in _mem_block_check (ptr=0x81ceaa4, silent=1, __zend_filename=0x81aff00 "/root/php4-4.3.3/Zend/zend_execute.c", __zend_lineno=271, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /root/php4-4.3.3/Zend/zend_alloc.c:683
#2  0x08144b42 in _efree (ptr=0x81ceaa4, __zend_filename=0x3ffff038 <Address 0x3ffff038 out of bounds>, __zend_lineno=1073737784, __zend_orig_filename=0x3ffff038 <Address 0x3ffff038 out of bounds>, __zend_orig_lineno=1073737784) at /root/php4-4.3.3/Zend/zend_alloc.c:243
#3  0x081609f0 in zend_assign_to_variable_reference (result=0x83cfa18, variable_ptr_ptr=0x847aef8, value_ptr_ptr=0x83d95e0, Ts=0xbfffe6cc) at /root/php4-4.3.3/Zend/zend_execute.c:271
#4  0x08162845 in execute (op_array=0x83cdfa8) at /root/php4-4.3.3/Zend/zend_execute.c:163
#5  0x0814c72f in call_user_function_ex (function_table=0x0, object_pp=0x0, function_name=0x0, retval_ptr_ptr=0xbffff038, param_count=0, params=0x8344c7c, no_separation=1, symbol_table=0x0) at /root/php4-4.3.3/Zend/zend_execute_API.c:567
#6  0x0814c152 in call_user_function (function_table=0x3ffff038, object_pp=0x3ffff038, function_name=0x3ffff038, retval_ptr=0xbffff070, param_count=0, params=0x83d93d0) at /root/php4-4.3.3/Zend/zend_execute_API.c:409
#7  0x080bd610 in user_shutdown_function_call (shutdown_function_entry=0x83d8d74) at /root/php4-4.3.3/ext/standard/basic_functions.c:2007
#8  0x08159c88 in zend_hash_apply (ht=0x833be3c, apply_func=0x80bd5d0 <user_shutdown_function_call>) at /root/php4-4.3.3/Zend/zend_hash.c:698
#9  0x080bd929 in php_call_shutdown_functions () at /root/php4-4.3.3/ext/standard/basic_functions.c:2088
#10 0x08124da2 in php_request_shutdown (dummy=0x0) at /root/php4-4.3.3/main/main.c:980
#11 0x08168bf0 in main (argc=4, argv=0xbffff804) at /root/php4-4.3.3/sapi/cli/php_cli.c:869
Reproduce code:
---------------
<?php
class Test {
    var $testarray = array();

    function testCase() {
        $x =& $this->getNull();
        var_dump($x);
        if (is_object($x['element'])) {
            return(true);
        }
        return(false);
    }

    function &getNull() {
        /**
         * uncomment following (two) lines to work around the
         * problem
         */
        //if (isset($testarray['test']))
        return($testarray['test']);
        //return(NULL);
        return($testarray['test']);
    }
}

$t = new Test();
$t->testCase();
?>
Expected result:
----------------
NULL
Actual result:
--------------
NULL
/root/php4-4.3.3/Zend/zend_execute.c(1711) : Freeing 0x0820E0C4 (12 bytes), script=test-case2.php
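The guard that the reporter's commented-out lines hint at, written out as an added example rather than the reporter's own code: the reference-returning method only hands back a reference when the element exists, and the caller checks the shape of what it got before indexing into it. It assumes the array meant is the $testarray property (the original reads a local $testarray) and that a plain NULL is acceptable to the caller when the key is missing.

```php
<?php
// Added example, not the reporter's reproduce code.
class Test {
    var $testarray = array();

    // Returns a reference to an existing element, or a plain NULL otherwise.
    // Returning a reference to a missing key would create that key as a
    // side effect, which is the pattern the reproduce code above relies on.
    function &getElement($key) {
        if (isset($this->testarray[$key])) {
            return $this->testarray[$key];
        }
        // PHP cannot return a reference to a literal, so hand back a
        // named variable that holds NULL instead.
        $null = NULL;
        return $null;
    }

    function testCase() {
        // Missing key: $x is NULL and no 'test' entry has been created.
        $x =& $this->getElement('test');
        var_dump($x);
        var_dump(array_key_exists('test', $this->testarray));

        // Existing key: the returned reference writes through to the property.
        $this->testarray['test'] = array('element' => 'value');
        $y =& $this->getElement('test');
        $y['element'] = 'changed';
        var_dump($this->testarray['test']['element']);

        // Check the shape before indexing, instead of trusting $x['element'].
        return is_array($x) && isset($x['element']) && is_object($x['element']);
    }
}

$t = new Test();
var_dump($t->testCase());
?>
```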
--
Edit bug report at http://bugs.php.net/?id=26053&edit=1