From:             Markus dot Lidel at shadowconnect dot com
Operating system: Linux
PHP version:      Irrelevant
PHP Bug Type:     Reproducible crash
Bug description:  zend_fetch_list_dtor_id() doesn't check NULL strings

Description:
------------
If you use the zend_fetch_list_dtor_id function, and you have for example
loaded the "crack" extension (which registers a destructor using the
function register_list_destructors()), PHP crashes. The source of the
problem is this line:

if (strcmp(type_name, lde->type_name) == 0) {

register_list_destructors() sets lde->type_name to NULL. If you replace
the code with

if (lde->type_name && (strcmp(type_name, lde->type_name) == 0)) {

the function works fine.

Reproduce code:
---------------
int id = zend_fetch_list_dtor_id("foo");


-- 
Edit bug report at http://bugs.php.net/?id=26753&edit=1
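
Added example, not part of the original report and not Zend Engine code: a small self-contained model of the lookup described above, where one destructor entry has no type name and the lookup applies the guard proposed in the report. The struct, table, and function names (dtor_entry, register_dtor, fetch_dtor_id) are hypothetical, as is the convention of returning 0 when nothing matches.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a list-destructor entry; not the Zend struct. */
typedef struct {
    int resource_id;
    const char *type_name;   /* NULL when registered without a name */
} dtor_entry;

#define MAX_DTORS 8
static dtor_entry table[MAX_DTORS];
static int table_len = 0;

/* Hypothetical registration helper: type_name may be NULL, which is the
 * state the report describes for register_list_destructors(). */
int register_dtor(const char *type_name)
{
    if (table_len >= MAX_DTORS) return 0;
    table[table_len].resource_id = table_len + 1;
    table[table_len].type_name = type_name;
    return table[table_len++].resource_id;
}

/* Lookup with the guard from the report: unnamed entries are skipped
 * before strcmp() is reached. The NULL check on the query is an extra
 * precaution added in this example. Returns 0 if no entry matches. */
int fetch_dtor_id(const char *type_name)
{
    if (type_name == NULL) return 0;
    for (int i = 0; i < table_len; i++) {
        const dtor_entry *lde = &table[i];
        if (lde->type_name && strcmp(type_name, lde->type_name) == 0)
            return lde->resource_id;
    }
    return 0;
}

int main(void)
{
    register_dtor(NULL);              /* unnamed entry, as in the report */
    int named = register_dtor("foo"); /* constructed sample name */
    printf("foo -> %d (registered as %d)\n", fetch_dtor_id("foo"), named);
    printf("bar -> %d\n", fetch_dtor_id("bar"));
    return 0;
}
```

Without the `lde->type_name &&` test, the loop would pass the NULL name of the first entry to strcmp() before ever reaching "foo".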
