#26696 [Ver->Ctl]: Using string index in a switch() crashes

iliaa Tue, 06 Jan 2004 10:17:45 -0800

 ID:               26696
 Updated by:       [EMAIL PROTECTED]
 Reported By:      saruman at northernhacking dot org
-Status:           Verified
+Status:           Critical
 Bug Type:         Zend Engine 2 problem
 Operating System: *
 PHP Version:      5CVS-2004-01-02
 New Comment:


 


Previous Comments:
------------------------------------------------------------------------

[2004-01-02 10:43:39] [EMAIL PROTECTED]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 20298)]
0x08357f99 in zend_pzval_unlock_func (z=0x1) at
/usr/src/web/php/php5/Zend/zend_execute.c:64
64              z->refcount--;
(gdb) bt
#0  0x08357f99 in zend_pzval_unlock_func (z=0x1) at
/usr/src/web/php/php5/Zend/zend_execute.c:64
#1  0x08358499 in zend_switch_free (opline=0x40e491f8, Ts=0xbfffd640)
at /usr/src/web/php/php5/Zend/zend_execute.c:198
#2  0x083545d6 in zend_switch_free_handler (execute_data=0xbfffd7a0,
op_array=0x40e48704)
    at /usr/src/web/php/php5/Zend/zend_execute.c:3072
#3  0x0834efd8 in execute (op_array=0x40e48704) at
/usr/src/web/php/php5/Zend/zend_execute.c:1260
#4  0x0832d924 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /usr/src/web/php/php5/Zend/zend.c:1050
#5  0x082eac2c in php_execute_script (primary_file=0xbffffba0) at
/usr/src/web/php/php5/main/main.c:1642
#6  0x08367237 in main (argc=2, argv=0xbffffc34) at
/usr/src/web/php/php5/sapi/cli/php_cli.c:924


------------------------------------------------------------------------

[2003-12-22 17:22:03] saruman at northernhacking dot org

This bug is very similar to #26281, in fact, it's probably the same.

------------------------------------------------------------------------

[2003-12-22 17:00:20] [EMAIL PROTECTED]

Maybe related to bug #17997

------------------------------------------------------------------------

[2003-12-22 14:51:55] saruman at northernhacking dot org

case '?': is the culprit.

------------------------------------------------------------------------

[2003-12-22 14:33:53] saruman at northernhacking dot org

Description:
------------
The ONLY change I'd done is install php-5.0.0b3 with the same config as
the php-5.0.0b2 it replaced.

Config vars:

Configure Command  './configure' '--with-pear' '--with-pgsql'
'--with-apxs=/usr/local/apache/bin/apxs' '--enable-mbstring'
'--prefix=/usr/local/php5' '--with-libxml-dir=/usr'

Using this with php-5.0.0b2 works as expected. This behavior of a
string is required by DB.php in PEAR, amongst others.

Reproduce code:
---------------
<?php

//$str = Array('a', 's', 'd', 'd', '/', '?');
$str = 'asdd/?';
$len = strlen($str);
for ($i = 0; $i < $len; $i++) {
        switch ($str[$i]) {
                case '?':
                        echo '?';
                        break;
        }
}

?>
Did not crash.

Expected result:
----------------
?Did not crash.

Actual result:
--------------
>From error_log:
[Mon Dec 22 14:15:38 2003] [notice] child pid 30170 exit signal
Segmentation fault (11)
[Mon Dec 22 14:15:38 2003] [notice] child pid 30187 exit signal
Segmentation fault (11)

The two response are because MSIE seems to do a second query when the
first one unexpectedly close.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=26696&edit=1

#26696 [Ver->Ctl]: Using string index in a switch() crashes

Reply via email to