ID: 41813
Comment by: judas dot iscariote at gmail dot com
Reported By: jontsa at amigaone dot cc
Status: Open
Bug Type: Scripting Engine problem
Operating System: Gentoo Linux
PHP Version: 5.2.4-dev
New Comment:
Index: Zend/zend_execute.c
===================================================================
RCS file: /repository/ZendEngine2/zend_execute.c,v
retrieving revision 1.716.2.12.2.20
diff -u -r1.716.2.12.2.20 zend_execute.c
--- Zend/zend_execute.c 6 Jun 2007 08:35:23 -0000
1.716.2.12.2.20
+++ Zend/zend_execute.c 27 Jun 2007 08:14:40 -0000
@@ -530,6 +530,10 @@
zval *value = get_zval_ptr(value_op, Ts, &free_value,
BP_VAR_R);
zval **retval = &T(result->u.var).var.ptr;
+ if (!object_ptr) {
+ zend_error_noreturn(E_ERROR, "Cannot use string offset
as an array");
+ }
+
if (*object_ptr == EG(error_zval_ptr)) {
FREE_OP(free_op2);
if (!RETURN_VALUE_UNUSED(result)) {
Previous Comments:
------------------------------------------------------------------------
[2007-06-26 15:53:29] [EMAIL PROTECTED]
Verified.
------------------------------------------------------------------------
[2007-06-26 15:23:35] jontsa at amigaone dot cc
Description:
------------
If you convert a non-empty string to an array with object as value, you
get a segmentation fault. Tested on Gentoo Linux and Solaris with Apache
2 and PHP 5.2.3. Theres no segmentation fault when converting for
example a scalar variable but an error message as expected.
Also tested from shell using:
# echo '<?php $foo="50";$foo[0]->bar="xyz"; ?>' | /opt/php5/bin/php
Segmentation fault
Reproduce code:
---------------
$foo="50";
$foo[0]->bar="xyz";
Expected result:
----------------
An error message of some sort.
Actual result:
--------------
>From apache logs:
[Tue Jun 26 18:03:23 2007] [notice] child pid 16155 exit signal
Segmentation fault (11)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=41813&edit=1
