ID: 46893 Updated by: fel...@php.net Reported By: steffen dot weber at gmail dot com Status: Assigned Bug Type: Reproducible crash Operating System: * PHP Version: 5CVS, 6CVS (2008-12-18) Assigned To: lbarnaud New Comment:
*Arnaud I suppose http://cvs.php.net/viewvc.cgi/php-src/ext/standard/array.c?r1=1.308.2.21.2.58&r2=1.308.2.21.2.59 (Fixed bugs #44181 & #44182 (extract() and references)) Previous Comments: ------------------------------------------------------------------------ [2008-12-26 11:54:18] fel...@php.net Hi Arnald, that patch broken this. ------------------------------------------------------------------------ [2008-12-23 10:00:02] matthieu at brunet-prod dot com Same error here (5.2.8), but only if the array name is longer than 4 cars. So the supplied code works for me, but : $foooo = array('foooo' => 1, 'bar' => 2, 'test' => 3); will crash. And it will crash only if there is one or more element after the element with the same name of the array. So $foooo = array('foooo' => 1, 'bar' => 2); will crash, but $foooo = array('bar' => 1, 'foooo' => 2); will work. hth ------------------------------------------------------------------------ [2008-12-18 13:44:14] crrodriguez at opensuse dot org Related to/Duplicated of Bug #46873 ? ------------------------------------------------------------------------ [2008-12-18 12:25:40] j...@php.net It fails "silently" because it crashes. :) #0 0x083437ad in _zend_is_inconsistent (ht=0x1, file=0x85ffca4 "/home/jani/src/php-5.2/Zend/zend_hash.c", line=1083) at /home/jani/src/php-5.2/Zend/zend_hash.c:53 #1 0x083465be in zend_hash_move_forward_ex (ht=0x1, pos=0xbfffcd98) at /home/jani/src/php-5.2/Zend/zend_hash.c:1083 #2 0x082435a0 in zif_extract (ht=1, return_value=0x86e16f8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/jani/src/php-5.2/ext/standard/array.c:1491 #3 0x0835e8bf in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffcfa8) at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:200 #4 0x083641f9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffcfa8) at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:1729 #5 0x0835e43c in execute (op_array=0x86e1088) at /home/jani/src/php-5.2/Zend/zend_vm_execute.h:92 #6 0x083397aa in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.2/Zend/zend.c:1134 #7 0x082e831a in php_execute_script (primary_file=0xbffff324) at /home/jani/src/php-5.2/main/main.c:2023 #8 0x083b4bc9 in main (argc=2, argv=0xbffff464) at /home/jani/src/php-5.2/sapi/cli/php_cli.c:1133 ------------------------------------------------------------------------ [2008-12-17 23:06:57] steffen dot weber at gmail dot com Description: ------------ Execute the following script and observe that $bar is set to a random integer (*). Furthermore $test is not set at all. This problem did not occur with PHP 5.2.6. (*) Could this have security implications? Reproduce code: --------------- <?php $foo = array('foo' => 1, 'bar' => 2, 'test' => 3); extract($foo); var_dump($foo, $bar, $test); ?> Expected result: ---------------- int(1) int(2) int(3) Actual result: -------------- Notice: Undefined variable: test in extract-bug.php on line 4 int(1) int(RANDOM_NUMBER) NULL ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=46893&edit=1
