Edit report at https://bugs.php.net/bug.php?id=52719&edit=1

 ID:                 52719
 Updated by:         ni...@php.net
 Reported by:        apouch at woozworld dot com
 Summary:            array_walk_recursive crashes if third param of the
                     function is by reference
-Status:             Re-Opened
+Status:             Closed
 Type:               Bug
 Package:            Arrays related
 Operating System:   Linux
 PHP Version:        5.3.3
-Assigned To:        
+Assigned To:        nikic
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------
[2012-03-02 18:05:32] ni...@php.net

Automatic comment from SVN on behalf of nikic
Revision: http://svn.php.net/viewvc/?view=revision&revision=323837
Log: Fix bug #52719: array_walk_recursive crashes if third param of the function is by reference

------------------------------------------------------------------------
[2012-01-27 13:10:26] ni...@php.net

I added a patch that fixes the issue. Now the function works on the
userdata as zval* instead of zval**. This fixes the issue because
zend_call_func changes the zval** for a by-ref var and thus
zval_ptr_dtor() is called on a different zval than Z_ADDREF_PP() was
called on.

------------------------------------------------------------------------
[2012-01-27 13:06:42] ni...@php.net

The following patch has been added/updated:

Patch Name: array_walk_recursive.patch
Revision:   1327669602
URL:        https://bugs.php.net/patch-display.php?bug=52719&patch=array_walk_recursive.patch&revision=1327669602

------------------------------------------------------------------------
[2011-12-23 11:42:08] nikita dot ppv at googlemail dot com

This issue was caused by
http://svn.php.net/viewvc?view=revision&revision=300371 which was
committed as a fix for https://bugs.php.net/bug.php?id=51552.

Basically for a recursive array walk the zval will be zval_ptr_dtor'd
prematurely and multiple times (every time it leaves one recursive
array_walk call). This leads to the memory corruption and in some cases
to a segfault.

I'm not exactly sure what purpose that change served, at least the
respective phpt test runs cleanly if I revert the changeset.

------------------------------------------------------------------------
[2011-12-21 16:16:47] ni...@php.net

Another test case: http://codepad.viper-7.com/Mw3DhS. You can observe
the memory corruption in the values that are output.

Also you can simply toggle the crash by removing the 'alpha' elements:
http://codepad.viper-7.com/luVZw5 will crash.

By the way, I could not reproduce the crash on a debug build (I get
only leaks there, too).

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=52719
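
Added example (not part of the bug report or the PHP source): a toy C model of the mismatch described in the 2012-01-27 comment, where the add-ref and the release both go through the same pointer slot but the by-reference call repoints that slot in between. The type `val`, all function names and the separation rule in `call_by_ref` are simplified assumptions, not Zend's implementation; `walk_step_fixed` shows the pairing principle, not the committed patch.

```c
#include <stdio.h>

/* Toy refcounted value: a hypothetical stand-in for a zval, not Zend code. */
typedef struct { int refcount; int is_ref; long data; } val;
typedef struct { int original_rc; int slot_rc; } result;

static val pool[64];  /* static storage, so a released value stays inspectable */
static int used;

static val *val_new(long data) {
    val *v = &pool[used++];
    v->refcount = 1; v->is_ref = 0; v->data = data;
    return v;
}

/* Model of zval_ptr_dtor(): refcount 0 means the value has been released. */
static void val_release(val *v) { v->refcount--; }

/* Assumed model of a by-reference call: a shared non-reference value is
 * separated, so the caller's slot is repointed at a fresh copy. */
static void call_by_ref(val **slot) {
    if (!(*slot)->is_ref && (*slot)->refcount > 1) {
        val *copy = val_new((*slot)->data);
        (*slot)->refcount--;   /* the slot gives up its reference to the old value */
        *slot = copy;          /* and now owns the copy */
    }
    (*slot)->is_ref = 1;
}

/* Pattern from the report: add-ref via the slot, release via the slot. */
static void walk_step_buggy(val **slot) {
    (*slot)->refcount++;       /* taken on the original value */
    call_by_ref(slot);         /* the slot may point elsewhere afterwards */
    val_release(*slot);        /* dropped on whatever the slot holds now */
}

/* Paired variant: release the same pointer the reference was taken on. */
static void walk_step_fixed(val **slot) {
    val *held = *slot;
    held->refcount++;
    call_by_ref(slot);
    val_release(held);
}

/* Runs one step on a fresh value and reports both refcounts afterwards. */
static result run(void (*step)(val **)) {
    val *original = val_new(42), *slot = original;
    step(&slot);
    return (result){ original->refcount, slot->refcount };
}
```

In this model the buggy step leaves the original value with a reference nobody will drop (the leak seen on debug builds) and the slot pointing at a value whose count already reached zero, so the next walk step would touch released memory.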