Bug #50394 [Com]: Reference argument converted to value in __call

[dessander at gmail dot com]

Edit report at https://bugs.php.net/bug.php?id=50394&edit=1

 ID: 50394
 Comment by: dessander at gmail dot com
 Reported by:tstarling at wikimedia dot org
 Summary:Reference argument converted to value in __call
 Status: Closed
 Type:   Bug
 Package:Scripting Engine problem
 Operating System:   Linux
 PHP Version:5.3.1
 Assigned To:pajoye
 Block user comment: N
 Private report: N

 New Comment:

Still active bug.

My PHP Version:
PHP 5.4.14 (cli) (built: Apr 11 2013 19:13:00)

Code to reproduce:
notExistsFunction('test', $reference_var)
;

var_dump($reference_var);

Output:
PHP Warning:  Parameter 2 to TestForCall::myFunc() expected to be a reference, 
value given in /www/godudu.local/test.php on line 22

Warning: Parameter 2 to TestForCall::myFunc() expected to be a reference, value 
given in /www/godudu.local/test.php on line 22
NULL


Previous Comments:

[2010-10-22 07:58:58] john dot GTD at yahoo dot com

What are the exact steps to reproduce the problem?

I'm running MediaWiki on UniformServer with PHP 5.3.3 and didn't have any 
problems 
yet.


[2010-10-11 04:18:58] master33rd at yahoo dot com

I find it disturbing that the bug has been declared fixed, when it hasn't.

Starting Mediawiki with Xampp (even with the new beta of XAMPP)...the same 
error occurs.  "PHP 5.3.1 is not compatible with MediaWiki due to a bug 
involving reference parameters to __call. Upgrade to PHP 5.3.2 or higher, or 
downgrade to PHP 5.3.0 to fix this. ABORTING (see 
http://bugs.php.net/bug.php?id=50394 for details)"  Upgrading to PhP 5.3.3 
doesn't fix the problem.  

Let's stop passing the buck and fix this.


[2010-09-21 11:49:39] hugoniks at hotmail dot com

wtff


[2010-09-20 05:14:07] tstarling at wikimedia dot org

heis: yes, the behaviour changed in 5.3.0. I'm not saying it was a good idea, 
I'm just saying you should complain on some other bug report, preferably one 
that I'm not CC'ed on. 

The correct way to pass reference arguments to functions via 
call_user_func_array() hasn't changed, we've been doing it this way since PHP 
4. It's just that the impact of doing it the wrong way has changed. Previously, 
the argument was silently converted to a value. Now, a warning is shown and the 
function isn't called.


[2010-09-19 10:54:53] heis dot turtlemad at gmail dot com

Please note that the "user code" we are talking about was running as expected  
until php5.3 was released; and that downgrading to 5.2 solves the issue.

that means,  that the way to pass arrays as references in function args has 
changed since the 5.3 release ?




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=50394


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=50394&edit=1

Bug #62523 [Com]: php crashes with segfault when exif_read_data called

[dessander at gmail dot com]

Edit report at https://bugs.php.net/bug.php?id=62523&edit=1

 ID: 62523
 Comment by: dessander at gmail dot com
 Reported by:bigbug at mafia dot lv
 Summary:php crashes with segfault when exif_read_data called
 Status: Assigned
 Type:   Bug
 Package:Reproducible crash
 Operating System:   linux
 PHP Version:5.3Git-2012-07-10 (snap)
 Assigned To:rasmus
 Block user comment: N
 Private report: N

 New Comment:

Same situation with file:
http://dl.dropbox.com/u/7562584/Bugs/Php/bad_exif.jpeg


Previous Comments:

[2012-10-30 13:26:09] alex at bartl dot net

seeing the same issue on php-5.4.7-10.fc17.x86_64 (Fedora 17)


[2012-09-14 17:25:50] info at getid3 dot org

I am also seeing the same problem on Windows (7-64-pro) running
php-5.4.7-nts-Win32-VC9-x86 (and previously same thing on v5.4.4)

I have only encountered one of my own files that causes the crash:
http://getid3.org/temp/62523.jpg


[2012-07-11 03:35:59] larue...@php.net

Rasmus, could you please look at this one? I have no enough knowledge of the 
exif 
things :)


[2012-07-11 03:33:59] larue...@php.net

I can reproduce this only in  5.3, seems 5.3 and 5.4 have the same exif code, 
but can not reproduce this in 5.4.

#0  0x2b6649bdd8fe in php_ifd_get16u (value=0xcc675e60, 
motorola_intel=0)
at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1095
1095return (((uchar *)value)[1] << 8) | ((uchar *)value)[0];
(gdb) bt
#0  0x2b6649bdd8fe in php_ifd_get16u (value=0xcc675e60, 
motorola_intel=0)
at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1095
#1  0x2b6649bdeba8 in exif_iif_add_value (image_info=0x7fff7b6ec450, 
section_index=13, name=0x7fff7b6ebbb0 "CustomFunctions", tag=15, 
format=3, length=12, value=0xcc675e60, motorola_intel=0) at 
/home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1762
#2  0x2b6649bded63 in exif_iif_add_tag (image_info=0x7fff7b6ec450, 
section_index=13, name=0x7fff7b6ebbb0 "CustomFunctions", tag=15, 
format=3, length=12, value=0xcc675e60) at 
/home/huixinchen/opensource/php-5.3/ext/exif/exif.c:1812
#3  0x2b6649be23e3 in exif_process_IFD_TAG (ImageInfo=0x7fff7b6ec450, 
dir_entry=0x1eb512d8 "\017", 
offset_base=0xcc67493c , 
IFDlength=13482, displacement=30, section_index=13, 
ReadNextIFD=0, tag_table=0x2b6649de9b00) at /home/huixinchen/opensource/php-
5.3/ext/exif/exif.c:3135
#4  0x2b6649be123b in exif_process_IFD_in_MAKERNOTE 
(ImageInfo=0x7fff7b6ec450, value_ptr=0x1eb512ca "\027", value_len=3476, 
offset_base=0xcc67493c , 
IFDlength=13482, displacement=30)
at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:2813
#5  0x2b6649be221f in exif_process_IFD_TAG (ImageInfo=0x7fff7b6ec450, 
dir_entry=0x1eb5085c "|\222\a", offset_base=0x1eb4fec0 "II*", 
IFDlength=13482, displacement=30, section_index=7, ReadNextIFD=1, 
tag_table=0x2b6649de88e0)
at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3089
#6  0x2b6649be256f in exif_process_IFD_in_JPEG (ImageInfo=0x7fff7b6ec450, 
dir_start=0x1eb507b2 "\037", offset_base=0x1eb4fec0 "II*", 
IFDlength=13482, displacement=30, section_index=7) at 
/home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3163
#7  0x2b6649be2385 in exif_process_IFD_TAG (ImageInfo=0x7fff7b6ec450, 
dir_entry=0x1eb4ff36 "i\207\004", offset_base=0x1eb4fec0 "II*", 
IFDlength=13482, displacement=30, section_index=3, ReadNextIFD=1, 
tag_table=0x2b6649de88e0)
at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3126
#8  0x2b6649be256f in exif_process_IFD_in_JPEG (ImageInfo=0x7fff7b6ec450, 
dir_start=0x1eb4fec8 "\v", offset_base=0x1eb4fec0 "II*", 
IFDlength=13482, displacement=30, section_index=3) at 
/home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3163
#9  0x2b6649be285a in exif_process_TIFF_in_JPEG (ImageInfo=0x7fff7b6ec450, 
CharBuf=0x1eb4fec0 "II*", length=13482, displacement=30)
at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3240
#10 0x2b6649be298c in exif_process_APP1 (ImageInfo=0x7fff7b6ec450, 
CharBuf=0x1eb4feb8 "4²Exif", length=13490, displacement=22)
at /home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3265
#11 0x2b6649be2f1d in exif_scan_JPEG_header (ImageInfo=0x7fff7b6ec450) at 
/home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3410
#12 0x2b6649be3ffd in exif_scan_FILE_header (ImageInfo=0x7fff7b6ec450) at 
/home/huixinchen/opensource/php-5.3/ext/exif/exif.c:3792