PHP :: Bug #74361 :: Compaction in array

Bug #74361	Compaction in array_rand() violates COW
Submitted:	2017-04-02 10:56 UTC	Modified:	-
From:	[email protected]	Assigned:
Status:	Closed	Package:	Arrays related
PHP Version:	7.1.4RC1	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2017-04-02 10:56 UTC] [email protected]

Description:
------------
From http://stackoverflow.com/questions/43162831/zend-mm-heap-corrupted-with-php-7-1.

If numUsed occupancy is <= 3/4 array_rand() compacts the array prior to sampling. This is done on a potentially shared array.

This may lead to SHM corruption, for example:

$array = [1 => 1, 2 => 2];
var_dump(array_rand($array));

Crashes on opcache.

It can also have other side effects:

<?php

$array = range(0, 100);
for ($i = 0; $i < 50; $i++) {
    unset($array[$i]);
}

foreach ($array as $x) {
    var_dump($x);
    if ($x == 55) {
        array_rand($array, 1);
    }
}

Here the array is resized during the loop, leaving a dangling pointer.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-04-02 11:20 UTC] [email protected]

Automatic comment on behalf of [email protected]
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c8034514edadbafc4376f107e2a4ba52b7b17ff4
Log: Fixed bug #74361

[2017-04-02 11:20 UTC] [email protected]

-Status: Open +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2026 The PHP Group All rights reserved.	Last updated: Tue Mar 17 11:00:01 2026 UTC