PHP :: Bug #24639 :: segmentation fault with old code

Bug #24639	segmentation fault with old code
Submitted:	2003-07-13 19:14 UTC	Modified:	2003-07-14 17:55 UTC
From:	nospam at rshell dot org	Assigned:
Status:	Not a bug	Package:	Apache related
PHP Version:	4.3.3RC2-dev	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2003-07-13 19:14 UTC] nospam at rshell dot org

Description:
------------
when someone access an old forum page (modify old phpbb version), we get segmentation fault in apache error log and the user get a blank page. The funny thing is that when I try with --enable-debug the forum loads.

php compiled with:
--with-apxs=/usr/local/apache/bin/apxs --with-xml --enable-ftp --with-gd --with-jpeg-dir=/usr/local --with-png-dir=/usr --with-xpm-dir=/usr/X11R6 --with-mcrypt --with-mysql=/usr/local/mysql --with-ttf --with-freetype-dir=/usr --enable-gd-native-ttf --with-gettext --with-mhash --with-imap --with-kerberos
--enable-inline-optimization --with-zlib-dir --with-openssl --with-pear --enable-sockets --enable-track-vars --enable-magic-quotes --with-curl


here is the backtrace (no debug info, see above)

Program received signal SIGSEGV, Segmentation fault.
0x2c84ef76 in chunk_free () from /lib/i686/libc.so.6
(gdb) bt
#0  0x2c84ef76 in chunk_free () from /lib/i686/libc.so.6
#1  0x2c84ed24 in free () from /lib/i686/libc.so.6
#2  0x2cbd22dc in _efree (ptr=0x88a1814)
    at /home/rcs/php-4.3.2/Zend/zend_alloc.c:265
#3  0x2cbe99c2 in zend_restore_ini_entry_cb (ini_entry=0x831f7d8, stage=8)
    at /home/rcs/php-4.3.2/Zend/zend_ini.c:53
#4  0x2cbe55bb in zend_hash_apply_with_argument (ht=0x82bd798,
    apply_func=0x2cbe997c <zend_restore_ini_entry_cb>, argument=0x8)
    at /home/rcs/php-4.3.2/Zend/zend_hash.c:707
#5  0x2cbe9aa0 in zend_ini_deactivate ()
    at /home/rcs/php-4.3.2/Zend/zend_ini.c:87
#6  0x2cbe0bb0 in zend_deactivate () at /home/rcs/php-4.3.2/Zend/zend.c:656
#7  0x2cbb8bff in php_request_shutdown (dummy=0x0)
    at /home/rcs/php-4.3.2/main/main.c:985
#8  0x2cbfabb5 in apache_php_module_main (r=0x82258cc, display_source_mode=0)
#9  0x2cbfb732 in send_php (r=0x82258cc, display_source_mode=0, filename=0x0)
    at /home/rcs/php-4.3.2/sapi/apache/mod_php4.c:617
#10 0x2cbfb786 in send_parsed_php (r=0x82258cc)
    at /home/rcs/php-4.3.2/sapi/apache/mod_php4.c:632
#11 0x080546d3 in ap_invoke_handler ()
#12 0x08069b57 in process_request_internal ()
#13 0x08069f8f in ap_internal_redirect ()
#14 0x2c954dea in handle_dir () from /usr/local/apache/libexec/mod_dir.so
#15 0x080546d3 in ap_invoke_handler ()
#16 0x08069b57 in process_request_internal ()
#17 0x08069bb8 in ap_process_request ()

strace output:

read(9, "<?php\nfunction draw_menubox_head"..., 4096) = 702
_llseek(9, 702, [702], SEEK_SET)        = 0
ioctl(9, SNDCTL_TMR_TIMEBASE, 0x5e399740) = -1 ENOTTY (Inappropriate ioctl for device)
read(9, "", 4096)                       = 0
read(9, "", 8192)                       = 0
ioctl(9, SNDCTL_TMR_TIMEBASE, 0x5e398700) = -1 ENOTTY (Inappropriate ioctl for device)
close(9)                                = 0
munmap(0x21731000, 4096)                = 0
time(NULL)                              = 1058141468
write(22, "[Mon Jul 14 03:11:08 2003] [erro"..., 270) = 270
chdir("/")                              = 0
munmap(0x217f8000, 81920)               = 0
munmap(0x217ae000, 303104)              = 0
close(8)                                = 0
munmap(0x2173d000, 8192)                = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
read(6, 0x86c4c80, 8192)                = -1 EAGAIN (Resource temporarily unavailable)
fcntl64(6, F_SETFL, O_RDWR)             = 0
write(6, "\1\0\0\0\1", 5)               = 5
shutdown(6, 2 /* send and receive */)   = 0
close(6)                                = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
--- SIGSEGV (Segmentation fault) ---

Cheers
-J

Reproduce code:
---------------
<?php
function draw_menubox_header($titel){
$string = '<table>...' . $titel .
                       '...' .
                  '</table>' ;
return($string);
}
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-07-13 21:52 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

And if you can reproduce this with latest CVS, provide
us a short but _complete_ example script. Some part of some
huge app is useless to us.

[2003-07-14 04:52 UTC] nospam at rshell dot org

This happen with the snap also.

tracing it down in the code, it curshs when it gets to
this line: <?php include('http://www.domain.com/banner.php')

access directly to http://www.domain.com/banner.php cuase no trouble.

[2003-07-14 05:33 UTC] nospam at rshell dot org

here's another backtrace:
#0  0x2da7535a in chunk_alloc () from /lib/i686/libc.so.6
#1  0x2da75158 in malloc () from /lib/i686/libc.so.6
#2  0x2ddfd8bf in _emalloc (size=12)
    at /home/rcs/php4-STABLE-200307140730/Zend/zend_alloc.c:158
#3  0x2ddecc73 in php_default_treat_data (arg=2, str=0x0, destArray=0x0)
    at /home/rcs/php4-STABLE-200307140730/main/php_variables.c:227
#4  0x2dde4e23 in php_hash_environment ()
    at /home/rcs/php4-STABLE-200307140730/main/main.c:1417
#5  0x2dde408c in php_request_startup ()
    at /home/rcs/php4-STABLE-200307140730/main/main.c:935
#6  0x2de26274 in apache_php_module_main (r=0x817a1bc, display_source_mode=0)
    at /home/rcs/php4-STABLE-200307140730/sapi/apache/sapi_apache.c:33
#7  0x2de26ed6 in send_php (r=0x817a1bc, display_source_mode=0, filename=0x0)
    at /home/rcs/php4-STABLE-200307140730/sapi/apache/mod_php4.c:620
#8  0x2de26f2a in send_parsed_php (r=0x817a1bc)
    at /home/rcs/php4-STABLE-200307140730/sapi/apache/mod_php4.c:635
#9  0x080546d3 in ap_invoke_handler ()
#10 0x08069b57 in process_request_internal ()
#11 0x08069f8f in ap_internal_redirect ()
#12 0x2db67dea in handle_dir () from /usr/local/apache/libexec/mod_dir.so
#13 0x080546d3 in ap_invoke_handler ()
#14 0x08069b57 in process_request_internal ()
#15 0x08069bb8 in ap_process_request ()
#16 0x08060929 in child_main ()
#17 0x08060bbb in make_child ()
#18 0x08060c6c in startup_children ()
#19 0x080612e4 in standalone_main ()
#20 0x08061b63 in main ()
#21 0x2da12589 in __libc_start_main () from /lib/i686/libc.so.6

[2003-07-14 05:42 UTC] nospam at rshell dot org

here's another. Please let me know if you need more info

#0  0x2da7535a in chunk_alloc () from /lib/i686/libc.so.6
#1  0x2da75158 in malloc () from /lib/i686/libc.so.6
#2  0x2de27175 in php_apache_value_handler_ex (cmd=0x58b200d0, conf=0x858a228,
    arg1=0x817a3ec "error_reporting", arg2=0x817a404 "7", mode=2)
    at /home/rcs/php4-STABLE-200307140730/sapi/apache/mod_php4.c:754
#3  0x2de271f9 in php_apache_value_handler (cmd=0x58b200d0, conf=0x858a228,
    arg1=0x817a3ec "error_reporting", arg2=0x817a404 "7")
    at /home/rcs/php4-STABLE-200307140730/sapi/apache/mod_php4.c:771
#4  0x08054f00 in invoke_cmd ()
#5  0x080558c6 in ap_handle_command ()
#6  0x08055959 in ap_srm_command_loop ()
#7  0x08056307 in ap_parse_htaccess ()
#8  0x08068415 in directory_walk ()
#9  0x08069730 in process_request_internal ()
#10 0x08069bb8 in ap_process_request ()
#11 0x08060929 in child_main ()
#12 0x08060bbb in make_child ()
#13 0x08060f38 in perform_idle_server_maintenance ()
#14 0x0806150d in standalone_main ()
#15 0x08061b63 in main ()
#16 0x2da12589 in __libc_start_main () from /lib/i686/libc.so.6

[2003-07-14 10:33 UTC] sniper@php.net

How exactly is your virtualhost setup?
Where is that script located which has that include() ?
What is in that .htaccess file involved?

[2003-07-14 11:33 UTC] nospam at rshell dot org

this is the virttualhost:
<VirtualHost xx.xxx.xx.xx:80>
ServerAdmin webmaster@domain.com
ServerName domain.com
ServerAlias www.domain.com
User domain
Group domain
DocumentRoot /var/www/html/domain
php_admin_value safe_mode 1
php_admin_value open_basedir /var/www/html/domain/
php_admin_value upload_tmp_dir /var/www/html/domain/tmp
php_admin_value file_uploads 1
php_admin_value safe_mode_exec_dir /dev/null
php_admin_value safe_mode_include_dir /var/www/html/domain/public_html/
</VirtualHost>

The site in question is www.pctip.co.il.
when you login, note the header. That's the file in question, and on the right side there's a banner. Thats the include() line. now click the forum, you will see the same header but with no banner (you'll see the works "banner" on the right). I've edited that to stop the seg faults. The include line was there, when you access that header file from the forum dir, and only from the forum dir, you get segmentaion fault.

As for .htaccess, there's no .htaccess anywhere in the path
of the forum dir, or the includes dir, and up to /.

[2003-07-14 12:32 UTC] sniper@php.net

If you remove all those php_admin_value settings, does it still segfault?

[2003-07-14 12:43 UTC] nospam at rshell dot org

yes

[2003-07-14 12:55 UTC] sniper@php.net

Ok. Then provide us complete testcase scripts.

[2003-07-14 13:41 UTC] nospam at rshell dot org

what does that mean "complete testcase script"?

[2003-07-14 14:32 UTC] sniper@php.net

We need to have short example scripts which we can use ourselves to try and reproduce this segfault, otherwise we can't fix it.

[2003-07-14 15:07 UTC] nospam at rshell dot org

I can't write a script that will reproduce the error, best I can do is get you more backtraces, they are all caused by accessing the forum dir and getting the banner, but each is different.

[2003-07-14 17:55 UTC] sniper@php.net

We can't fix it then either.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 25 07:00:01 2025 UTC