PHP :: Bug #33958 :: Crash with processing HTTP_COOKIE with 'doubled' variables

Bug #33958	Crash with processing HTTP_COOKIE with 'doubled' variables
Submitted:	2005-08-02 03:58 UTC	Modified:	2005-08-02 19:05 UTC
From:	andrey at cherezov dot koenig dot su	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5CVS-2005-08-02	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2005-08-02 03:58 UTC] andrey at cherezov dot koenig dot su

Description:
------------
Just downloaded and installed 5.1 snap (2 Aug) and replaced PHP5.1b3 in my server (ISAPI mode). Now I see in log, some users got "error 500" while accessing /forum/ and /forum/viewtopic.php (PhpBB current version). Turn on trace and get error pages:

Mon, 01 Aug 2005 20:48:52 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A


Mon, 01 Aug 2005 20:48:54 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A

After server restart - address changed:

PHP has encountered an Access Violation at 0109813A

Reproduce code:
---------------
I can't reproduce it myself (same pages loaded ok), but there are lot of such dumps in my log. I can install and try any test version there.

Expected result:
----------------
Page load.

Actual result:
--------------
PHP has encountered an Access Violation at 0109813A

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-08-02 08:33 UTC] andrey at cherezov dot koenig dot su

The way to reproduce:

GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close

Posted this request (via telnet) to my local web-server and got the same error! (the script php.php5 just "echo 'test'"). PHP has encountered an Access Violation at 00F2813A

If I delete second variable copy, i.e.:
GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close
- the script works ok.

[2005-08-02 08:46 UTC] andrey at cherezov dot koenig dot su

In the PHP 4.3.11 under the same server with the same test request = 200 OK.
So this bug is PHP5.1 specific.

[2005-08-02 18:50 UTC] sniper@php.net

Verified with latest CVS and Apache2..

[2005-08-02 18:56 UTC] sniper@php.net

[Switching to Thread 46912528940992 (LWP 2360)]
0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
736             memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) 
(gdb) bt
#0  0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
#1  0x00002aaab000ae9d in _mem_block_check (ptr=0x555555b3a081, silent=1, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:728
#2  0x00002aaab0009c39 in _efree (ptr=0x555555b3a081, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:287
#3  0x00002aaaaffe030e in php_register_variable_ex (var=0x555555b3a081 "phpbb2mysql_data", val=0x7fffff839990, 
    track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:201
#4  0x00002aaaaffdfd3c in php_register_variable_safe (var=0x555555b3a080 " phpbb2mysql_data", 
    strval=0x5555557b5500 "a:0:{}", str_len=6, track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:57
#5  0x00002aaaaffe0c8c in php_default_treat_data (arg=2, str=0x0, destArray=0x0)
    at /usr/src/php/php5/main/php_variables.c:345
#6  0x00002aaaaffe1b53 in php_hash_environment () at /usr/src/php/php5/main/php_variables.c:646
#7  0x00002aaaaffcf73b in php_request_startup () at /usr/src/php/php5/main/main.c:1064
#8  0x00002aaab00b850a in php_apache_request_ctor (r=0x555555b23020, ctx=0x555555b27a28)
    at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:438
#9  0x00002aaab00b8c87 in php_handler (r=0x555555b23020) at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:534

[2005-08-02 19:05 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 16:01:29 2025 UTC