Bug #38265 pear && serialize segfaults PHP
Submitted: 2006-07-31 07:18 UTC Modified: 2006-08-23 13:01 UTC
From: judas dot iscariote at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2006-07-31 (CVS) OS: linux 64 bit
Private report: No CVE-ID: None
 [2006-07-31 07:18 UTC] judas dot iscariote at gmail dot com
Description:
------------
I'm testing PHP 5.2, current CVS.
It segfaults using the pear tool.

Reproduce code:
---------------
Sorry, but there is no short reproduce code :( , but it is easily reproducible like this:

pear install --alldeps phpdocumentor-beta

Expected result:
----------------
installing phpdocumentor beta as always

Actual result:
--------------
Starting program: /local/local/bodegon/php-debug/sapi/cli/php -C -q -d include_path=/usr/share/pear -d output_buffering=1 -d open_basedir= -d safe_mode=0 /usr/share/pear/pearcmd.php install --alldeps -f phpdocumentor-beta
downloading PhpDocumentor-1.3.0RC6.tar ...
Starting to download PhpDocumentor-1.3.0RC6.tar (-1 bytes)
.............................................................................................................................................................................................................................................................................................................................................................................................................

.....done: 9,735,168 bytes

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x889210, size=786261,
    __zend_filename=0x6ecd08 "/local/local/bodegon/php-debug/ext/standard/var.c", __zend_lineno=541,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/Zend/zend_alloc.c:465
465             next->prev_free_block = mm_block;
(gdb)
(gdb)
(gdb) bt full
#0  _zend_mm_alloc_int (heap=0x889210, size=786261,
    __zend_filename=0x6ecd08 "/local/local/bodegon/php-debug/ext/standard/var.c", __zend_lineno=541,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/Zend/zend_alloc.c:465
        index = 18446744073709551610
        segment_size = 96
        segment = <value optimized out>
        next_block = (zend_mm_block *) 0x2b091d31afc0
        true_size = 786336
        best_size = <value optimized out>
        p = <value optimized out>
        end = (zend_mm_free_block *) 0x889258
        best_fit = (zend_mm_free_block *) 0x2b091d25b020
        offset = {4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0}
#1  0x00000000005bec96 in _zend_mm_realloc_int (heap=0x889210, p=0x2b091d19a060, size=786261,
    __zend_filename=0x6ecd08 "/local/local/bodegon/php-debug/ext/standard/var.c", __zend_lineno=541,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/Zend/zend_alloc.c:1543
        index = <value optimized out>
        remaining_size = <value optimized out>
        mm_block = (zend_mm_block *) 0x2b091d19a020
        next_block = (zend_mm_block *) 0x2b091d259f10
        true_size = 786336
        ptr = <value optimized out>
#2  0x000000000056b678 in php_var_serialize_intern (buf=0x7fff90c10760, struc=<value optimized out>,
    var_hash=<value optimized out>) at /local/local/bodegon/php-debug/ext/standard/var.c:541
        __nl = <value optimized out>
        i = <value optimized out>
        var_already = <value optimized out>
        myht = <value optimized out>
#3  0x000000000056ab12 in php_var_serialize_intern (buf=0x7fff90c10760, struc=0x2b091c3bb120, var_hash=0x7fff90c10710)
    at /local/local/bodegon/php-debug/ext/standard/var.c:827
        __nl = 786068
        i = <value optimized out>
        var_already = <value optimized out>
        myht = (HashTable *) 0x2b091c578198
#4  0x000000000056ab12 in php_var_serialize_intern (buf=0x7fff90c10760, struc=0x2b091b909e10, var_hash=0x7fff90c10710)
    at /local/local/bodegon/php-debug/ext/standard/var.c:827
        __nl = 785956
        i = <value optimized out>
        var_already = <value optimized out>
        myht = (HashTable *) 0x2b091b2067d8
#5  0x000000000056ab12 in php_var_serialize_intern (buf=0x7fff90c10760, struc=0x2b091b33faa0, var_hash=0x7fff90c10710)
    at /local/local/bodegon/php-debug/ext/standard/var.c:827
        __nl = 326227
        i = <value optimized out>
        var_already = <value optimized out>
        myht = (HashTable *) 0x2b091be36cd8
#6  0x000000000056c6e9 in php_var_serialize (buf=0x0, struc=0xc1000, var_hash=0x2b091d31afc0)
    at /local/local/bodegon/php-debug/ext/standard/var.c:845
No locals.
#7  0x000000000056c7ad in zif_serialize (ht=<value optimized out>, return_value=0x2b091b274d98,
    return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /local/local/bodegon/php-debug/ext/standard/var.c:868
        struc = (zval **) 0x2b091b33faa0
        var_hash = {nTableSize = 16384, nTableMask = 16383, nNumOfElements = 13861, nNextFreeElement = 4327,
  pInternalPointer = 0x2b091bc64968, pListHead = 0x2b091bc64968, pListTail = 0x2b091b76c398, arBuckets = 0x2b091c966b40,
  pDestructor = 0, persistent = 0 '\0', nApplyCount = 0 '\0', bApplyProtection = 1 '\001', inconsistent = 0}
        buf = {
  c = 0x2b091d19a060 "a:23:{s:7:\"attribs\";a:6:{s:15:\"packagerversion\";s:5:\"1.4.9\";s:7:\"version\";s:3:\"2.0\";s:5:\"xmlns\";s:35:\"http://pear.php.net/dtd/package-2.0\";s:11:\"xmlns:tasks\";s:33:\"http://pear.php.net/dtd/tasks-1.0\";s"...,
  len = 786076, a = 786260}
#8  0x0000000000605f9a in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c10fc0)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:200
        i = 1
        p = <value optimized out>
        arg_count = 0
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b091ac162e0
        original_return_value = <value optimized out>
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = -1
        should_change_scope = 0 '\0'
#9  0x00000000005f86df in execute (op_array=0x2b091ac12b08) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ac162e0, function_state = {function_symbol_table = 0x2b091adc8380,
    function = 0x8b6af0, reserved = {0x889210, 0x1, 0x7fff90c114f0, 0x2b091ac34dd8}}, fbc = 0x0, op_array = 0x2b091ac12b08,
  object = 0x0, Ts = 0x7fff90c108d0, CVs = 0x7fff90c10880, original_in_execution = 1 '\001', symbol_table = 0x2b091adadc78,
  prev_execute_data = 0x7fff90c114f0, old_error_reporting = 0x0}
#10 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c114f0)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091ac350a8
        original_return_value = (zval **) 0x7fff90c15d38
        current_scope = (zend_class_entry *) 0x2b091ab0b828
        current_this = (zval *) 0x2b091c347488
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#11 0x00000000005f86df in execute (op_array=0x2b091ac362c0) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ac350a8, function_state = {function_symbol_table = 0x2b091adadc78,
    function = 0x2b091ac12b08, reserved = {0x12700000040, 0x712168, 0x2b091c588e98, 0x7fff90c188e0}}, fbc = 0x2b091ac12b08,
  op_array = 0x2b091ac362c0, object = 0x2b091c347488, Ts = 0x7fff90c11170, CVs = 0x7fff90c11140,
  original_in_execution = 1 '\001', symbol_table = 0x2b091ad13f68, prev_execute_data = 0x7fff90c16420,
  old_error_reporting = 0x0}
#12 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c16420)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091aee1878
        original_return_value = (zval **) 0x7fff90c188e0
        current_scope = (zend_class_entry *) 0x2b091ae4c640
        current_this = (zval *) 0x2b091ae475b0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#13 0x00000000005f86df in execute (op_array=0x2b091ae747a8) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091aee1878, function_state = {function_symbol_table = 0x2b091ad13f68,
    function = 0x2b091ac362c0, reserved = {0x889210, 0x1, 0x7fff90c1ad00, 0x2b091ae04168}}, fbc = 0x2b091ac362c0,
  op_array = 0x2b091ae747a8, object = 0x2b091c347488, Ts = 0x7fff90c117d0, CVs = 0x7fff90c11670,
  original_in_execution = 1 '\001', symbol_table = 0x2b091ad14208, prev_execute_data = 0x7fff90c1ad00,
  old_error_reporting = 0x0}
#14 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c1ad00)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091ae043c0
        original_return_value = (zval **) 0x7fff90c1b3a0
        current_scope = (zend_class_entry *) 0x2b091add1718
        current_this = (zval *) 0x2b091addd7e0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#15 0x00000000005f86df in execute (op_array=0x2b091adf3fa8) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ae043c0, function_state = {function_symbol_table = 0x2b091ad14208,
    function = 0x2b091ae747a8, reserved = {0x9f, 0x7, 0x2b091ae31bb8, 0x8}}, fbc = 0x2b091ae747a8,
  op_array = 0x2b091adf3fa8, object = 0x2b091ae475b0, Ts = 0x7fff90c166f0, CVs = 0x7fff90c165a0,
  original_in_execution = 1 '\001', symbol_table = 0x2b091acc6238, prev_execute_data = 0x7fff90c1b3d0,
  old_error_reporting = 0x0}
#16 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c1b3d0)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091ae31dc8
        original_return_value = (zval **) 0x7fff90c1f0f0
        current_scope = (zend_class_entry *) 0x2b091adcee30
        current_this = (zval *) 0x2b091addd7e0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#17 0x00000000005f86df in execute (op_array=0x2b091ade6e38) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ae31dc8, function_state = {function_symbol_table = 0x2b091acc6238,
    function = 0x2b091adf3fa8, reserved = {0x70e8d8, 0x10170e8d8, 0x2b091addf4a0, 0x90c1b4c0}}, fbc = 0x2b091adf3fa8,
  op_array = 0x2b091ade6e38, object = 0x2b091addd7e0, Ts = 0x7fff90c1aec0, CVs = 0x7fff90c1ae80,
  original_in_execution = 1 '\001', symbol_table = 0x2b091ad1c8c8, prev_execute_data = 0x7fff90c1f330,
  old_error_reporting = 0x0}
#18 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c1f330)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b0919f5a770
        original_return_value = (zval **) 0x7fff90c1f4b0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#19 0x00000000005f86df in execute (op_array=0x2b0919eef8f8) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b0919f5a770, function_state = {function_symbol_table = 0x2b091ad1c8c8,
    function = 0x2b091ade6e38, reserved = {0x5be660, 0x2b0900000000, 0x0, 0x2b0919eefa28}}, fbc = 0x2b091ade6e38,
  op_array = 0x2b0919eef8f8, object = 0x2b091addd7e0, Ts = 0x7fff90c1b6a0, CVs = 0x7fff90c1b550,
  original_in_execution = 0 '\0', symbol_table = 0x888b48, prev_execute_data = 0x0, old_error_reporting = 0x0}
#20 0x00000000005d67a8 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/local/bodegon/php-debug/Zend/zend.c:1095
        files = {{gp_offset = 40, fp_offset = 32767, overflow_arg_area = 0x7fff90c1f5b0, reg_save_area = 0x7fff90c1f4c0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff90c21a40
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#21 0x0000000000593435 in php_execute_script (primary_file=0x7fff90c21a40)
    at /local/local/bodegon/php-debug/main/main.c:1759
        realfile = "/usr/share/pear/pearcmd.php\000\000\000\000\000\006\000\000\000\000\000\000p&#65533;\000\000\000\000\000linkinfo\000p\000\000\000\000\000&#65533;\213\032\t+\000\0004{\032\t+\000\000readlink\220i\205", '\0' <repeats 13 times>, "p\034&#65533;220\177", '\0' <repeats 26 times>, "&#65533;020&#65533;031\t+\000\000\001\000\000\000rlde\000\000\000\000\000\000\000\000\006\000\000\000\000\000\000p&#65533;\000\000\000\000\000&#65533;\213\032\t+", '\0' <repeats 18 times>, "Be&#65533;031\t+\000\000P&#65533;", '\0' <repeats 13 times>, "c&#65533;\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff90c1f5d0 ""
        retval = 0
#22 0x000000000065dfbd in main (argc=16, argv=0x7fff90c21c78) at /local/local/bodegon/php-debug/sapi/cli/php_cli.c:1097
        bailout = {{__jmpbuf = {1, -69030786763965496, 0, 140735622028400, 0, 0, -69032687551370152, -69030786766214177},
    __mask_was_saved = 0, __saved_mask = {__val = {4426960, 0, 47318089355888, 47318089356752, 140735622027456,
        47318090518560, 434712305, 47318089357400, 456, 47317654700032, 4426960, 0, 47318089415902, 47318102347120,
        47318100110072, 0}}}}
        exit_status = <value optimized out>
        c = <value optimized out>
        file_handle = {type = 2 '\002', filename = 0x7fff90c23475 "/usr/share/pear/pearcmd.php",
  opened_path = 0x2b0919eef890 "/usr/share/pear/PEAR.php", handle = {fd = 10194480, fp = 0x9b8e30, stream = {
      handle = 0x9b8e30, reader = 0x5eb660 <zend_stream_stdio_reader>, closer = 0x5eb640 <zend_stream_stdio_closer>,
      fteller = 0x5eb630 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff90c23475 "/usr/share/pear/pearcmd.php"
        arg_excp = <value optimized out>
        script_file = 0x7fff90c23475 "/usr/share/pear/pearcmd.php"
        interactive = 0
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = <value optimized out>
        hide_argv = 0
 [2006-07-31 07:38 UTC] judas dot iscariote at gmail dot com
print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x6e03a9 "serialize"

Reclassified as reproducible crash, changed the report title since it looks like serialize is the guilty one.
 [2006-08-23 13:01 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_2.