php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #14161 segfault after strange code
Submitted: 2001-11-21 10:08 UTC Modified: 2002-08-13 23:32 UTC
From: hegyvari at ardents dot hu Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4.0.6 OS: Redhat 6.2
Private report: No CVE-ID: None
View Developer Edit
 [2001-11-21 10:08 UTC] hegyvari at ardents dot hu 
<?
$str='1,2,3,4,5,6,7,8,9';
echo $str[0][NO];
echo $str[0][NO];
echo $str[0][NO];
echo $str[0][NO];
echo $str[0][NO];
echo $str[0][NO];
echo $str[0][NO];
echo "end.";
?>

check http://mail.ardents.hu:701/info.php3 for a phpinfo();

This piece of code causes Apache to segfault. It is a distilled version, the original error was a typo inside a complex function, hidden inside a loop. It took more than a day to find. PHP4.0.5 produced the same result.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-11-21 10:10 UTC] hegyvari at ardents dot hu 
Forgot to mention, that the code finishes, that is the "end" string appears in the browser. You have to check the apache error log to see the segfault. Of course if this type of code is in a function, the script will die inside the function.
 [2001-11-21 10:12 UTC] mj@php.net 
FYI: I get "access denied" when accessing http://mail.ardents.hu:701/info.php3.
 [2001-11-21 10:18 UTC] mfischer@php.net 
Reproduced with 4.0.6 (crash) and reported memory leak with current CVS:

mfischer@debian:~/src/php/bugtest$ php -f 14161.php
end../zend_execute.c(1962) :  Freeing 0x082FC3E4 (3 bytes), script=14161.php
zend_variables.c(106) : Actual location (location was relayed)
Last leak repeated 6 times


Reclassifying this as a ZE problem.
 [2001-11-21 10:18 UTC] hegyvari at ardents dot hu 
It works here, is that dot at the end of php3 really there?

The configuration is PHP4.0.6 compiled with:

 './configure' '--with-oci8' '--with-apache=/coca/install/apache_1.3.22/' '--enable-sigchild' '--enable-track-vars' '--with-mysql' '--with-pgsql=/usr/local/pgsql'
 [2001-12-14 13:27 UTC] yohgaki@php.net 
It does not crash with 4.1.0 CVS.
Is there something special to make PHP crash?
Could you try 4.1.0?
 [2001-12-14 14:06 UTC] mfischer@php.net 
As I said, it doesn't crash but it leaks:

mfischer@ficken:~/src/php/bugtest$ php -f 14161.php
end.
./zend_execute.c(1962) :  Freeing 0x082E0B64 (3 bytes), script=14161.php
zend_variables.c(106) : Actual location (location was relayed)
mfischer@ficken:~/src/php/bugtest$ cat 14161.php
<?
        #$str='1,2,3,4,5,6,7,8,9';
        $str = '';
        echo $str[0][NO];
        echo "end.";
?>

mfischer@ficken:~/src/php/bugtest$ php -f 14161.php
end.
./zend_execute.c(1962) :  Freeing 0x082E0B64 (3 bytes), script=14161.php
zend_variables.c(106) : Actual location (location was relayed)
 [2002-01-05 16:49 UTC] lobbin@php.net 
Any updates on this?
 [2002-01-26 05:34 UTC] sander@php.net 
Reopened.
 [2002-08-13 23:32 UTC] kalowsky@php.net 
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

I think this has been fixed in CVS... give it a try.  If I'm wrong, re-open it.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Nov 04 17:00:01 2025 UTC