Bug #21376 ereg(..., $unsetVar) crashes Apache in emalloc() / ecalloc()
Submitted: 2003-01-02 21:23 UTC Modified: 2003-01-03 00:40 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mattb at columbia dot edu
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 4.3.0
OS: GNU/Linux 2.4.18-19.7.x (RedHat)
Private report: No
CVE-ID: None
 [2003-01-02 21:23 UTC] mattb at columbia dot edu
ereg(..., null) is causing a crash in Apache, but not in command line mode. I'm using the following file in /path/to/htdocs/test.php:

    <?php
    define_syslog_variables();
    openlog('ereg() test', LOG_CONS | LOG_PERROR, LOG_USER);

    header("Content-Type: text/plain\r\n");
    syslog(LOG_ERR, "one\n");
    echo "one\n";
    ereg('wsdl', $unsetVariable);
    syslog(LOG_ERR, "two\n");
    echo "two\n";
    ?>

Nothing fancy, just trying to call ereg() with an unset variable as a second argument (the nusoap package at http://dietrich.ganx4.com/nusoap/ does this all over the place). This used to work just fine with 4.2.3.

If I run it from the 4.3.0 command line, it works as well:

    $ php test.php
    ereg() test: one
    X-Powered-By: PHP/4.1.2
    Content-Type: text/plain

    one
    ereg() test: two
    two

However, if I go to that page in a web browser, I get nothing back and this in the logs:

    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes

The weird thing is that if I call ereg('', ''); once in the program before all other ereg() calls, everything works as before (shared state initialization? are these thread safe?).

I'm using apache_1.3.27, curl-7.10.2, libxml2-2.4.30, libxslt-1.0.23, mod_ssl-2.8.11-1.3.27, openssl-engine-0.9.6g, and php-4.3.0 (everything else comes from the most up-to-date RedHat 7.3 distro).

Here is my Apache 1.3.27 build configuration (pretty simple). I'm using 

    EAPI_MM=SYSTEM SSL_BASE="${ARENA_HOME}" ./configure \
    --disable-module=userdir \
    --enable-module=ssl \
    --enable-shared=ssl \
    --enable-shared=max \
    "--prefix=${ARENA_HOME}" \
    --with-layout=GNU

Here is my PHP 4.3.0 build configuration:

    EXTRA_LDFLAGS="-L/usr/X11R6/lib -lpthread" ./configure \
    --disable-short-tags \
    --disable-rpath \
    --disable-url-fopen-wrapper \
    --enable-bcmath \
    --enable-calendar \
    --enable-debugger \
    --enable-dio \
    --enable-discard-path \
    --enable-embed=shared \
    --enable-exif \
    --enable-force-cgi-redirect \
    --enable-ftp \
    --enable-inline-optimization \
    --enable-gd-native-ttf \
    --enable-magic-quotes \
    --enable-mailparse \
    --enable-memory-limit \
    --enable-mime-magic \
    --enable-safe-mode \
    --enable-shmop \
    --enable-sockets \
    --enable-sysvsem \
    --enable-sysvshm \
    --enable-track-vars \
    --enable-trans-sid \
    --enable-wddx \
    "--prefix=${ARENA_HOME}" \
    "--with-apxs=${ARENA_HOME}/sbin/apxs" \
    --with-bz2=shared \
    "--with-config-file-path=${ARENA_HOME}/etc" \
    --with-db3 \
    "--with-curl=shared,${ARENA_HOME}" \
    "--with-dom=${ARENA_HOME}" \
    "--with-dom-exslt=${ARENA_HOME}" \
    "--with-dom-xslt=${ARENA_HOME}" \
    --with-expat-dir=/usr \
    --with-freetype-dir=/usr \
    --with-gd=shared \
    --with-gettext=shared \
    --with-gmp \
    --with-iconv=shared \
    --with-imap=shared \
    "--with-imap-ssl=${ARENA_HOME}" \
    --with-jpeg-dir=/usr \
    --with-kerberos \
    --with-layout=GNU \
    --with-mysql=shared,/usr \
    --with-ncurses=shared \
    "--with-openssl=shared,${ARENA_HOME}" \
    --with-pgsql=shared \
    --with-pic \
    --with-png-dir=/usr \
    --with-pspell=shared \
    --with-readline \
    --with-regex=system \
    --with-ttf=shared \
    --with-xmlrpc=shared \
    --with-xpm-dir=/usr/X11R6 \
    --with-zlib \
    --x-includes=/usr/X11R6/include/X11 \
    --x-libraries=/usr/X11R6/lib

 [2003-01-02 21:26 UTC] mattb at columbia dot edu
changing title...
 [2003-01-03 00:33 UTC] mattb at columbia dot edu
This does not happen if one uses --with-regex=php in the PHP configuration stage. Apparently, one cannot use --with-regex=system with Apache (is there a symbol name conflict here?).
 [2003-01-03 00:40 UTC] derick@php.net
From ./configure --help output:

  --with-regex=TYPE       regex library type: system, apache, php. Default: php
                          WARNING: Do NOT use unless you know what you are doing!

It indeed causes problems if you choose the wrong one; just follow the advice in the ./configure --help output, it's there for a reason.

Not a bug -> bogus.
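
A build audit for the setting discussed in this thread, as an added example that is not part of the original report or of PHP itself: it reads a configure command line and flags `--with-regex=system` in an apxs (Apache module) build, the combination the reporter crashed with. The function names, sample paths and shortened sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PHP configure command line for the --with-regex
# setting from this report. Function names are illustrative.

# Split a configure line into one argument per line, dropping quotes and
# line-continuation backslashes so quoted and unquoted forms look the same.
split_args() {
    printf '%s\n' "$1" | tr -s " \t'\"\\\\" '[\n*]'
}

# Print the effective regex TYPE. Per ./configure --help the default is "php".
regex_type() {
    value=$(split_args "$1" | sed -n 's/^--with-regex=//p' | tail -n 1)
    printf '%s\n' "${value:-php}"
}

# True when the build targets Apache through apxs.
uses_apxs() {
    split_args "$1" | grep -q -e '^--with-apxs'
}

# Return 0 = default regex, 1 = non-default (review), 2 = the crashing combination.
audit_build() {
    rtype=$(regex_type "$1")
    if [ "$rtype" = php ]; then
        echo "ok: regex=php (the default)"
        return 0
    fi
    if [ "$rtype" = system ] && uses_apxs "$1"; then
        echo "risk: regex=system in an Apache module build (ereg() crashed in this report)"
        return 2
    fi
    echo "review: regex=$rtype overrides the default; ./configure --help warns against this"
    return 1
}

# Constructed samples: a shortened form of the reporter's command line,
# and a build that leaves the regex type at its default.
REPORT_BUILD='./configure "--with-apxs=${ARENA_HOME}/sbin/apxs" --with-pic --with-regex=system --with-zlib'
DEFAULT_BUILD='./configure --with-apxs=/opt/httpd/sbin/apxs --with-zlib'

for line in "$REPORT_BUILD" "$DEFAULT_BUILD"; do
    audit_build "$line" || true
done
```
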
