Bug #24739 php segfaults on non-initialized session variables
Submitted: 2003-07-21 11:45 UTC
Modified: 2003-07-21 15:40 UTC
From: jullrich at euclidian dot com
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 4.3.2
OS: Linux 2.4.21, Solaris
Private report: No
CVE-ID: None
 [2003-07-21 11:45 UTC] jullrich at euclidian dot com
Description:
------------
If a '$_SESSION' variable is used for a new session,
it will crash php. This bug has also been reported for
Solaris (bug ID 24592) and the recent RC version of php.
Happens with apache module or command line.

Reproduce code:
---------------
source code:

<?php
 
session_start();
 
$foo = $_SESSION['foo'];
$bar = $_SESSION['bar'];
 
$_SESSION['foo'] = $foo;
$_SESSION['bar'] = $bar;
 
?>


run: php -n filename.php


Expected result:
----------------
no output other than maybe session errors as this is executed from the command line.

Actual result:
--------------
Segmentation Fault.

Warning: session_start(): Cannot send session cookie - headers already sent in /home/jullrich/x2 on line 3
 
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/jullrich/x2:3) in /home/jullrich/x2 on line 3
Segmentation fault

Backtrace:

#0  0x0813f96b in _efree (ptr=0x81dda04)
    at /usr/local/src/php-4.3.2/Zend/zend_alloc.c:259
#1  0x080b33b1 in migrate_global (ht=0x822fb68, pos=0xbfffd378)
    at /usr/local/src/php-4.3.2/ext/session/session.c:640
#2  0x080b355f in php_session_save_current_state ()
    at /usr/local/src/php-4.3.2/ext/session/session.c:670
#3  0x080b5ba9 in php_session_flush ()
    at /usr/local/src/php-4.3.2/ext/session/session.c:1591
#4  0x080b5bbf in zm_deactivate_session (type=1, module_number=7)
    at /usr/local/src/php-4.3.2/ext/session/session.c:1605
#5  0x0814f71d in module_registry_cleanup (module=0x0)
    at /usr/local/src/php-4.3.2/Zend/zend_API.c:1167
#6  0x081516d5 in zend_hash_apply (ht=0x81ddd80,
    apply_func=0x814f6ec <module_registry_cleanup>)
    at /usr/local/src/php-4.3.2/Zend/zend_hash.c:688
#7  0x0814ceac in zend_deactivate_modules ()
    at /usr/local/src/php-4.3.2/Zend/zend.c:634
#8  0x08126a7e in php_request_shutdown (dummy=0x0)
    at /usr/local/src/php-4.3.2/main/main.c:971
#9  0x0815e488 in main (argc=3, argv=0xbfffdba4)
    at /usr/local/src/php-4.3.2/sapi/cli/php_cli.c:862
#10 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6


 [2003-07-21 14:34 UTC] jullrich at euclidian dot com
the most recent 'STABLE' version (php4-STABLE-200307211730)
did not solve the problem:

php4-STABLE-200307211730/sapi/cli/php -n x2
Segmentation fault

running it in gdb yields as a backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08145c53 in _efree (ptr=0x81e5704)
    at /usr/local/src/php4-STABLE-200307211730/Zend/zend_alloc.c:259
259             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x08145c53 in _efree (ptr=0x81e5704)
    at /usr/local/src/php4-STABLE-200307211730/Zend/zend_alloc.c:259
#1  0x080b7461 in migrate_global (ht=0x8236ed0, pos=0xbfffda38)
    at /usr/local/src/php4-STABLE-200307211730/ext/session/session.c:640
#2  0x080b760f in php_session_save_current_state ()
    at /usr/local/src/php4-STABLE-200307211730/ext/session/session.c:670
#3  0x080b9c71 in php_session_flush ()
    at /usr/local/src/php4-STABLE-200307211730/ext/session/session.c:1593
#4  0x080b9c87 in zm_deactivate_session (type=1, module_number=7)
    at /usr/local/src/php4-STABLE-200307211730/ext/session/session.c:1607
#5  0x08155a91 in module_registry_cleanup (module=0x0)
    at /usr/local/src/php4-STABLE-200307211730/Zend/zend_API.c:1167
#6  0x08157a49 in zend_hash_apply (ht=0x81e5a80,
    apply_func=0x8155a60 <module_registry_cleanup>)
    at /usr/local/src/php4-STABLE-200307211730/Zend/zend_hash.c:688
#7  0x08153220 in zend_deactivate_modules ()
    at /usr/local/src/php4-STABLE-200307211730/Zend/zend.c:650
#8  0x0812cb4e in php_request_shutdown (dummy=0x0)
    at /usr/local/src/php4-STABLE-200307211730/main/main.c:981
#9  0x081648b4 in main (argc=3, argv=0xbfffe264)
    at /usr/local/src/php4-STABLE-200307211730/sapi/cli/php_cli.c:874
#10 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
 [2003-07-21 15:40 UTC] iliaa@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. Because of this, we hope you add your comments
to the existing bug instead.

Thank you for your interest in PHP.

This bug is an exact duplicate of bug #24592. The fix for the bug will be applied to the CVS shortly.
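
An added example, not part of the original report or of the PHP project's tooling: one way to confirm that the two backtraces posted above are the same crash is to compare only the function names of their innermost frames, ignoring addresses, arguments and source line numbers. The names `frames` and `signature` and the depth of 4 are assumptions made for this example.

```python
import hashlib
import re

# gdb frame line: "#N  0xADDR in function (args)"; "at file:line" lines never match.
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([A-Za-z_]\w*)\s*\(")

def frames(backtrace):
    """Function names of a gdb backtrace, innermost frame first."""
    matches = (FRAME_RE.match(line.strip()) for line in backtrace.splitlines())
    return [m.group(1) for m in matches if m]

def signature(backtrace, depth=4):
    """Bucket key built from the top `depth` function names only."""
    top = "|".join(frames(backtrace)[:depth])
    return hashlib.sha256(top.encode()).hexdigest()[:16]

# Innermost four frames copied from the two backtraces in this report.
BT_4_3_2 = """\
#0  0x0813f96b in _efree (ptr=0x81dda04)
    at /usr/local/src/php-4.3.2/Zend/zend_alloc.c:259
#1  0x080b33b1 in migrate_global (ht=0x822fb68, pos=0xbfffd378)
    at /usr/local/src/php-4.3.2/ext/session/session.c:640
#2  0x080b355f in php_session_save_current_state ()
    at /usr/local/src/php-4.3.2/ext/session/session.c:670
#3  0x080b5ba9 in php_session_flush ()
    at /usr/local/src/php-4.3.2/ext/session/session.c:1591
"""
BT_STABLE = """\
#0  0x08145c53 in _efree (ptr=0x81e5704)
    at /usr/local/src/php4-STABLE-200307211730/Zend/zend_alloc.c:259
#1  0x080b7461 in migrate_global (ht=0x8236ed0, pos=0xbfffda38)
    at /usr/local/src/php4-STABLE-200307211730/ext/session/session.c:640
#2  0x080b760f in php_session_save_current_state ()
    at /usr/local/src/php4-STABLE-200307211730/ext/session/session.c:670
#3  0x080b9c71 in php_session_flush ()
    at /usr/local/src/php4-STABLE-200307211730/ext/session/session.c:1593
"""

if __name__ == "__main__":
    print(frames(BT_4_3_2))
    print(signature(BT_4_3_2) == signature(BT_STABLE))
```

Both builds produce the same key even though every address differs and `php_session_flush` sits at a different source line (1591 versus 1593).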