Bug #24762 Reproducible crash in error handling
Submitted: 2003-07-22 22:40 UTC Modified: 2003-07-23 11:32 UTC
From: skissane at ics dot mq dot edu dot au Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.2 OS: Linux (RedHat 9.0)
Private report: No CVE-ID: None
 [2003-07-22 22:40 UTC] skissane at ics dot mq dot edu dot au
Description:
------------
I am sometimes getting segfaults when my custom error handler executes. It happens when an array is passed to preg_match instead of a string, and this raises an error.
Below is the error handler, and the backtrace PHP gives, and my PHP configuration.

PHP/Apache Version
PHP Version 4.3.2

System 	Linux itsa.iips.mq.edu.au 2.4.18-10 #1 Wed Aug 7 11:39:21 EDT 2002 i686 
Build Date 	Jul 23 2003 09:42:28 
Configure Command 	'./configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mssql=/usr/local' '--without-mysql' '--with-curl=/usr' '--enable-debug' 
Server API 	Apache 2.0 Handler 
Virtual Directory Support 	disabled 
Configuration File (php.ini) Path 	/usr/local/lib/php.ini 
PHP API 	20020918 
PHP Extension 	20020429 
Zend Extension 	20021010 
Debug Build 	yes 
Thread Safety 	disabled 
Registered PHP Streams 	php, http, ftp 

apache2handler
Apache Version 	Apache/2.0.45 (Unix) 
Apache API Version 	20020903 
Server Administrator 	root@localhost 
Hostname:Port 	itsa.iips.mq.edu.au:0 
User/Group 	apache(48)/48 
Max Requests 	Per Child: 1000 - Keep Alive: off - Max Per Connection: 100 
Timeouts 	Connection: 300 - Keep-Alive: 15 
Virtual Server 	No 
Server Root 	/etc/httpd 
Loaded Modules 	core mod_access mod_auth mod_include mod_log_config mod_env mod_setenvif prefork http_core mod_mime mod_status mod_autoindex mod_asis mod_cgi mod_negotiation mod_dir mod_imap mod_actions mod_userdir mod_alias mod_so sapi_apache2 

Directive	Local Value	Master Value
engine	1	1
last_modified	0	0
xbithack	0	0



Reproduce code:
---------------
<?php
/*
 ** File: error.inc
 ** Description: Error handling code
 ** right form when user presses 'Cancel'
 ** Version: 1.0
 ** Created: 20/03/2003
 ** Author: Simon Kissane <skissane@ics.mq.edu.au>
 ** Group: Internet Information Projects & Services
 **
 ** Copyright (C) 2003 Macquarie University
 */

// Turn on output buffering
ob_start();

/*
 ** Function: _error_backtrace()
 ** Input: None
 ** Output: None
 ** Description: Print stack backtrace (skips the two frames belonging to the handler itself)
 */
function _error_backtrace ()
{
    $trace = debug_backtrace();

    echo "<ul>\n";
    foreach ($trace as $fn => $frame) {
        if ($fn < 2) { continue; }
        echo "<li>#" . ($fn-2) . " - <b>";
        if (array_key_exists("class",$frame)) {
            echo $frame["class"] . $frame["type"];
        }
        echo $frame["function"];

        echo "</b>";
        if (array_key_exists("line",$frame)) {
            echo " (at line " . $frame["line"] . " of file " .
                $frame["file"] . ")";
        }
        echo "</li>\n";
        if (array_key_exists("args",$frame)) {
            echo "<ul>\n";
            foreach ($frame["args"] as $key => $arg) {
                echo "<li># " . $key . " - [";
                print_r($arg);
                echo "]</li>\n";
            }
            echo "</ul>\n";
        }
    }
    echo "</ul>\n";
}

/*
 ** Function: _error_handler()
 ** Input: INTEGER $errno, STRING $errstr, STRING $errfile, INTEGER $errline
 ** Output: None
 ** Description: Custom error handler.
 ** Some code taken from http://www.php.net/manual/en/function.set-error-handler.php
 */
function _error_handler($errno, $errstr, $errfile, $errline) {
    ob_clean();

    // Special friendly handling for database errors.
    if (strpos($errstr,"Unable to connect to server") !== FALSE) {
        include_once("databaseproblem.inc");
        exit;
    }
    else if (strpos($errstr,"String or binary data would be truncated") !== FALSE) {
        include_once("truncationerror.inc");
        exit;
    }

    echo "<b>ERROR:</b> [$errno] $errstr<br>\n";
    echo "  Fatal error in line " . $errline . " of file " . $errfile;
    echo ", PHP ". PHP_VERSION . " (" . PHP_OS . ")<br>\n";

    echo "<b>Stack backtrace:</b><br>\n";
    _error_backtrace();

    echo "<b>Request:</b>\n";
    echo "<ul>\n";
    foreach ($_REQUEST as $k => $v) {
        echo "<li>" . $k . "=" . $v . "</li>\n";
    }
    echo "</ul>\n";

    echo "<b>Session Data:</b>\n";
    echo "<ul>\n";
    // $_SESSION only exists once session_start() has been called
    foreach (isset($_SESSION) ? $_SESSION : array() as $k => $v) {
        echo "<li>" . $k . "="; print_r($v); echo "</li>\n";
    }
    echo "</ul>\n";

    //  echo "<b>Globals:</b>\n";
    //  echo "<ul>\n";
    //  foreach ($GLOBALS as $k => $v) {
    //      echo "<li>" . $k . "="; print_r($v); echo "</li>\n";
    //  }
    //  echo "</ul>\n";

    echo "Aborting...<br>\n";

    exit(1);
}

/*
 ** Function: logdebug()
 ** Input: STRING $msg
 ** Output: None
 ** Description: Log a debugging message to the debugging log
 */
function logdebug($msg) {
    // $_logdebug_file = fopen("/hosts/iips/logs/dev/handbook-debug.log","a+");
    // fwrite($_logdebug_file, date('Y-m-d H:i:s') . " " . $msg ."\n");
    // fclose($_logdebug_file);
    //  echo "<tt>" . $msg . "</tt><br/>";
}

// Initialise custom error handling
set_error_handler("_error_handler");

?>


Expected result:
----------------
No segfault!

Actual result:
--------------
Backtrace

Program received signal SIGSEGV, Segmentation fault.
0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c,
    pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4)
    at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
783                     if (p->nKeyLength) {
(gdb) bt
#0  0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c,
    pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4)
    at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
#1  0x403fe08d in _zval_copy_ctor (zvalue=0x8586eb4,
    __zend_filename=0x40448440 "/home/skissane/adm/php-4.3.2/Zend/zend_execute.c",
    __zend_lineno=481) at /home/skissane/adm/php-4.3.2/Zend/zend_variables.c:124
#2  0x40415902 in zend_assign_to_variable (result=0x83916e8, op1=0x83916f8,
    op2=0x8391708, value=0x857a164, type=4, Ts=0xbfff5180)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:481
#3  0x40410076 in execute (op_array=0x83a6280)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1349
#4  0x404110d9 in execute (op_array=0x82f6ee0)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#5  0x403f5e28 in call_user_function_ex (function_table=0x813bcf0, object_pp=0x0,
    function_name=0x8352b6c, retval_ptr_ptr=0xbfff6264, param_count=5,
    params=0x857ca0c, no_separation=1, symbol_table=0x0)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#6  0x403ff8f6 in zend_error (type=8,
    format=0x404467e2 "Array to string conversion")
    at /home/skissane/adm/php-4.3.2/Zend/zend.c:797
#7  0x403f8dd8 in _convert_to_string (op=0x857a164,
    __zend_filename=0x40447d40 "/home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c", __zend_lineno=263) at /home/skissane/adm/php-4.3.2/Zend/zend_operators.c:466
#8  0x40408185 in zend_if_strlen (ht=1, return_value=0x857a1a4, this_ptr=0x0,
    return_value_used=1)
    at /home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c:263
#9  0x40410ea6 in execute (op_array=0x84f6818)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#10 0x403f5e28 in call_user_function_ex (function_table=0x813bcf0, object_pp=0x0,
    function_name=0x85795b4, retval_ptr_ptr=0xbfff7a58, param_count=2,
    params=0x8580980, no_separation=0, symbol_table=0x0)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#11 0x4034c1ef in zif_call_user_func (ht=3, return_value=0x857770c, this_ptr=0x0,
    return_value_used=1)
    at /home/skissane/adm/php-4.3.2/ext/standard/basic_functions.c:1825
#12 0x40410ea6 in execute (op_array=0x8381608)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#13 0x404110d9 in execute (op_array=0x849fb2c)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#14 0x404110d9 in execute (op_array=0x8569a5c)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#15 0x404110d9 in execute (op_array=0x82ec01c)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#16 0x403ffb48 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/skissane/adm/php-4.3.2/Zend/zend.c:869
#17 0x403ca119 in php_execute_script (primary_file=0xbffff750)
#18 0x40416ba6 in php_handler (r=0x83ff948)
    at /home/skissane/adm/php-4.3.2/sapi/apache2handler/sapi_apache2.c:525
#19 0x0807b47e in ap_run_handler (r=0x83ff948) at config.c:195
#20 0x0807b996 in ap_invoke_handler (r=0x83ff948) at config.c:401
#21 0x0806b8ff in ap_process_request (r=0x83ff948) at http_request.c:288
#22 0x08067b4d in ap_process_http_connection (c=0x828f118) at http_core.c:293
#23 0x08084096 in ap_run_process_connection (c=0x828f118) at connection.c:85
#24 0x0807a034 in child_main (child_num_arg=1930623196) at prefork.c:696
#25 0x0807a1de in make_child (s=0x80b4f00, slot=0) at prefork.c:736
#26 0x0807a237 in startup_children (number_to_start=8) at prefork.c:808
#27 0x0807a929 in ap_mpm_run (_pconf=0x8079910, plog=0x80ea8d8, s=0x80b4f00)
    at prefork.c:1024
#28 0x0807f642 in main (argc=2, argv=0xbffffa24) at main.c:660
#29 0x401e0967 in __libc_start_main () from /lib/libc.so.6

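A hardened form of the handler above, added here as an editorial example that is not part of the report or of the reporter's error.inc. It assumes PHP 5.3.6 or later (DEBUG_BACKTRACE_IGNORE_ARGS does not exist in the 4.3.2 build in the report) and a configured error_log destination; the function name is my own. It records the call chain without copying any frame's arguments, logs the detail server-side, and sends the client only a reference, so $_REQUEST and $_SESSION contents are no longer echoed to the browser.

```php
<?php
// Added example, not the reporter's error.inc. Assumes PHP >= 5.3.6 for
// DEBUG_BACKTRACE_IGNORE_ARGS and a configured error_log destination.
function hardened_error_handler($errno, $errstr, $errfile, $errline)
{
    static $active = false;
    // Re-entrancy guard: a notice raised while this handler runs must not
    // recurse into it; returning false hands it to the engine's default.
    if ($active || !(error_reporting() & $errno)) {
        return false;
    }
    $active = true;

    // Record the call chain WITHOUT copying frame arguments. The original
    // handler's print_r($arg) walked every argument, including the array
    // whose string conversion had just raised the notice.
    $frames = array();
    foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) as $i => $f) {
        if ($i === 0) { continue; }            // the handler itself
        $call  = (isset($f['class']) ? $f['class'] . $f['type'] : '') . $f['function'];
        $where = isset($f['file']) ? $f['file'] . ':' . $f['line'] : '[internal]';
        $frames[] = "#$i $call ($where)";
    }

    // Server-side only: $_REQUEST and $_SESSION are never sent to the client.
    $ref = uniqid('err-', true);
    error_log(sprintf("%s [%d] %s at %s:%d\n%s", $ref, $errno, $errstr,
                      $errfile, $errline, implode("\n", $frames)));

    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        if (ob_get_level() > 0) { ob_clean(); }   // drop partial output
        if (!headers_sent()) { header('HTTP/1.1 500 Internal Server Error'); }
        // The only value echoed is escaped; the user gets a reference, not detail.
        echo '<b>An internal error occurred.</b> Reference: ',
             htmlspecialchars($ref, ENT_QUOTES, 'UTF-8'), "\n";
        exit(1);
    }
    $active = false;
    return true;   // handled; script continues for warnings and notices
}

set_error_handler('hardened_error_handler');
```

The reference logged with the full detail lets an administrator correlate a user's report with the server log without exposing file paths, arguments or session data in the response.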

 [2003-07-23 11:32 UTC] sniper@php.net
This is fixed in CVS. (works fine here)
