Bug #10495 Crash with ob_start();
Submitted: 2001-04-25 14:10 UTC
Modified: 2001-10-19 10:58 UTC
From: vvtk at stealthcomp dot com
Assigned:
Status: Closed
Package: Output Control
PHP Version: 4.0 Latest CVS (25/04/2001)
OS: RedHat 6.2
Private report: No
CVE-ID: None
 [2001-04-25 14:10 UTC] vvtk at stealthcomp dot com
Segmentation fault with the following script:

<?
function my_h($str){
 global $HTTP_ACCEPT_ENCODING,$NO_COMPRESS;
 
 $size = strlen($contents);
 $crc32 = crc32($contents);
 Header("Etag: VT".$crc32);
    $size = strlen($contents);
 $crc32 = crc32($contents);
    // compressed output: set header
 $ENCODING = "gzip";
    header("Content-Encoding: $ENCODING");
    $ret =  "\x1f\x8b\x08\x00\x00\x00\x00\x00";
    $ret .= substr($gzcontent, 0, strlen($gzcontent) - 4);
    $ret .= pack('V',$crc32);
    $ret .= pack('V',$size);
 return $ret;
 if ($NO_COMPRESS) {return $str;}
 return $str.$HTTP_ACCEPT_ENCODING;
} 
 
function TO_LOGIN(){
 echo "Login";
 exit;
}
 
 
ob_start("my_h");
 
phpinfo(); 
TO_LOGIN("rr");
?>

 [2001-04-29 11:25 UTC] andi@php.net
Can you please supply the smallest possible reproducing script and post it? Also, please try today's CVS, updating the PHP, TSRM and Zend CVS trees. Please compile with --enable-debug.
 [2001-04-29 16:03 UTC] vvtk at stealthcomp dot com
php4-200104290845

This is a minimal script that segfaults (after refreshing 3-5 times in the browser):

<?

function my_gzhandler($contents){
        $headers = getallheaders();

        global $TIME_EXECUTION,$USERS_ONLINE;
        $contents=str_replace("<!-- TIMEEXECUTION -->",$TIME_EXECUTION,$contents);
        $contents=str_replace("<!-- USERS_ONLINE -->",$USERS_ONLINE,$contents);

        $gzcontent = gzcompress($contents, 3);

        $ENCODING = "gzip";            
        $size = strlen($contents);     
        $crc32 = crc32($contents);     
                                       
        header("Content-Encoding: $ENCODING");
        $ret =  "\x1f\x8b\x08\x00\x00\x00\x00\x00";
        $ret .= substr($gzcontent, 0, strlen($gzcontent) - 4);
        $ret .= pack('V',$crc32);
        $ret .= pack('V',$size);
        return $ret;
}


ob_start("my_gzhandler");

phpinfo();

?>


bt:

Program received signal SIGSEGV, Segmentation fault.
0x40104493 in memcpy (dstpp=0xbffff86c, srcpp=0x2164eaf1, len=4) at ../sysdeps/generic/memcpy.c:61

#0  0x40104493 in memcpy (dstpp=0xbffff86c, srcpp=0x2164eaf1, len=4) at ../sysdeps/generic/memcpy.c:61
#1  0x4024e567 in _mem_block_check (ptr=0x810caac, silent=0, __zend_filename=0x40369062 "output.c", 
    __zend_lineno=229, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:614
#2  0x4024e52b in _mem_block_check (ptr=0x810caac, silent=1, __zend_filename=0x40369062 "output.c", 
    __zend_lineno=229, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:606
#3  0x4024d3f9 in _efree (ptr=0x810caac, __zend_filename=0x40369062 "output.c", __zend_lineno=229, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:210
#4  0x40314c93 in php_end_ob_buffer (send_buffer=1 '\001', just_flush=0 '\000') at output.c:229
#5  0x40314d5c in php_end_ob_buffers (send_buffer=1 '\001') at output.c:250
#6  0x4027fc08 in apache_php_module_main (r=0x80e353c, display_source_mode=0) at sapi_apache.c:95
#7  0x40280807 in send_php (r=0x80e353c, display_source_mode=0, filename=0x80e4f44 "/home/httpd/html/3.php")
    at mod_php4.c:521
#8  0x40280845 in send_parsed_php (r=0x80e353c) at mod_php4.c:532
#9  0x805345e in ap_invoke_handler () from /lib/libnsl.so.1
#10 0x80618fb in ap_some_auth_required () from /lib/libnsl.so.1
#11 0x8061958 in ap_process_request () from /lib/libnsl.so.1
#12 0x805b940 in ap_child_terminate () from /lib/libnsl.so.1
#13 0x805baa7 in ap_child_terminate () from /lib/libnsl.so.1
#14 0x805bba8 in ap_child_terminate () from /lib/libnsl.so.1
#15 0x805c058 in ap_child_terminate () from /lib/libnsl.so.1
#16 0x805c65f in main () from /lib/libnsl.so.1
#17 0x400bc9cb in __libc_start_main (main=0x805c3e0 <main>, argc=2, argv=0xbffffb74, init=0x804f014 <_init>, 
    fini=0x807b99c <_fini>, rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffffb6c)
    at ../sysdeps/generic/libc-start.c:92

 [2001-10-19 10:58 UTC] sander@php.net
Please upgrade to the latest version. Reopen if the problem still occurs.
 
Last updated: Thu Mar 28 16:01:29 2024 UTC