Bug #9772 segfault w/ long POST/GET vars
Submitted: 2001-03-15 16:06 UTC Modified: 2001-05-18 17:13 UTC
From: cam at h2os dot org Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.0.4pl1 OS: VA Redhat 6.2.3
Private report: No CVE-ID: None
 [2001-03-15 16:06 UTC] cam at h2os dot org
The script in question is thousands of lines long.

Basically, the script uses about 100 global variables and just under 30 (depending on parameters) SQL queries to a PostgreSQL DB.

When submitting a form that creates an array (e.g. <input type="text" name="input[first_name]">) with 20 or so elements, Apache segfaults.

When reworking the script to not use array-style names for form controls, it works OK. I haven't tested whether or not it is simply a length issue or something to do specifically with the array style for form variables, as it does add significantly to the length of the URI.

It happens with either GET or POST methods.

The stack trace is below:

Program received signal SIGSEGV, Segmentation fault.
0x4019e90a in zend_indent () at zend_indent.c:96
96                                                                      ZEND_PUTS(" {\n");
(gdb) bt
#0  0x4019e90a in zend_indent () at zend_indent.c:96
#1  0xbfff8568 in ?? ()
#2  0x4018ef8b in _get_zval_ptr_ptr (node=0x8149774, Ts=0xbfff8580) at ./zend_execute.c:163
#3  0x4018a819 in execute (op_array=0x81a6424) at ./zend_execute.c:1531
#4  0x4018b9ac in execute (op_array=0x819d5f4) at ./zend_execute.c:1768
#5  0x4019a2bf in add_assoc_long (arg=0x8, key=0x3 <Address 0x3 out of bounds>, n=0) at zend_API.c:238
#6  0x401acba4 in php_fopen_with_path (filename=0xbffff954 "\002?&@D?\020\b|n\026\b\b{\034\b", 
    mode=0x806813f "\203?\b\211?\205?u\030\213E?\215\024?", path=0xbffff968 "\230???9\231\032@\234?\020\b", opened_path=0x401a8edc)
    at fopen-wrappers.c:405
#7  0x401a8f43 in php_init_handler (s=0x810d39c, p=0x0) at mod_php4.c:706
#8  0x401a9939 in php_if_virtual (ht=135320476, return_value=0x0, this_ptr=0x0, return_value_used=1075485032) at php_apache.c:302
#9  0x401a997e in php_if_virtual (ht=135320476, return_value=0x1, this_ptr=0x1f4, return_value_used=23) at php_apache.c:302
#10 0x806c173 in ?? ()
#11 0x807f9a9 in ?? ()
#12 0x807fa0c in ?? ()
#13 0x807728e in ?? ()
#14 0x807741c in ?? ()
#15 0x8077579 in ?? ()
#16 0x8077ba6 in ?? ()
#17 0x8078333 in ?? ()
#18 0x400809eb in __libc_start_main (main=0x8077fec, argc=3, argv=0xbffffb34, init=0x804ecd0, fini=0x80ac6d0, rtld_fini=0x4000af10 <_dl_fini>, 
    stack_end=0xbffffb2c) at ../sysdeps/generic/libc-start.c:92

History

 [2001-03-15 16:20 UTC] cam at h2os dot org
Hmmm... After a bit more bashing, I've gotten it to do it even with the shortened variables.

new (but very similar) backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x4019e90a in zend_indent () at zend_indent.c:96
96                                                                      ZEND_PUTS(" {\n");
(gdb) bt
#0  0x4019e90a in zend_indent () at zend_indent.c:96
#1  0xbfff81f8 in ?? ()
#2  0x4018ef8b in _get_zval_ptr_ptr (node=0x8161864, Ts=0xbfff8210) at ./zend_execute.c:163
#3  0x4018a819 in execute (op_array=0x813a9a4) at ./zend_execute.c:1531
#4  0x4018b9ac in execute (op_array=0x81a6134) at ./zend_execute.c:1768
#5  0x4019a2bf in add_assoc_long (arg=0x8, key=0x3 <Address 0x3 out of bounds>, n=0) at zend_API.c:238
#6  0x401acba4 in php_fopen_with_path (filename=0xbffff964 "\002?&@\034?\020\b\\=\030\b\030?\017\b", 
    mode=0x806813f "\203?\b\211?\205?u\030\213E?\215\024?", path=0xbffff978 "????9\231\032@\234?\020\b", opened_path=0x401a8edc)
    at fopen-wrappers.c:405
#7  0x401a8f43 in php_init_handler (s=0x810cf9c, p=0x0) at mod_php4.c:706
#8  0x401a9939 in php_if_virtual (ht=135319452, return_value=0x0, this_ptr=0x0, return_value_used=1075485032) at php_apache.c:302
#9  0x401a997e in php_if_virtual (ht=135319452, return_value=0x1, this_ptr=0x1f4, return_value_used=23) at php_apache.c:302
#10 0x806c173 in ap_invoke_handler ()
#11 0x807f9a9 in process_request_internal ()
#12 0x807fa0c in ap_process_request ()
#13 0x807728e in child_main ()
#14 0x807741c in make_child ()
#15 0x8077579 in startup_children ()
#16 0x8077ba6 in standalone_main ()
#17 0x8078333 in main ()
#18 0x400809eb in __libc_start_main (main=0x8077fec <main>, argc=2, argv=0xbffffb44, init=0x804ecd0 <_init>, fini=0x80ac6d0 <_fini>, 
    rtld_fini=0x4000af10 <_dl_fini>, stack_end=0xbffffb3c) at ../sysdeps/generic/libc-start.c:92

 [2001-03-15 23:13 UTC] sniper@php.net
1. Try latest CVS snapshot from http://snaps.php.net/
2. Add the shortest possible PHP script into this bug report which can be used to reproduce this crash.

--Jani

 [2001-03-16 18:49 UTC] cam at h2os dot org
Addendum. In my haste, I think I mis-evaluated the cause of this bug. It seems to have been resolved by my removing an & from a function definition (and no longer making it return a reference). This function was used about 25 times on the page with different parameters. I'll try and create a small example set of code to recreate the problem. The function was also generating large numbers (at times) of suppressed warnings from the db (no results). All of those factors may contribute to the issue. The problem remains, though it occurs in a slightly different place, in the current CVS (as of 20010316).
 [2001-04-28 14:42 UTC] jmoore@php.net
Can you supply a small reproducing script, please?

- James
 [2001-05-18 17:13 UTC] derick@php.net
No feedback, please reopen if you think this should not be closed.
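The thread was closed without the small reproducing script that sniper@php.net and jmoore@php.net asked for. As an added example, not the reporter's code and not code from the PHP project, the script below has the shape such a reproducer would take, combining the three factors the 2001-03-16 addendum names: array-style form fields (`input[...]`), a function declared to return by reference (`function &lookup`), and suppressed warnings around lookups that return no result. The in-memory `$table`, the `lookup` function and the constructed long input are assumptions standing in for the reporter's PostgreSQL queries, and the script is not claimed to crash any PHP release; it only exercises the pattern so that the same shape can be run against the build under test.

```php
<?php
// Added illustration, not the reporter's script and not known to crash any
// PHP release. It only has the shape of the minimal reproducer the
// maintainers asked for, combining the three factors the reporter names:
// array-style form fields, a function declared to return by reference, and
// warnings suppressed around lookups that return no result.

// Hypothetical stand-in for the reporter's PostgreSQL lookups: a constructed
// in-memory table, so the script runs offline from the CLI.
$table = array(
    'first_name' => 'Ada',
    'last_name'  => 'Lovelace',
);

// Returns a reference into $table for a known key. For an unknown key it
// raises a warning (as an empty query result did for the reporter) and
// returns a reference to a static placeholder rather than a temporary.
function &lookup($key)
{
    global $table;
    static $missing = null;
    if (isset($table[$key])) {
        return $table[$key];
    }
    trigger_error("no result for '$key'", E_USER_WARNING);
    return $missing;
}

// Constructed input in the layout produced by <input name="input[...]">.
// A real request would deliver it in $_POST (PHP >= 4.1) or
// $HTTP_POST_VARS (PHP 4.0.x); the values are made long on purpose so the
// request resembles the reporter's oversized GET/POST.
$input = array('first_name' => 'Grace');
for ($i = 0; $i < 24; $i++) {
    $input["extra_$i"] = str_repeat('x', 200);
}

// Call the reference-returning function once per field (25 calls) with
// warnings suppressed, as the reporter describes. Writes through the
// reference modify $table in place; unknown fields write only to the
// static placeholder and never touch $table.
$saved = error_reporting(0);
foreach ($input as $name => $value) {
    $ref = &lookup($name);
    if ($ref !== null) {
        $ref = $value;
    }
}
error_reporting($saved);

// Show the value written through the reference and that no extra keys
// were created by the unknown fields.
var_dump($table['first_name']);
var_dump(count($table));
```

Run it from the command line (`php repro.php`) against the interpreter build being investigated; for a web-server reproduction, replace the constructed `$input` with the request array and submit a form whose controls use the `input[...]` naming shown on the page.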
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 01:01:28 2024 UTC