Bug #47183 Invalid format in php_error_docref() in ext/date/php_date.c:guess_timezone()
Submitted: 2009-01-21 13:10 UTC Modified: 2015-01-19 23:02 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: ch dot maurer at gmx dot de Assigned: derick (profile)
Status: Not a bug Package: Date/time related
PHP Version: 5.2.8 OS: Linux (none) 2.6.26.2
Private report: No CVE-ID: None
 [2009-01-21 13:10 UTC] ch dot maurer at gmx dot de
Description:
------------
See also 'http://www.apachefriends.org/f/viewtopic.php?t=32008&sid=5d3e09931c2d70bb0c1430f49c6c3a0c'

When cross compiled for ppc_85xxDP
A. '<?php phpinfo(); ?>' terminates after displaying the date info and displays error 'Fatal error: Balloc()
allocation exceeds list boundary in /media/server/wwwroot/htdocs/info.php on line 2'
B. 'php -i' terminates after displaying the date info

Workaround:	
 If I replace %f by %d in the call to php_error_docref() in function ext/date/php_date.c::guess_timezone():
 
        php_error_docref(NULL TSRMLS_CC, E_STRICT, DATE_TZ_ERRMSG "We selected '%s' for '%s/%.1f/%s' instead", tzid, ta ? ta->tm_zone : "Unknown", ta ? (float) (ta->tm_gmtoff / 3600) : 0, ta ? (ta->tm_isdst ? "DST" : "no DST") : "Unknown");

replaced by

        php_error_docref(NULL TSRMLS_CC, E_STRICT, DATE_TZ_ERRMSG "We selected '%s' for '%s/%d/%s' instead", tzid, ta ? ta->tm_zone : "Unknown", ta ? ta->tm_gmtoff : 0, ta ? (ta->tm_isdst ? "DST" : "no DST") : "Unknown");

this error disappears.    
    
'php -i' will call guess_timezone() which calls 
php_error_docref(NULL TSRMLS_CC, E_STRICT, DATE_TZ_ERRMSG "We selected '%s' for '%s/%.1f/%s' instead", tzid, ta ? ta->tm_zone : "Unknown", ta ? (float) (ta->tm_gmtoff / 3600) : 0, ta ? (ta->tm_isdst ? "DST" : "no DST") : "Unknown");

which ends up calling

xbuf_format_converter() which does a va_arg(ap, double) for the %f passed in to php_error_docref()

if I replace
                        case LM_STD:
                            fp_num = va_arg(ap, double);

by 
                        case LM_STD:
                            fp_num = va_arg(ap, float);

I get 

/home/christoph/php/ppc/php-5.2.8/main/spprintf.c: In function 'xbuf_format_converter':
/home/christoph/php/ppc/php-5.2.8/main/spprintf.c:570: warning: 'float' is promoted to 'double' when passed through '...'
/home/christoph/php/ppc/php-5.2.8/main/spprintf.c:570: warning: (so you should pass 'double' not 'float' to 'va_arg')
/home/christoph/php/ppc/php-5.2.8/main/spprintf.c:570: note: if this code is reached, the program will abort


Reproduce code:
---------------
'php -i', <?php phpinfo(); ?>


You will need to cross-compile PHP with the ELDK-4.2 for ppc_85xxDP and run on the target ppc
X. Install ELDK-4.2
Note: ELDK does not require *any* root privileges, which is why I run everything from my home dir.
X.1 download ELDK-4.2: ftp://ftp-stud.hs-esslingen.de/pub/Mirrors/eldk/4.2/ppc-linux-x86/iso/ppc-2008-04-01.iso
and burn CD
X.2 install ELDK-4.2: /media/ppc-2008-04-01> ./install -d /home/christoph/ELDK-4.2 ppc_85xxDP  
X.3 set environment variables in normal Linux shell (2 exports)
    export CROSS_COMPILE=ppc_85xxDP-
    export PATH=/home/christoph/ELDK-4.2/usr/ppc-linux/bin:/home/christoph/ELDK-4.2/usr/bin:/home/christoph/ELDK-4.2/bin:$PATH

A. cross-compile apache from ELDK-4.2 src rpm for ppc_85xxDP
Do A. if you want to call '<?php phpinfo(); ?>' from a browser
If you only want to execute 'php -i', you can skip this step A.
A.1 Do X.3 first
A.2 download and copy apache source rpm 'ftp://ftp-stud.hs-esslingen.de/pub/Mirrors/eldk/4.2/ppc-linux-x86/sources/target/SRPMS/httpd-2.2.4-4.1.src.rpm'
to /home/christoph/ELDK-4.2/usr/src/denx/SRPMS
> cd /home/christoph/ELDK-4.2/usr/src/denx/SRPMS
~/ELDK-4.2/usr/src/denx/SRPMS> ${CROSS_COMPILE}rpm -iv httpd-2.2.4-4.1.src.rpm
A.3 build apache
> cd /home/christoph/ELDK-4.2/usr/src/denx/SPECS
~/ELDK-4.2/usr/src/denx/SPECS> ${CROSS_COMPILE}rpmbuild -ba httpd.spec
A.4 install apache to /home/christoph/ppc/wwwroot

B. cross-compile PHP-5.2.8 for ppc_85xxDP
B.1 download and copy PHP sources to /home/christoph/php/ppc/php-5.2.8
B.2 build php
B.2.1 If you executed step A. before, run
/home/christoph/php/ppc/php-5.2.8> ./configure --build=i386-linux --host=ppc-linux \
    --with-apxs2=/home/christoph/ppc/wwwroot/bin/apxs \
    --with-config-file-path=/media/server/wwwroot/php \
    --disable-all \
    --prefix=/home/christoph/ppc/wwwroot \
    --enable-session 
B.2.2 If you only want to run 'php -i' (and not '<?php phpinfo(); ?>', so no libphp5.so is built) and you skipped step A., run
./configure --build=i386-linux --host=ppc-linux \
    --with-config-file-path=/media/server/wwwroot/php \
    --disable-all \
    --prefix=/home/christoph/ppc/wwwroot \
    --enable-session 
    
B.3 install php to /home/christoph/ppc/wwwroot
/home/christoph/php/ppc/php-5.2.8> make install
B.4 go to your ppc target hardware and copy or mount directory /home/christoph/ppc/wwwroot
B.5 on the ppc target hardware, execute 'php -i' or call <?php phpinfo(); ?> from apache


Expected result:
----------------
'php -i' and <?php phpinfo(); ?> should display everything up to the license info at the end.


Actual result:
--------------
Error 1: 'php -i' will not display anything after 'date' info
===========
# php -i
phpinfo()
PHP Version => 5.2.8
...<more here deleted>
date

date/time support => enabled
"Olson" Timezone Database Version => 2008.9
Timezone Database => internal
< there should be more output here but there is none >
#
===========

Error 2: when calling an info.php with these contents:
<?php
phpinfo();
?>
the browser will display the date info with this error and not display anything more:
===========
date

Fatal error: Balloc() allocation exceeds list boundary in /media/server/wwwroot/htdocs/info.php on line 2
date/time support   enabled
"Olson" Timezone Database Version   2008.9
Timezone Database   internal 
===========
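
Added example (not part of the report and not PHP's source): the compiler warning quoted above reflects C's default argument promotions, under which a `float` passed through `...` arrives as a `double`, so reading `%f` with `va_arg(ap, double)` matches the original call, including its `: 0` arm. `mini_format`, `tz_summary` and the sample values are hypothetical names and constructed inputs used only for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mini formatter, not PHP's: %s, %ld, %.1f only; cap >= 1. */
static void mini_format(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    size_t n = 0;
    va_start(ap, fmt);
    while (*fmt && n + 1 < cap) {
        int w = 1;                              /* characters produced */
        if (strncmp(fmt, "%.1f", 4) == 0) {     /* float arrives as double */
            w = snprintf(out + n, cap - n, "%.1f", va_arg(ap, double));
            fmt += 4;
        } else if (strncmp(fmt, "%ld", 3) == 0) {
            w = snprintf(out + n, cap - n, "%ld", va_arg(ap, long));
            fmt += 3;
        } else if (strncmp(fmt, "%s", 2) == 0) {
            w = snprintf(out + n, cap - n, "%s", va_arg(ap, const char *));
            fmt += 2;
        } else {
            out[n] = *fmt++;
        }
        n += (size_t)w;
        if (n >= cap) n = cap - 1;              /* snprintf truncated */
    }
    va_end(ap);
    out[n] = '\0';
}

/* Both argument shapes from the report; sample values are constructed. */
static const char *tz_summary(char *out, size_t cap, const char *zone,
                              long gmtoff, int have_ta, int raw_seconds)
{
    if (raw_seconds)    /* long ?: int is long, so the read must be long */
        mini_format(out, cap, "%s/%ld", have_ta ? zone : "Unknown",
                    have_ta ? gmtoff : 0);
    else                /* float ?: int is float, promoted to double */
        mini_format(out, cap, "%s/%.1f", have_ta ? zone : "Unknown",
                    have_ta ? (float)(gmtoff / 3600) : 0);
    return out;
}

int main(void)
{
    char buf[64];
    return puts(tz_summary(buf, sizeof buf, "CET", 3600, 1, 0)) < 0;
}
```

Because `gmtoff / 3600` is integer division, a half-hour offset such as 19800 seconds is formatted as 5.0 rather than 5.5.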




 [2009-01-21 19:18 UTC] jani@php.net
So it's actually a bug in ext/date..
 [2009-01-22 14:32 UTC] iliaa@php.net
Have you tried changing the (float) cast to (double) ?
 [2009-01-26 08:29 UTC] ch dot maurer at gmx dot de
No, changing 

      php_error_docref(NULL TSRMLS_CC, E_STRICT, DATE_TZ_ERRMSG "We selected '%s' for '%s/%.1f/%s' instead", tzid, ta ? ta->tm_zone : "Unknown", ta ? (float) (ta->tm_gmtoff / 3600) : 0, ta ? (ta->tm_isdst ? "DST" : "no DST") : "Unknown");

to 

double value =  (double) (ta ? (float) (ta->tm_gmtoff / 3600) : 0);

php_error_docref(NULL TSRMLS_CC, E_STRICT, DATE_TZ_ERRMSG "We selected '%s' for '%s/%.1f/%s' instead", tzid, ta ? ta->tm_zone : "Unknown", value, ta ? (ta->tm_isdst ? "DST" : "no DST") : "Unknown");

does not change anything.
 [2009-04-29 14:16 UTC] ch dot maurer at gmx dot de
I get something similar when calling 'gettimeofday(true)'.
This php script

info.php
<?php
print gettimeofday(true);
?>

produces this error on the embedded ppc device:
# php -f info.php                                   
Fatal error: Balloc() allocation exceeds list boundary in /.../info.php on line 5

Here is some gdb trace.
We end up in _php_gettimeofday(), and then:

(gdb) break zend_dtoa
Breakpoint 1 at 0x1015c4e0: file /.../php/ppc/php-5.2.8/Zend/zend_strtod.c, line 1485.
(gdb) break php_gcvt
Breakpoint 2 at 0x100f5364: file /.../php/ppc/php-5.2.8/main/snprintf.c, line 142.
(gdb) c
Continuing.

Breakpoint 2, php_gcvt (value=1241016759.4940989, ndigit=14, dec_point=46 '.', exponent=69 'E', buf=0xbffd4d8d "")
    at /.../php/ppc/php-5.2.8/main/snprintf.c:142
(gdb)c
Continuing.

Breakpoint 1, zend_dtoa (_d=1241016759.4940989, mode=2, ndigits=14, decpt=0xbffd4d48, sign=0xbffd4d4c, rve=0x0)
    at /.../php/ppc/php-5.2.8/Zend/zend_strtod.c:1485

It loops around the code in zend_dtoa for several seconds, then enters

Breakpoint 2, pow5mult (b=0x10368e58, k=359312503) at /home/christoph/php/ppc/php-5.2.8/Zend/zend_strtod.c:788

(gdb) info args
b = (Bigint *) 0x10368e58
k = 359312503
(gdb) print *b
$2 = {next = 0xfd5c26c, k = 1, maxwds = 2, sign = 0, wds = 1, x = {1}}
 then I get 

Fatal error: Balloc() allocation exceeds list boundary in /.../info.php on line 5
 [2015-01-19 23:02 UTC] derick@php.net
-Status: Assigned +Status: Not a bug
 [2015-01-19 23:02 UTC] derick@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

This code no longer exists in PHP 5.4 and up. Closing it.
 
Last updated: Fri Mar 29 07:01:28 2024 UTC