[1999-02-05 06:32 UTC] sas
  [2025-10-06 06:47 UTC] git@php.net
An Update:

Matt Cox, Jerry Karasz, and I have spent some time debugging the problem I found with the PHP function str_replace. We believe we have determined the problem that is causing php3 to segfault.

In the function _php3_str_to_str in string.c, in the second block of code commented "if there is a rest, copy it", if realloc returns a different pointer, you need to also recompute 's' since 'q' has changed. Please see my patch below.

Thanks,
Greg Riggs
griggs@lata.com
Los Alamos Technical Associates

----- patch file --------- cut here ----------------------
diff -C 10 string.c.orig string.c *** string.c.orig Thu Feb 4 13:48:50 1999 --- string.c Thu Feb 4 13:58:53 1999 *************** *** 1380,1399 **** --- 1380,1401 ---- /* if there is a rest, copy it */ if((end - p) > 0) { s = (q) + (end - p); off = realloc(new, s - new + 1); if(off != new) { if(!off) { goto finish; } q += off - new; new = off; + /* need to recompute s also, since q has changed */ + s = (q) + (end - p); } memcpy(q, p, end - p); q = s; } finish: *q = '\0'; if(_new_length) *_new_length = q - new; return new; }
----- cut here --------------------------------------

Hi,

The program below causes a reproducible crash under OpenBSD 2.4

I built PHP using the latest CVS as of Feb 1, 1999, and the str_replace function is still causing PHP to crash (please see BugID #1028).

Thanks,
Greg Riggs
griggs@lata.com

bash-2.02$ cat hack.php3
#!/home/gkr/php
<?
for($i=0; $i<3; $i++) {
  $needle = 'needleneedle';
  $haystack = 'haystackhaystack';
  print "needle=|$needle|\n";
  print "hystack=|$haystack|\n";
  $foo = str_replace($needle, '', $haystack);
  $foolen = strlen($foo);
  print "foolen=|$foolen|\n";
  print "loop **** $i ****\n";
}
?>

bash-2.02$ gdb php
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd2.4"...
(gdb) run hack.php3
Starting program: /home/gkr/php hack.php3
Content-type: text/html

needle=|needleneedle|
hystack=|haystackhaystack|
foolen=|242704|
loop **** 0 ****
needle=|needleneedle|
hystack=|haystackhaystack|

Program received signal SIGSEGV, Segmentation fault.
0x400e450f in tcgetattr ()
(gdb) where
#0 0x400e450f in tcgetattr ()
#1 0x400e482a in tcgetattr ()
#2 0x400e4f64 in malloc ()
#3 0x278bd in _emalloc (size=4294652113, filename=0x4142a "functions/string.c", lineno=1425) at alloc.c:129
#4 0x4332d in php3_str_replace (ht=0x7b218, return_value=0x5e374, list=0x707ac, plist=0x706fc) at functions/string.c:1425
#5 0xce90 in phpparse () at control_structures_inline.h:930
#6 0x1fe2a in php3_parse (yyin=0x4012800c) at main.c:1534
#7 0x20cc5 in main (argc=2, argv=0xefbfdcb4) at main.c:1842
(gdb)
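
Review bot: In the "if(off != new)" branch of the patch above, "q += off - new;" subtracts pointers into two different allocations, and realloc has already released "new" by the time that branch runs, so the added "s = (q) + (end - p);" is recomputed from a q whose value C does not define. Save the write offset before the call (for example "size_t qoff = q - new;"), set "q = off + qoff" afterwards, and compute s once after the branch, which also removes the duplicated expression. Separately, on the "!off" path "goto finish" returns a truncated string with no indication to the caller that the allocation failed; consider reporting the failure instead.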
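
The stale-pointer problem described in the update above, as an added C example that is not part of the original report or of PHP's string.c. The names replace_all and moving_realloc are hypothetical, and moving_realloc is an assumed test helper that always relocates the buffer so the moved-block case runs on every call. The example goes beyond the single "rest" block by tracking the write position as an offset throughout, and main uses the inputs from hack.php3.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for realloc() that always relocates the block, so the
 * "realloc returned a different pointer" path is exercised on every call. */
static char *moving_realloc(char *old, size_t used, size_t new_size)
{
    char *fresh = malloc(new_size);
    if (fresh == NULL) return NULL;
    memcpy(fresh, old, used);   /* used < new_size at every call site */
    free(old);
    return fresh;
}

/* Replace each needle in hay with repl. The write position is the offset
 * 'used', never a pointer, so nothing goes stale when the buffer moves. */
char *replace_all(const char *hay, const char *needle, const char *repl,
                  size_t *out_len)
{
    size_t nlen = strlen(needle), rlen = strlen(repl), used = 0;
    const char *p = hay, *end = hay + strlen(hay);
    char *buf = nlen ? malloc(1) : NULL;   /* empty needle is rejected */
    if (buf == NULL) return NULL;
    while (p < end) {
        const char *hit = strstr(p, needle);
        size_t keep = hit ? (size_t)(hit - p) : (size_t)(end - p);
        size_t add = keep + (hit ? rlen : 0);
        /* Grow first; addresses inside buf are formed only afterwards. */
        char *grown = moving_realloc(buf, used, used + add + 1);
        if (grown == NULL) { free(buf); return NULL; }
        buf = grown;
        memcpy(buf + used, p, keep);
        if (hit) memcpy(buf + used + keep, repl, rlen);
        used += add;
        p += keep + (hit ? nlen : 0);
    }
    buf[used] = '\0';
    if (out_len) *out_len = used;
    return buf;
}

int main(void)
{   /* Inputs from the report's hack.php3: no match, so only the rest is copied. */
    size_t n = 0;
    char *r = replace_all("haystackhaystack", "needleneedle", "", &n);
    if (r) printf("%s len=%zu\n", r, n);
    free(r);
    return 0;
}
```

Because every address is derived from buf after the allocation call returns, the length reported to the caller is always the number of bytes actually written.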