php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28528 glob() causes apache to segfault
Submitted: 2004-05-26 16:23 UTC Modified: 2004-05-26 19:22 UTC
From: liamr at umich dot edu Assigned:
Status: Not a bug Package: Directory function related
PHP Version: 4.3.6 OS: linux 2.4.24
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: liamr at umich dot edu
New email:
PHP Version: OS:

 

 [2004-05-26 16:23 UTC] liamr at umich dot edu
Description:
------------
glob() causes apache to segfault consistantly..

LFS (linux from scratch) install based on 2.4.24
php 4.3.6
apache 1.3.31
gcc 3.3.1
libc 2.3.2

Reproduce code:
---------------
<?php

    $files = glob( '*' );
    print_r( $files );

?>


Expected result:
----------------
When I run this code on solaris, I get output like..

Array
(
    [0] => replacements.html
    [1] => add.php
    [2] => file.php
    [3] => docs
    [4] => gd.php
    [5] => glob.php
)

Actual result:
--------------
It dumps core everytime.  

(gdb) bt
#0  0x429def6c in zif_glob () from /usr/libexec/libphp4.so
#1  0x42a96093 in execute () from /usr/libexec/libphp4.so
#2  0x42a857b1 in zend_execute_scripts () from /usr/libexec/libphp4.so
#3  0x42a51b19 in php_execute_script () from /usr/libexec/libphp4.so
#4  0x42a9ae61 in apache_php_module_main () from /usr/libexec/libphp4.so
#5  0x42a9be27 in send_php () from /usr/libexec/libphp4.so
#6  0x42a9beac in send_parsed_php () from /usr/libexec/libphp4.so
#7  0x0808b1a6 in ap_invoke_handler ()
#8  0x080a1b53 in process_request_internal ()
#9  0x080a1bb0 in ap_process_request ()
#10 0x08098407 in child_main ()
#11 0x080986b6 in make_child ()
#12 0x0809875f in startup_children ()
#13 0x08098e74 in standalone_main ()
#14 0x0809973a in main ()
#15 0x401a08be in __libc_start_main (main=0x809939f <main>, argc=3, 
    ubp_av=0xbfffeab4, init=0x80d2700 <__libc_csu_init>, 
    fini=0x80d2730 <__libc_csu_fini>, rtld_fini=0x40015060 <_rtld_local>, 
    stack_end=0x0) at ../sysdeps/generic/libc-start.c:152


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-05-26 16:37 UTC] wez@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

please build a debug build and submit a new backtrace.
 [2004-05-26 18:27 UTC] liamr at umich dot edu
New backtrace ( php rebuilt w/ --with-debug ):

gdb httpd core
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public 
License, and you are
welcome to change it and/or distribute copies of it 
under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show 
warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Core was generated by `/usr/bin/httpd -f /etc/apache/
httpd.conf'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libssl.so.0.9.7...done.
Loaded symbols for /usr/lib/libssl.so.0.9.7
Reading symbols from /usr/lib/libcrypto.so.0.9.7...done.
Loaded symbols for /usr/lib/libcrypto.so.0.9.7
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /usr/libexec/mod_cosign.so...done.
Loaded symbols for /usr/libexec/mod_cosign.so
Reading symbols from /usr/local/krb5/lib/
libkrb4.so.2...done.
Loaded symbols for /usr/local/krb5/lib/libkrb4.so.2
Reading symbols from /usr/local/krb5/lib/
libkrb5.so.3...done.
Loaded symbols for /usr/local/krb5/lib/libkrb5.so.3
Reading symbols from /usr/local/krb5/lib/
libk5crypto.so.3...done.
Loaded symbols for /usr/local/krb5/lib/libk5crypto.so.3
---Type <return> to continue, or q <return> to quit---
Reading symbols from /usr/local/krb5/lib/
libcom_err.so.3...done.
Loaded symbols for /usr/local/krb5/lib/libcom_err.so.3
Reading symbols from /usr/local/krb5/lib/
libgssapi_krb5.so.2...done.
Loaded symbols for /usr/local/krb5/lib/
libgssapi_krb5.so.2
Reading symbols from /usr/local/krb5/lib/
libdes425.so.3...done.
Loaded symbols for /usr/local/krb5/lib/libdes425.so.3
Reading symbols from /usr/libexec/
mod_cronolog.so...done.
Loaded symbols for /usr/libexec/mod_cronolog.so
Reading symbols from /usr/libexec/libphp4-
debug.so...done.
Loaded symbols for /usr/libexec/libphp4-debug.so
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
#0  0x4285b274 in zif_glob (ht=1, 
return_value=0x8644ef4, this_ptr=0x0, 
    return_value_used=1) at /usr/src/php-4.3.6/ext/
standard/dir.c:407
407             strncpy(cwd, globbuf.gl_pathv[0], 
MAXPATHLEN);
(gdb) 
(gdb) bt
#0  0x4285b274 in zif_glob (ht=1, 
return_value=0x8644ef4, this_ptr=0x0, 
    return_value_used=1) at /usr/src/php-4.3.6/ext/
standard/dir.c:407
#1  0x4292932f in execute (op_array=0x86408ac)
    at /usr/src/php-4.3.6/Zend/zend_execute.c:1635
#2  0x42915b2c in zend_execute_scripts (type=8, 
retval=0x0, file_count=3)
    at /usr/src/php-4.3.6/Zend/zend.c:886
#3  0x428dac5e in php_execute_script 
(primary_file=0xbffff680)
    at /usr/src/php-4.3.6/main/main.c:1731
#4  0x4292eb86 in apache_php_module_main (r=0x8189f68, 
display_source_mode=0)
    at /usr/src/php-4.3.6/sapi/apache/sapi_apache.c:54
#5  0x4292fc11 in send_php (r=0x8189f68, 
display_source_mode=0, 
    filename=0x818bb08 "/home/liamr/Public/html/
glob.php")
    at /usr/src/php-4.3.6/sapi/apache/mod_php4.c:620
#6  0x4292fc96 in send_parsed_php (r=0x8189f68)
    at /usr/src/php-4.3.6/sapi/apache/mod_php4.c:635
#7  0x0808b1a6 in ap_invoke_handler ()
#8  0x080a1b53 in process_request_internal ()
#9  0x080a1bb0 in ap_process_request ()
#10 0x08098407 in child_main ()
#11 0x080986b6 in make_child ()
#12 0x0809875f in startup_children ()
#13 0x08098e74 in standalone_main ()
#14 0x0809973a in main ()
#15 0x401a08be in __libc_start_main (main=0x809939f 
<main>, argc=3, 
    ubp_av=0xbffffb24, init=0x80d2700 <__libc_csu_init>, 
    fini=0x80d2730 <__libc_csu_fini>, 
rtld_fini=0x40015060 <_rtld_local>, 
    stack_end=0x0) at ../sysdeps/generic/libc-start.c:
152
(gdb)
 [2004-05-26 18:31 UTC] iliaa@php.net
Can you please print the value of globbuf.gl_pathv and 
globbuf.gl_pathv[0] 
 [2004-05-26 18:50 UTC] liamr at umich dot edu
(gdb) p globbuf.gl_pathv
$1 = (char **) 0x304
(gdb) p globbuf.gl_pathv[0] 
Cannot access memory at address 0x304
 [2004-05-26 19:22 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

The problems seems to a memory corruption elsewhere as the 
libc function glob() does not return a valid pointer to a 
list of matching entries. In this case PHP has no way of 
determining whether or not the data returned is valid. 
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC