PHP :: Bug #36079 :: Crash in session encode

Bug #36079	Crash in session encode
Submitted:	2006-01-19 10:35 UTC	Modified:	2006-01-19 14:44 UTC
From:	njewell at matrix-data dot co dot uk	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	5CVS-2006-01-19 (snap)	OS:	Windows XP
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	njewell at matrix-data dot co dot uk
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-01-19 10:35 UTC] njewell at matrix-data dot co dot uk

Description:
------------
I am seeing Apache crash upon saving a session.  This is reproducable in 5.0.5, 5.1.x and current snap.

PHP is configured as php.ini-recommended, but with:

curl, gd2 on
display errors on
correct session save path


Actual result:
--------------
php5ts.dll!zend_hash_internal_pointer_reset_ex(_hashtable * ht=0x3e612f3c, bucket * * pos=0x00000000)  Line 1000 + 0x4	C
 	php5ts.dll!ps_srlzr_encode_php(char * * newstr=0x00913eb4, int * newlen=0x0546fa44, void * * * tsrm_ls=0x0546fa68)  Line 483 + 0x20	C
 	php5ts.dll!php_session_encode(int * newlen=0x00f6ffe0, void * * * tsrm_ls=0x00bf8a60)  Line 571 + 0xe	C
 	php5ts.dll!php_session_flush(void * * * tsrm_ls=0x00f6ffe0)  Line 1806 + 0x6	C
 	php5ts.dll!zm_deactivate_session(int type=1, int module_number=11, void * * * tsrm_ls=0x00f6ffe0)  Line 1821	C
 	php5ts.dll!module_registry_cleanup(_zend_module_entry * module=0x0068baf0, void * * * tsrm_ls=0x00f6ffe0)  Line 1797 + 0x11	C
 	php5ts.dll!zend_hash_apply(_hashtable * ht=0x007e24bd, int (void *, void * * *)* apply_func=0x00bf8a60, void * * * tsrm_ls=0x007e70e0)  Line 664 + 0x7	C
 	php5ts.dll!zend_deactivate_modules(void * * * tsrm_ls=0x00f6ffe0)  Line 824 + 0x10	C
 	php5ts.dll!php_request_shutdown(void * dummy=0x00000000)  Line 1267	C
 	php5apache2.dll!php_apache_request_dtor(request_rec * r=0x012d37e0, void * * * tsrm_ls=0x00f6ffe0)  Line 442 + 0x8	C
 	php5apache2.dll!php_handler(request_rec * r=0x012d37e0)  Line 602	C
 	libhttpd.dll!ap_run_handler(request_rec * r=0x012d37e0)  Line 153 + 0x1f	C
 	libhttpd.dll!ap_invoke_handler(request_rec * r=0x6ff09a56)  Line 368	C
 	libhttpd.dll!ap_process_http_connection(conn_rec * c=0x6ff0426f)  Line 251 + 0x6	C
 	libhttpd.dll!ap_run_process_connection(conn_rec * c=0x012619d8)  Line 43 + 0x1f	C
 	libhttpd.dll!ap_process_connection(conn_rec * c=0x012619d8, void * csd=0x01261908)  Line 176 + 0x6	C
 	libhttpd.dll!worker_main(void * thread_num_val=0x77c3a3b0)  Line 733	C
 	msvcrt.dll!77c3a3b0() 	
 	kernel32.dll!7c80b50b()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-01-19 14:38 UTC] njewell at matrix-data dot co dot uk

Code to reproduce:

<?php
function r($a = array(), $l = 0)
{
        if ($l == 5) return;
        $a = array(0, 1);
        for ($i=0; $i<count($a); $i++)
                $a[$i] = r($a, $l+1);
        return $a;
}

session_name("foo");
session_start();

for ($i=0;$i<1000;$i++)
        $_SESSION['STUFF_'.$i] = r();

// Kills PHP
foreach ($_SESSION as $key => $value)
        unset($_SESSION[$key]);

// Works
//foreach (array_keys($_SESSION) as $key)
//      unset($_SESSION[$key]);
?>

[2006-01-19 14:44 UTC] sniper@php.net

You simply run out of memory and stack. No real bug here. 
free hint: Don't do that.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 18:00:01 2025 UTC