Bug #60733 strtotime bug in php 5.3.9
Submitted: 2012-01-12 21:29 UTC Modified: 2012-01-13 01:37 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: paul at minimoo dot org
Assigned: gui
Status: Closed
Package: Reproducible crash
PHP Version: 5.3.9
OS: linux(debian)-64bit
Private report: No
CVE-ID: None
 [2012-01-12 21:29 UTC] paul at minimoo dot org
Description:
------------
Since upgrading [using dotdeb.org compiled version of php] from php 5.3.8 to php 5.3.9, strtotime appears to crash. This occurs for me on 2 VMs, minimised to 1 line of php.

Valgrind/GDB output attached

Test script:
---------------
<?php
echo strtotime('2011-01-1 00:00 UTC');

Actual result:
--------------
valgrind /usr/bin/php test.php
==25725== Memcheck, a memory error detector
==25725== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==25725== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==25725== Command: /usr/bin/php test.php
==25725==
1293840000==25725== Invalid read of size 8
==25725==    at 0x45D494: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4A8: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb0 is 32 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4BE: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb8 is 40 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4D4: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc0 is 48 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4EA: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc8 is 56 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D500: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfd0 is 64 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D516: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcff8 is 104 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid free() / delete / delete[]
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)


------------------------------------


1293840000*** glibc detected *** /usr/bin/php: corrupted double-linked list: 0x0000000001076b30 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ad6)[0x7ffff4cc5ad6]
/lib/libc.so.6(+0x71f0d)[0x7ffff4cc5f0d]
/lib/libc.so.6(+0x73418)[0x7ffff4cc7418]
/lib/libc.so.6(cfree+0x6c)[0x7ffff4cca84c]
/usr/bin/php[0x6e4121]
/usr/bin/php(php_request_shutdown+0x306)[0x66fd26]
/usr/bin/php[0x754800]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ffff4c72c4d]
/usr/bin/php[0x42f7e9]
======= Memory map: ========

gdb BT full @ http://pastebin.com/3gQpsRng
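
A triage helper for Memcheck output like the trace above, added here as an example (it is not part of the original report, PHP, or Valgrind). It groups each error by the freed heap block it lands in and names the function that freed the block; the sample is a constructed, condensed excerpt of the report's output, and `triage` and `verdicts` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the Memcheck output in the report above.
SAMPLE = """\
1293840000==25725== Invalid read of size 8
==25725==    at 0x45D4A8: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==  Address 0x8bdcfb0 is 32 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==
==25725== Invalid free() / delete / delete[]
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
"""

PREFIX = re.compile(r"^.*?==\d+==\s*")  # also drops script output fused onto the line
ERROR = re.compile(r"Invalid (read|write|free)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
BLOCK = re.compile(r"Address (0x[0-9a-fA-F]+) is (\d+) bytes inside a block of size (\d+) free'd")

def triage(log):
    """Group Memcheck errors by the start address of the freed block they touch."""
    blocks = defaultdict(lambda: {"size": 0, "freed_by": None, "errors": []})
    kind, user, cur = None, None, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        if m := ERROR.match(line):
            kind, user, cur = m.group(1), None, None
        elif m := BLOCK.match(line):
            base = int(m.group(1), 16) - int(m.group(2))  # start of the freed block
            cur = blocks[base]
            cur["size"] = int(m.group(3))
            cur["errors"].append((kind, user, int(m.group(2))))
        elif (m := FRAME.match(line)) and m.group(1) != "free":
            if kind and cur is None and user is None:
                user = m.group(1)  # first non-allocator frame of the bad access
            elif cur is not None and cur["freed_by"] is None:
                cur["freed_by"] = m.group(1)  # first non-allocator frame of the earlier free
    return dict(blocks)

def verdicts(block):
    kinds = {k for k, _, _ in block["errors"]}
    return [v for v, ks in (("use-after-free", {"read", "write"}), ("double free", {"free"})) if kinds & ks]
```

Run over the full trace in the report, all seven invalid reads and the invalid free resolve to the same 112-byte block at 0x8bdcf90, freed in `zif_strtotime` and touched again during `zm_deactivate_date` at request shutdown.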

 [2012-01-12 22:37 UTC] paul at minimoo dot org
This is looking like it may be an issue with the dotdeb.org build of 5.3.9 - have had 3-4 people confirm that this code breaks with the .deb files at http://dotdeb.mirror.somersettechsolutions.co.uk/dists/stable/php5/binary-amd64/ 

and 2 people unable to reproduce from a build from latest svn
 [2012-01-12 22:37 UTC] paul at minimoo dot org
-Status: Open +Status: Closed
 [2012-01-12 22:38 UTC] gui@php.net
-Status: Closed +Status: Assigned -Assigned To: +Assigned To: gui
 [2012-01-12 22:38 UTC] gui@php.net
It seems to be a Dotdeb-specific issue, I'm looking for a fix. No need to post it 
here without warning me first.
 [2012-01-13 01:37 UTC] gui@php.net
-Status: Assigned +Status: Closed
 [2012-01-13 01:37 UTC] gui@php.net
This issue has been fixed in the latest Dotdeb packages. Be sure to upgrade at least:
  * to 5.3.9-0~dotdeb.3 if you're running Squeeze 
  * to 5.3.9-0~dotdeb.2 if you're running Lenny

Please send future Dotdeb-specific issues directly on http://www.dotdeb.org/ or 
on my email.
Last updated: Wed Jul 16 16:01:34 2025 UTC