php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #67644 Memory corruption & crash during ob_start function callback
Submitted: 2014-07-17 16:39 UTC Modified: 2021-06-20 04:22 UTC
Votes:9
Avg. Score:4.1 ± 0.9
Reproduced:6 of 7 (85.7%)
Same Version:4 (66.7%)
Same OS:4 (66.7%)
From: jocelyn dot fournier at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.4.30 OS: Mac OS X
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jocelyn dot fournier at gmail dot com
New email:
PHP Version: OS:

 

 [2014-07-17 16:39 UTC] jocelyn dot fournier at gmail dot com 
Description:
------------
Hi,

When accessing a amqplib function inside an ob_start() callback function, PHP memory is badly corrupted and eventually crashes.

Even the backtrace is random :
E.g. :

* thread #1: tid = 0x665749, 0x00000001004fb525 php54debug`_efree(ptr=0x0000000102af1778, __zend_filename=0x0000000100a2088d, __zend_lineno=357, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) + 85 at zend_alloc.c:2432, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00000001004fb525 php54debug`_efree(ptr=0x0000000102af1778, __zend_filename=0x0000000100a2088d, __zend_lineno=357, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) + 85 at zend_alloc.c:2432
   2429	{
   2430		TSRMLS_FETCH();
   2431	
-> 2432		if (UNEXPECTED(!AG(mm_heap)->use_zend_alloc)) {
   2433			AG(mm_heap)->_free(ptr);
   2434			return;
   2435		}
(lldb) bt
* thread #1: tid = 0x665749, 0x00000001004fb525 php54debug`_efree(ptr=0x0000000102af1778, __zend_filename=0x0000000100a2088d, __zend_lineno=357, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) + 85 at zend_alloc.c:2432, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00000001004fb525 php54debug`_efree(ptr=0x0000000102af1778, __zend_filename=0x0000000100a2088d, __zend_lineno=357, __zend_orig_filename=0x0000000000000000, __zend_orig_lineno=0) + 85 at zend_alloc.c:2432
    frame #1: 0x0000000100532307 php54debug`destroy_op_array(op_array=0x0000000102eca310, tsrm_ls=0x0000000102c00070) + 183 at zend_opcode.c:357
    frame #2: 0x0000000100532231 php54debug`destroy_zend_function(function=0x0000000102eca310, tsrm_ls=0x0000000102c00070) + 81 at zend_opcode.c:112
    frame #3: 0x0000000100532733 php54debug`zend_function_dtor(function=0x0000000102eca310) + 51 at zend_opcode.c:124
    frame #4: 0x000000010055d89e php54debug`zend_hash_destroy(ht=0x0000000102c00650) + 126 at zend_hash.c:560
    frame #5: 0x0000000100544b88 php54debug`compiler_globals_dtor(compiler_globals=0x0000000102c006b0, tsrm_ls=0x0000000102c00070) + 56 at zend.c:538
    frame #6: 0x0000000100466007 php54debug`tsrm_shutdown + 263 at TSRM.c:180
    frame #7: 0x00000001006184dc php54debug`main(argc=2, argv=0x00007fff5fbffab8) + 2220 at php_cli.c:1386

or

* thread #1: tid = 0x666260, 0x0000000100471d26 php54debug`php_message_handler_for_zend(message=6, data=0x0000000000000000, tsrm_ls=0x0000000102c00070) + 1542 at main.c:1458, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x40)
    frame #0: 0x0000000100471d26 php54debug`php_message_handler_for_zend(message=6, data=0x0000000000000000, tsrm_ls=0x0000000102c00070) + 1542 at main.c:1458
   1455					datetime_str = php_asctime_r(ta, asctimebuf);
   1456					if (datetime_str) {
   1457						datetime_str[strlen(datetime_str)-1]=0;	/* get rid of the trailing newline */
-> 1458						snprintf(memory_leak_buf, sizeof(memory_leak_buf), "[%s]  Script:  '%s'\n", datetime_str, SAFE_FILENAME(SG(request_info).path_translated));
   1459					} else {
   1460						snprintf(memory_leak_buf, sizeof(memory_leak_buf), "[null]  Script:  '%s'\n", SAFE_FILENAME(SG(request_info).path_translated));
   1461					}
(lldb) bt
* thread #1: tid = 0x666260, 0x0000000100471d26 php54debug`php_message_handler_for_zend(message=6, data=0x0000000000000000, tsrm_ls=0x0000000102c00070) + 1542 at main.c:1458, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x40)
  * frame #0: 0x0000000100471d26 php54debug`php_message_handler_for_zend(message=6, data=0x0000000000000000, tsrm_ls=0x0000000102c00070) + 1542 at main.c:1458
    frame #1: 0x0000000100545dea php54debug`zend_message_dispatcher(message=6, data=0x0000000000000000, tsrm_ls=0x0000000102c00070) + 58 at zend.c:972
    frame #2: 0x00000001004fa85f php54debug`zend_mm_check_ptr(heap=0x0000000103802200, ptr=0x0000000102af5f98, silent=0, __zend_filename=0x0000000100a2088d, __zend_lineno=378, __zend_orig_filename=0x0000000100a20b7a, __zend_orig_lineno=36) + 191 at zend_alloc.c:1348
    frame #3: 0x00000001004faa69 php54debug`zend_mm_check_ptr(heap=0x0000000103802200, ptr=0x0000000102af5f98, silent=1, __zend_filename=0x0000000100a2088d, __zend_lineno=378, __zend_orig_filename=0x0000000100a20b7a, __zend_orig_lineno=36) + 713 at zend_alloc.c:1385
    frame #4: 0x00000001004f8d6a php54debug`_zend_mm_free_int(heap=0x0000000103802200, p=0x0000000102af5f98, __zend_filename=0x0000000100a2088d, __zend_lineno=378, __zend_orig_filename=0x0000000100a20b7a, __zend_orig_lineno=36) + 74 at zend_alloc.c:2064
    frame #5: 0x00000001004fb590 php54debug`_efree(ptr=0x0000000102af5f98, __zend_filename=0x0000000100a2088d, __zend_lineno=378, __zend_orig_filename=0x0000000100a20b7a, __zend_orig_lineno=36) + 192 at zend_alloc.c:2436
    frame #6: 0x0000000100540128 php54debug`_zval_dtor_func(zvalue=0x0000000102af4660, __zend_filename=0x0000000100a2088d, __zend_lineno=378) + 184 at zend_variables.c:36
    frame #7: 0x000000010053354c php54debug`_zval_dtor(zvalue=0x0000000102af4660, __zend_filename=0x0000000100a2088d, __zend_lineno=378) + 60 at zend_variables.h:35
    frame #8: 0x0000000100532444 php54debug`destroy_op_array(op_array=0x0000000102af5d88, tsrm_ls=0x0000000102c00070) + 500 at zend_opcode.c:378
    frame #9: 0x0000000100532231 php54debug`destroy_zend_function(function=0x0000000102af5d88, tsrm_ls=0x0000000102c00070) + 81 at zend_opcode.c:112
    frame #10: 0x0000000100532733 php54debug`zend_function_dtor(function=0x0000000102af5d88) + 51 at zend_opcode.c:124
    frame #11: 0x000000010055d89e php54debug`zend_hash_destroy(ht=0x0000000102af1300) + 126 at zend_hash.c:560
    frame #12: 0x0000000100533278 php54debug`destroy_zend_class(pce=0x0000000102d06f98) + 552 at zend_opcode.c:296
    frame #13: 0x000000010055d89e php54debug`zend_hash_destroy(ht=0x000000010511c440) + 126 at zend_hash.c:560
    frame #14: 0x0000000100544bc3 php54debug`compiler_globals_dtor(compiler_globals=0x0000000102d00890, tsrm_ls=0x0000000102c00070) + 115 at zend.c:542
    frame #15: 0x0000000100466007 php54debug`tsrm_shutdown + 263 at TSRM.c:180
    frame #16: 0x00000001006184dc php54debug`main(argc=2, argv=0x00007fff5fbffab8) + 2220 at php_cli.c:1386

Test script:
---------------
To reproduce, clone this repository :

https://github.com/jocel1/php5.4-crash

and execute php app_test.php

Note : you should have a rabbitmq server running (the script is using the default rabbitmq params : localhost, port 5672, user : guest, password : guest, vhost : '/')


Expected result:
----------------
No crash !

Actual result:
--------------
Result in debug : 

/opt/local/php54-debug/bin/php54debug app_test.php                                                                                                                          <18:34:17
barPHP Fatal error:  Access to undeclared static property: PhpAmqpLib\Channel\AbstractChannel::$PROTOCOL_CONSTANTS_CLASS in /Users/jocelynfournier/Documents/workspace/sylius/web/bug/libs/php-amqplib-2.4.0/PhpAmqpLib/Channel/AbstractChannel.php on line 276
zsh: segmentation fault

Result without debug :

php app_test.php                                                                                                                                                            <18:34:47
barzsh: segmentation fault

Result with php 5.5.13 : 
barPHP Fatal error:  Access to undeclared static property: PhpAmqpLib\Channel\AbstractChannel::$PROTOCOL_CONSTANTS_CLASS in /Users/jocelynfournier/Documents/workspace/sylius/web/bug/libs/php-amqplib-2.4.0/PhpAmqpLib/Channel/AbstractChannel.php on line 276

Fatal error: Access to undeclared static property: PhpAmqpLib\Channel\AbstractChannel::$PROTOCOL_CONSTANTS_CLASS in /Users/jocelynfournier/Documents/workspace/sylius/web/bug/libs/php-amqplib-2.4.0/PhpAmqpLib/Channel/AbstractChannel.php on line 276
zend_mm_heap corrupted
zsh: segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-07-17 16:44 UTC] jocelyn dot fournier at gmail dot com
-Summary: Memory corruption & crash +Summary: Memory corruption & crash during ob_start function callback
 [2014-07-17 16:44 UTC] jocelyn dot fournier at gmail dot com 
better title
 [2014-07-17 21:40 UTC] yohgaki@php.net
-Assigned To: +Assigned To: mike
 [2014-07-17 21:50 UTC] jocelyn dot fournier at gmail dot com 
Part of valgrind output from PHP 5.5 :

==2715== Invalid read of size 8
==2715==    at 0x8DC6A8: _efree (zend_alloc.c:2436)
==2715==    by 0x91120F: destroy_op_array (zend_opcode.c:361)
==2715==    by 0x9104AF: destroy_zend_function (zend_opcode.c:116)
==2715==    by 0x9104E6: zend_function_dtor (zend_opcode.c:128)
==2715==    by 0x935A80: zend_hash_destroy (zend_hash.c:560)
==2715==    by 0x91F04B: compiler_globals_dtor (zend.c:539)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715==  Address 0xd1a3060 is 0 bytes inside a block of size 8 free'd
==2715==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2715==    by 0x858B3B: tsrm_shutdown (TSRM.c:182)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715== 
==2715== Invalid read of size 4
==2715==    at 0x8DC6AB: _efree (zend_alloc.c:2436)
==2715==    by 0x91120F: destroy_op_array (zend_opcode.c:361)
==2715==    by 0x9104AF: destroy_zend_function (zend_opcode.c:116)
==2715==    by 0x9104E6: zend_function_dtor (zend_opcode.c:128)
==2715==    by 0x935A80: zend_hash_destroy (zend_hash.c:560)
==2715==    by 0x91F04B: compiler_globals_dtor (zend.c:539)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715==  Address 0xd1a3100 is 0 bytes inside a block of size 2,224 free'd
==2715==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2715==    by 0x8D9DD6: zend_mm_shutdown (zend_alloc.c:1688)
==2715==    by 0x8DCF40: shutdown_memory_manager (zend_alloc.c:2718)
==2715==    by 0x8DD028: alloc_globals_dtor (zend_alloc.c:2740)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715== 
==2715== Invalid read of size 8
==2715==    at 0x8DC708: _efree (zend_alloc.c:2440)
==2715==    by 0x91120F: destroy_op_array (zend_opcode.c:361)
==2715==    by 0x9104AF: destroy_zend_function (zend_opcode.c:116)
==2715==    by 0x9104E6: zend_function_dtor (zend_opcode.c:128)
==2715==    by 0x935A80: zend_hash_destroy (zend_hash.c:560)
==2715==    by 0x91F04B: compiler_globals_dtor (zend.c:539)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715==  Address 0xd1a3060 is 0 bytes inside a block of size 8 free'd
==2715==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2715==    by 0x858B3B: tsrm_shutdown (TSRM.c:182)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715== 
==2715== Invalid read of size 8
==2715==    at 0x8D91C5: zend_mm_check_ptr (zend_alloc.c:1374)
==2715==    by 0x8DB02F: _zend_mm_free_int (zend_alloc.c:2068)
==2715==    by 0x8DC72B: _efree (zend_alloc.c:2440)
==2715==    by 0x91120F: destroy_op_array (zend_opcode.c:361)
==2715==    by 0x9104AF: destroy_zend_function (zend_opcode.c:116)
==2715==    by 0x9104E6: zend_function_dtor (zend_opcode.c:128)
==2715==    by 0x935A80: zend_hash_destroy (zend_hash.c:560)
==2715==    by 0x91F04B: compiler_globals_dtor (zend.c:539)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715==  Address 0xd1e27c8 is 257,496 bytes inside a block of size 262,144 free'd
==2715==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2715==    by 0x8D79AA: zend_mm_mem_malloc_free (zend_alloc.c:297)
==2715==    by 0x8D9D99: zend_mm_shutdown (zend_alloc.c:1683)
==2715==    by 0x8DCF40: shutdown_memory_manager (zend_alloc.c:2718)
==2715==    by 0x8DD028: alloc_globals_dtor (zend_alloc.c:2740)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)

[...]

==2715== Invalid read of size 8
==2715==    at 0x861009: php_message_handler_for_zend (main.c:1458)
==2715==    by 0x920750: zend_message_dispatcher (zend.c:973)
==2715==    by 0x8D90D6: zend_mm_check_ptr (zend_alloc.c:1352)
==2715==    by 0x8D92F0: zend_mm_check_ptr (zend_alloc.c:1389)
==2715==    by 0x8DB02F: _zend_mm_free_int (zend_alloc.c:2068)
==2715==    by 0x8DC72B: _efree (zend_alloc.c:2440)
==2715==    by 0x935B72: zend_hash_destroy (zend_hash.c:568)
==2715==    by 0x910EE8: destroy_zend_class (zend_opcode.c:298)
==2715==    by 0x935A80: zend_hash_destroy (zend_hash.c:560)
==2715==    by 0x91F088: compiler_globals_dtor (zend.c:543)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==2715== 
==2715== 
==2715== Process terminating with default action of signal 11 (SIGSEGV)
==2715==  Access not within mapped region at address 0x40
==2715==    at 0x861009: php_message_handler_for_zend (main.c:1458)
==2715==    by 0x920750: zend_message_dispatcher (zend.c:973)
==2715==    by 0x8D90D6: zend_mm_check_ptr (zend_alloc.c:1352)
==2715==    by 0x8D92F0: zend_mm_check_ptr (zend_alloc.c:1389)
==2715==    by 0x8DB02F: _zend_mm_free_int (zend_alloc.c:2068)
==2715==    by 0x8DC72B: _efree (zend_alloc.c:2440)
==2715==    by 0x935B72: zend_hash_destroy (zend_hash.c:568)
==2715==    by 0x910EE8: destroy_zend_class (zend_opcode.c:298)
==2715==    by 0x935A80: zend_hash_destroy (zend_hash.c:560)
==2715==    by 0x91F088: compiler_globals_dtor (zend.c:543)
==2715==    by 0x858B1C: tsrm_shutdown (TSRM.c:180)
==2715==    by 0x9E4B7B: main (php_cli.c:1399)
==2715==  If you believe this happened as a result of a stack
==2715==  overflow in your program's main thread (unlikely but
==2715==  possible), you can try to increase the size of the
==2715==  main thread stack using the --main-stacksize= flag.
==2715==  The main thread stack size used in this run was 8388608.
==2715== 
==2715== HEAP SUMMARY:
==2715==     in use at exit: 636,155 bytes in 5,094 blocks
==2715==   total heap usage: 28,246 allocs, 23,152 frees, 6,173,404 bytes allocated
==2715== 
==2715== LEAK SUMMARY:
==2715==    definitely lost: 0 bytes in 0 blocks
==2715==    indirectly lost: 0 bytes in 0 blocks
==2715==      possibly lost: 0 bytes in 0 blocks
==2715==    still reachable: 636,155 bytes in 5,094 blocks
==2715==         suppressed: 0 bytes in 0 blocks
==2715== Rerun with --leak-check=full to see details of leaked memory
==2715== 
==2715== For counts of detected and suppressed errors, rerun with: -v
==2715== ERROR SUMMARY: 5974 errors from 288 contexts (suppressed: 0 from 0)
 [2014-07-19 00:24 UTC] yohgaki@php.net 
This may not be a output control bug..
Could you try 5.5 also?
 [2014-07-19 06:00 UTC] jocelyn dot fournier at gmail dot com 
5.5.13 crashes as well
 [2014-07-19 06:11 UTC] jocelyn dot fournier at gmail dot com 
If I slightly modify the script to run the asynchronous_write function inside a register_shutdown_function instead of ob_start, it doesn't crash anymore :

<?php
use PhpAmqpLib\Connection\AMQPConnection;

class queue {
	private static $instance = null;
	private $connection = null;
	private $channel = null;

	public static function instance() {
		if (self::$instance == null) {
			self::$instance = new self();
		}
		return self::$instance;
	}

	private function __construct() {
		require_once __DIR__.'/libs/php-amqplib-2.4.0/vendor/autoload.php';
		$this->connection = new AMQPConnection('localhost', '5672', 'guest', 'guest', '/');
	}

	public function asynchronous_write() {
		if (!$this->connection) return;
		if ($this->channel == null) {
			$this->channel = $this->connection->channel();
		}
	}
}

register_shutdown_function('async');
ob_start('foo');
echo 'bar';

function async() {
	queue::instance()->asynchronous_write();
}

function foo($content, $mode = 5) {
	return $content;
}
exit;
 [2014-08-24 17:14 UTC] jocelyn dot fournier at gmail dot com 
Hi,

Any progress on this issue ?
Using register_shutdown_function() + ob_start() as a workaround doesn't work for all the cases. Indeed, I are have cases where ob_start() is called before register_shutdown_function(), even with the PHP_OUTPUT_HANDLER_REMOVABLE flag in ob_start().

Thanks,
 [2014-08-29 07:50 UTC] stas@php.net 
It would help a lot if there was a reproducing case that does not require running rabbitmq server. You say you have different cases reproducing it, can any of them be cut down so that actual amqp server is not needed to reproduce?
 [2014-08-29 14:42 UTC] jocelyn dot fournier at gmail dot com 
I've just modified the code on https://github.com/jocel1/php5.4-crash to not require a working AMQP server.
 [2014-08-31 00:45 UTC] stas@php.net 
Looking at the library, I see that it runs a lot of code from __destruct function which is called on shutdown. This is usually not the best idea as the services the object needs to run his code may be already partially shut down. I'll still see if it can be handled better, but I'm not sure if this code will actually work properly in this way.
 [2014-08-31 01:35 UTC] stas@php.net 
BTW, if you add a flush at the end of the script, this also fixes the issue.
 [2014-08-31 12:00 UTC] jocelyn dot fournier at gmail dot com 
Ok, so the register_shutdown + ob_start approach is the best way to do this, as long as we are sure register_shutdown is called before ob_start (which should always be the case).
I cannot use ob_flush() because my lib is loaded on auto_prepend_file.
 [2014-09-02 19:33 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=53fa6c5b6b5b09059ba54c8912d0c0aef57aa4ff
Log: Fix bug #67644 - Memory corruption &amp; crash during ob_start function callback
 [2014-09-02 19:33 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-09-02 21:19 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe551c089a7d309e3fa08513f1d1e287141cd202
Log: Revert &quot;Fix bug #67644 - Memory corruption &amp; crash during ob_start function callback&quot;
 [2014-09-02 21:20 UTC] stas@php.net
-Status: Closed +Status: Re-Opened
 [2014-09-02 21:20 UTC] stas@php.net 
had to revert the fix, breaks tests. Will look more into it.
 [2014-09-02 21:20 UTC] stas@php.net
-Assigned To: mike +Assigned To: stas
 [2014-10-07 23:13 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=fe551c089a7d309e3fa08513f1d1e287141cd202
Log: Revert &quot;Fix bug #67644 - Memory corruption &amp; crash during ob_start function callback&quot;
 [2014-10-07 23:13 UTC] stas@php.net
-Status: Re-Opened +Status: Closed
 [2014-10-07 23:13 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=53fa6c5b6b5b09059ba54c8912d0c0aef57aa4ff
Log: Fix bug #67644 - Memory corruption &amp; crash during ob_start function callback
 [2014-10-07 23:13 UTC] stas@php.net
-Status: Closed +Status: Re-Opened
 [2014-10-07 23:24 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=fe551c089a7d309e3fa08513f1d1e287141cd202
Log: Revert &quot;Fix bug #67644 - Memory corruption &amp; crash during ob_start function callback&quot;
 [2014-10-07 23:24 UTC] stas@php.net
-Status: Re-Opened +Status: Closed
 [2014-10-07 23:24 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=53fa6c5b6b5b09059ba54c8912d0c0aef57aa4ff
Log: Fix bug #67644 - Memory corruption &amp; crash during ob_start function callback
 [2014-10-07 23:24 UTC] stas@php.net
-Status: Closed +Status: Re-Opened
 [2017-10-24 05:10 UTC] kalle@php.net
-Status: Re-Opened +Status: Assigned
 [2017-10-24 05:54 UTC] stas@php.net
-Status: Assigned +Status: Open -Assigned To: stas +Assigned To:
 [2021-06-09 14:37 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-06-09 14:37 UTC] cmb@php.net 
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-06-20 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Oct 30 16:00:01 2025 UTC