Bug #21376 ereg(..., $unsetVar) crashes Apache in emalloc() / ecalloc()
Submitted: 2003-01-02 21:23 UTC Modified: 2003-01-03 00:40 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mattb at columbia dot edu Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 4.3.0 OS: GNU/Linux 2.4.18-19.7.x (RedHat)
Private report: No CVE-ID: None
 [2003-01-02 21:23 UTC] mattb at columbia dot edu
ereg(..., null) is causing a crash in Apache, but not in command line mode. I'm using the following file in /path/to/htdocs/test.php:

    <?php
    define_syslog_variables();
    openlog('ereg() test', LOG_CONS | LOG_PERROR, LOG_USER);

    header("Content-Type: text/plain\r\n");
    syslog(LOG_ERR, "one\n");
    echo "one\n";
    ereg('wsdl', $unsetVariable);
    syslog(LOG_ERR, "two\n");
    echo "two\n";
    ?>

Nothing fancy, just trying to call ereg() with an unset variable as a second argument (the nusoap package at http://dietrich.ganx4.com/nusoap/ does this all over the place). This used to work just fine with 4.2.3.

If I run it from the 4.3.0 command line, it works as well:

    $ php test.php
    ereg() test: one
    X-Powered-By: PHP/4.1.2
    Content-Type: text/plain

    one
    ereg() test: two
    two

However, if I go to that page in a web browser, I get nothing back and this in the logs:

    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes
    ereg() test: one
    FATAL:  emalloc():  Unable to allocate 1449143544 bytes

The weird thing is that if I call ereg('', ''); once in the program before all other ereg() calls, everything works as before (shared state initialization? are these thread safe?).

I'm using apache_1.3.27, curl-7.10.2, libxml2-2.4.30, libxslt-1.0.23, mod_ssl-2.8.11-1.3.27, openssl-engine-0.9.6g, and php-4.3.0 (everything else comes from the most up-to-date RedHat 7.3 distro).

Here is my Apache 1.3.27 build configuration (pretty simple). I'm using 

    EAPI_MM=SYSTEM SSL_BASE="${ARENA_HOME}" ./configure \
        --disable-module=userdir \
        --enable-module=ssl \
        --enable-shared=ssl \
        --enable-shared=max \
        "--prefix=${ARENA_HOME}" \
        --with-layout=GNU

Here is my PHP 4.3.0 build configuration:

    EXTRA_LDFLAGS="-L/usr/X11R6/lib -lpthread" ./configure \
    --disable-short-tags \
    --disable-rpath \
    --disable-url-fopen-wrapper \
    --enable-bcmath \
    --enable-calendar \
    --enable-debugger \
    --enable-dio \
    --enable-discard-path \
    --enable-embed=shared \
    --enable-exif \
    --enable-force-cgi-redirect \
    --enable-ftp \
    --enable-inline-optimization \
    --enable-gd-native-ttf \
    --enable-magic-quotes \
    --enable-mailparse \
    --enable-memory-limit \
    --enable-mime-magic \
    --enable-safe-mode \
    --enable-shmop \
    --enable-sockets \
    --enable-sysvsem \
    --enable-sysvshm \
    --enable-track-vars \
    --enable-trans-sid \
    --enable-wddx \
    "--prefix=${ARENA_HOME}" \
    "--with-apxs=${ARENA_HOME}/sbin/apxs" \
    --with-bz2=shared \
    "--with-config-file-path=${ARENA_HOME}/etc" \
    --with-db3 \
    "--with-curl=shared,${ARENA_HOME}" \
    "--with-dom=${ARENA_HOME}" \
    "--with-dom-exslt=${ARENA_HOME}" \
    "--with-dom-xslt=${ARENA_HOME}" \
    --with-expat-dir=/usr \
    --with-freetype-dir=/usr \
    --with-gd=shared \
    --with-gettext=shared \
    --with-gmp \
    --with-iconv=shared \
    --with-imap=shared \
    "--with-imap-ssl=${ARENA_HOME}" \
    --with-jpeg-dir=/usr \
    --with-kerberos \
    --with-layout=GNU \
    --with-mysql=shared,/usr \
    --with-ncurses=shared \
    "--with-openssl=shared,${ARENA_HOME}" \
    --with-pgsql=shared \
    --with-pic \
    --with-png-dir=/usr \
    --with-pspell=shared \
    --with-readline \
    --with-regex=system \
    --with-ttf=shared \
    --with-xmlrpc=shared \
    --with-xpm-dir=/usr/X11R6 \
    --with-zlib \
    --x-includes=/usr/X11R6/include/X11 \
    --x-libraries=/usr/X11R6/lib

 [2003-01-02 21:26 UTC] mattb at columbia dot edu
changing title...
 [2003-01-03 00:33 UTC] mattb at columbia dot edu
This does not happen if one uses --with-regex=php in the PHP configuration stage. Apparently, one cannot use --with-regex=system with Apache (is there a symbol name conflict here?).
 [2003-01-03 00:40 UTC] derick@php.net
From ./configure --help output:

  --with-regex=TYPE       regex library type: system, apache, php. Default: php
                          WARNING: Do NOT use unless you know what you are doing!

It indeed causes problems if you choose the wrong one; just follow the advice in the ./configure --help output, it's there for a reason.

Not a bug -> bogus.
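
A build-time check for the combination this thread ties to the crash, added here as an example and not part of the original report or of PHP's build system. The function name `regex_lint`, its verdict strings and the `/opt/arena` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint PHP 4 ./configure arguments for the regex TYPE choice
# discussed in this report. Prints a verdict and returns a matching status:
#   0 ok              default bundled regex (TYPE php)
#   1 reported-crash  TYPE system in an Apache module build, as in this report
#   2 non-default     any other TYPE; the --help text warns against it
regex_lint() {
    regex_type=php      # default TYPE, per the quoted ./configure --help text
    apache_module=no
    for arg in "$@"; do
        case $arg in
            --with-regex=*) regex_type=${arg#--with-regex=} ;;  # last one wins
            --with-apxs*)   apache_module=yes ;;  # flag the reporter built with
        esac
    done
    case $regex_type in
        php)
            echo "ok"
            return 0 ;;
        system)
            if [ "$apache_module" = yes ]; then
                echo "reported-crash"
                return 1
            fi
            echo "non-default"
            return 2 ;;
        *)
            echo "non-default"
            return 2 ;;
    esac
}

# Abbreviated from the reporter's PHP 4.3.0 flags; /opt/arena is a constructed
# stand-in for ${ARENA_HOME}.
verdict=$(regex_lint --with-apxs=/opt/arena/sbin/apxs --with-pic \
    --with-regex=system) || true
echo "reporter's flags: $verdict"
```
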
