Bug #24762 Reproducible crash in error handling
Submitted: 2003-07-22 22:40 UTC
Modified: 2003-07-23 11:32 UTC
From: skissane at ics dot mq dot edu dot au
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 4.3.2
OS: Linux (RedHat 9.0)
Private report: No
CVE-ID: None

 [2003-07-22 22:40 UTC] skissane at ics dot mq dot edu dot au
Description:
------------
I am sometimes getting segfaults when my custom error handler executes. It happens when an array is passed to preg_match instead of a string, and this raises an error.
Below is the error handler, and the backtrace PHP gives, and my PHP configuration.

PHP/Apache Version
PHP Version 4.3.2

System 	Linux itsa.iips.mq.edu.au 2.4.18-10 #1 Wed Aug 7 11:39:21 EDT 2002 i686 
Build Date 	Jul 23 2003 09:42:28 
Configure Command 	'./configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mssql=/usr/local' '--without-mysql' '--with-curl=/usr' '--enable-debug' 
Server API 	Apache 2.0 Handler 
Virtual Directory Support 	disabled 
Configuration File (php.ini) Path 	/usr/local/lib/php.ini 
PHP API 	20020918 
PHP Extension 	20020429 
Zend Extension 	20021010 
Debug Build 	yes 
Thread Safety 	disabled 
Registered PHP Streams 	php, http, ftp 

apache2handler
Apache Version 	Apache/2.0.45 (Unix) 
Apache API Version 	20020903 
Server Administrator 	root@localhost 
Hostname:Port 	itsa.iips.mq.edu.au:0 
User/Group 	apache(48)/48 
Max Requests 	Per Child: 1000 - Keep Alive: off - Max Per Connection: 100 
Timeouts 	Connection: 300 - Keep-Alive: 15 
Virtual Server 	No 
Server Root 	/etc/httpd 
Loaded Modules 	core mod_access mod_auth mod_include mod_log_config mod_env mod_setenvif prefork http_core mod_mime mod_status mod_autoindex mod_asis mod_cgi mod_negotiation mod_dir mod_imap mod_actions mod_userdir mod_alias mod_so sapi_apache2 

Directive	Local Value	Master Value
engine	1	1
last_modified	0	0
xbithack	0	0



Reproduce code:
---------------
<?
/*
 ** File: error.inc
 ** Description: Error handling code
 ** right form when user presses 'Cancel'
 ** Version: 1.0
 ** Created: 20/03/2003
 ** Author: Simon Kissane <skissane@ics.mq.edu.au>
 ** Group: Internet Information Projects & Services
 **
 ** Copyright (C) 2003 Macquarie University
 */

// Turn on output buffering
ob_start();

/*
 ** Function: _error_backtrace()
 ** Input: None
 ** Output: None
 ** Description: Print stack backtrace
 */
function _error_backtrace ()
{
    $trace = debug_backtrace();

    echo "<ul>\n";
    foreach ($trace as $fn => $frame) {
        if ($fn < 2) { continue; }
        echo "<li>#" . ($fn-2) . " - <b>";
        if (array_key_exists("class",$frame)) {
            echo $frame["class"] . $frame["type"];
        }
        echo $frame["function"];

        echo "</b>";
        if (array_key_exists("line",$frame)) {
            echo " (at line " . $frame["line"] . " of file " .
                $frame["file"] . ")";
        }
        echo "</li>\n";
        if (array_key_exists("args",$frame)) {
            echo "<ul>\n";
            foreach ($frame["args"] as $key => $arg) {
                echo "<li># " . $key . " - [";
                print_r($arg);
                echo "]</li>\n";
            }
            echo "</ul>\n";
        }
    }
    echo "</ul>\n";
}

/*
 ** Function: _error_handler()
 ** Input: INTEGER $errno, STRING $errstr, STRING $errfile, INTEGER $errline
 ** Output: None
 ** Description: Custom error handler.
 ** Some code taken from http://www.php.net/manual/en/function.set-error-handler.php
 */
function _error_handler($errno, $errstr, $errfile, $errline) {
    ob_clean();

    // Special friendly handling for database errors.
    if (strpos($errstr,"Unable to connect to server") !== FALSE) {
        include_once("databaseproblem.inc");
        exit;
    }
    else if (strpos($errstr,"String or binary data would be truncated") !== FALSE) {
        include_once("truncationerror.inc");
        exit;
    }

    echo "<b>ERROR:</b> [$errno] $errstr<br>\n";
    echo "  Fatal error in line " . $errline . " of file " . $errfile;
    echo ", PHP ". PHP_VERSION . " (" . PHP_OS . ")<br>\n";

    echo "<b>Stack backtrace:</b><br>\n";
    _error_backtrace();

    echo "<b>Request:</b>\n";
    echo "<ul>\n";
    foreach ($_REQUEST as $k => $v) {
        echo "<li>" . $k . "=" . $v . "</li>\n";
    }
    echo "</ul>\n";

    echo "<b>Session Data:</b>\n";
    echo "<ul>\n";
    foreach ($_SESSION as $k => $v) {
        echo "<li>" . $k . "="; print_r($v); echo "</li>\n";
    }
    echo "</ul>\n";

    //  echo "<b>Globals:</b>\n";
    //  echo "<ul>\n";
    //  foreach ($GLOBALS as $k => $v) {
    //      echo "<li>" . $k . "="; print_r($v); echo "</li>\n";
    //  }
    //  echo "</ul>\n";

    echo "Aborting...<br>\n";

    exit(1);
}

/*
 ** Function: logdebug()
 ** Input: STRING $msg
 ** Output: None
 ** Description: Log a debugging message to the debugging log
 */
function logdebug($msg) {
    // $_logdebug_file = fopen("/hosts/iips/logs/dev/handbook-debug.log","a+");
    // fwrite($_logdebug_file, date('Y-m-d H:i:s') . " " . $msg ."\n");
    // fclose($_logdebug_file);
    //  echo "<tt>" . $msg . "</tt><br/>";
}

// Initialise custom error handling
set_error_handler("_error_handler");

?>


Expected result:
----------------
No segfault!

Actual result:
--------------
Backtrace

Program received signal SIGSEGV, Segmentation fault.
0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c,
    pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4)
    at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
783                     if (p->nKeyLength) {
(gdb) bt
#0  0x40405a9d in zend_hash_copy (target=0x8586ef4, source=0x8577b2c,
    pCopyConstructor=0x403fdf35 <zval_add_ref>, tmp=0xbfff50ec, size=4)
    at /home/skissane/adm/php-4.3.2/Zend/zend_hash.c:783
#1  0x403fe08d in _zval_copy_ctor (zvalue=0x8586eb4,
    __zend_filename=0x40448440 "/home/skissane/adm/php-4.3.2/Zend/zend_execute.c",
    __zend_lineno=481) at /home/skissane/adm/php-4.3.2/Zend/zend_variables.c:124
#2  0x40415902 in zend_assign_to_variable (result=0x83916e8, op1=0x83916f8,
    op2=0x8391708, value=0x857a164, type=4, Ts=0xbfff5180)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:481
#3  0x40410076 in execute (op_array=0x83a6280)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1349
#4  0x404110d9 in execute (op_array=0x82f6ee0)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#5  0x403f5e28 in call_user_function_ex (function_table=0x813bcf0, object_pp=0x0,
    function_name=0x8352b6c, retval_ptr_ptr=0xbfff6264, param_count=5,
    params=0x857ca0c, no_separation=1, symbol_table=0x0)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#6  0x403ff8f6 in zend_error (type=8,
    format=0x404467e2 "Array to string conversion")
    at /home/skissane/adm/php-4.3.2/Zend/zend.c:797
#7  0x403f8dd8 in _convert_to_string (op=0x857a164,
    __zend_filename=0x40447d40 "/home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c",
    __zend_lineno=263) at /home/skissane/adm/php-4.3.2/Zend/zend_operators.c:466
#8  0x40408185 in zend_if_strlen (ht=1, return_value=0x857a1a4, this_ptr=0x0,
    return_value_used=1)
    at /home/skissane/adm/php-4.3.2/Zend/zend_builtin_functions.c:263
#9  0x40410ea6 in execute (op_array=0x84f6818)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#10 0x403f5e28 in call_user_function_ex (function_table=0x813bcf0, object_pp=0x0,
    function_name=0x85795b4, retval_ptr_ptr=0xbfff7a58, param_count=2,
    params=0x8580980, no_separation=0, symbol_table=0x0)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute_API.c:559
#11 0x4034c1ef in zif_call_user_func (ht=3, return_value=0x857770c, this_ptr=0x0,
    return_value_used=1)
    at /home/skissane/adm/php-4.3.2/ext/standard/basic_functions.c:1825
#12 0x40410ea6 in execute (op_array=0x8381608)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1606
#13 0x404110d9 in execute (op_array=0x849fb2c)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#14 0x404110d9 in execute (op_array=0x8569a5c)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#15 0x404110d9 in execute (op_array=0x82ec01c)
    at /home/skissane/adm/php-4.3.2/Zend/zend_execute.c:1650
#16 0x403ffb48 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/skissane/adm/php-4.3.2/Zend/zend.c:869
#17 0x403ca119 in php_execute_script (primary_file=0xbffff750)
#18 0x40416ba6 in php_handler (r=0x83ff948)
    at /home/skissane/adm/php-4.3.2/sapi/apache2handler/sapi_apache2.c:525
#19 0x0807b47e in ap_run_handler (r=0x83ff948) at config.c:195
#20 0x0807b996 in ap_invoke_handler (r=0x83ff948) at config.c:401
#21 0x0806b8ff in ap_process_request (r=0x83ff948) at http_request.c:288
#22 0x08067b4d in ap_process_http_connection (c=0x828f118) at http_core.c:293
#23 0x08084096 in ap_run_process_connection (c=0x828f118) at connection.c:85
#24 0x0807a034 in child_main (child_num_arg=1930623196) at prefork.c:696
#25 0x0807a1de in make_child (s=0x80b4f00, slot=0) at prefork.c:736
#26 0x0807a237 in startup_children (number_to_start=8) at prefork.c:808
#27 0x0807a929 in ap_mpm_run (_pconf=0x8079910, plog=0x80ea8d8, s=0x80b4f00)
    at prefork.c:1024
#28 0x0807f642 in main (argc=2, argv=0xbffffa24) at main.c:660
#29 0x401e0967 in __libc_start_main () from /lib/libc.so.6


 [2003-07-23 11:32 UTC] sniper@php.net
This is fixed in CVS. (works fine here)

 