Bug #28565 overrun / crash
Submitted: 2004-05-29 02:26 UTC Modified: 2004-06-08 01:00 UTC
From: gavin at vess dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 4CVS-2004-05-29 (stable) OS: Linux 2.6.5
Private report: No CVE-ID: None
 [2004-05-29 02:26 UTC] gavin at vess dot com
Description:
------------
First, this is a Zend engine 1 problem (but I don't see that as an option in the bug report form). I am using a copy of php4-STABLE from 2 days ago, compiled with debugging enabled. Backtrace included below showing SEGV.

Zend's output
=============

pws/setup/set_config.php
---------------------------------------
Zend/zend_ini.c(53) : Block 0x08A06B40 status:
Beginning:      Overrun (magic=0x6D6F682F, expected=0x7312F8DC)


The fast cgi process then terminated itself.

Reproduce code:
---------------
Download http://phpwebsite.appstate.edu/downloads/daily-cvs/phpwebsite-cvs-core.tar.gz

In setup/set_config.php, find "PHPWS_Form::formHidden" near line 234.

Replace all code from there to end of file with:
     echo PHPWS_Form::formHidden($back);
     echo PHPWS_Form::formSubmit("Return to Setup");
   }
}

?>
</body>
</html>


Expected result:
----------------
PHP process dies when accessing the web page /pws/.

Strangely, commenting out either one of the two echoes above results in a normal page creation.

Also, replacing the trivial method bodies of formHidden and/or formSubmit with a simple "return 'hello world'" does not stop PHP from dying.

Also odd, adding "<? exit(); ?>" to the end of the file results in a normal page creation .. but looking at the backtrace, I can see how that is related to the area seg faulting.

Actual result:
--------------
 '/home/vess/tiffany.vess.com/pws/setup/set_config.php'
---------------------------------------
/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c(53) : Block 0x082D7348 status:
Beginning:      Overrun (magic=0x6D6F682F, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
_mem_block_check (ptr=0x82d736c, silent=0,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:675
675             memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) bt
#0  _mem_block_check (ptr=0x82d736c, silent=0,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:675
#1  0x08151592 in _mem_block_check (ptr=0x82d736c, silent=1,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:683
#2  0x08150ae2 in _efree (ptr=0x82d736c, __zend_lineno=53, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:243
#3  0x08168cdd in zend_restore_ini_entry_cb (ini_entry=0x81dfda8, stage=8)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c:53
#4  0x08163d7c in zend_hash_apply_with_argument (ht=0x81dbbe0, apply_func=0x8168c93 <zend_restore_ini_entry_cb>,
    argument=0x8) at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_hash.c:717
#5  0x08168dda in zend_ini_deactivate () at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c:89
#6  0x0815ee33 in zend_deactivate () at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend.c:674
#7  0x081353d9 in php_request_shutdown (dummy=0x0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/main/main.c:996
#8  0x08175c80 in main (argc=7, argv=0xbffff7e4)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/sapi/cgi/cgi_main.c:1774
(gdb)
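
Added example, not part of the original report and not Zend's code: a simplified guard-word block check in the style of the "Beginning: Overrun (magic=0x6D6F682F, expected=0x7312F8DC)" line above, plus a helper that decodes the reported magic as little-endian bytes, which gives the ASCII text "/hom". It assumes a little-endian host; `guard_init`, `guard_check`, `magic_ascii`, `END_MAGIC` and the copied string are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define START_MAGIC 0x7312F8DCu  /* the "expected" value in the report */
#define END_MAGIC   0x5AFEC0DEu  /* constructed tail guard for this sketch */
typedef struct { uint32_t magic, size; } hdr_t;  /* simplified block header */

/* Lay out [hdr][size data bytes][END_MAGIC] at base; return the data pointer. */
static void *guard_init(unsigned char *base, uint32_t size) {
    hdr_t h = { START_MAGIC, size };
    uint32_t end = END_MAGIC;
    memcpy(base, &h, sizeof h);
    memcpy(base + sizeof h + size, &end, sizeof end);
    return base + sizeof h;
}

/* 0 = intact, 1 = header guard bad, 2 = tail guard bad; *seen = word found. */
static int guard_check(const void *ptr, uint32_t *seen) {
    hdr_t h;
    memcpy(&h, (const unsigned char *)ptr - sizeof h, sizeof h);
    *seen = h.magic;
    if (h.magic != START_MAGIC) return 1;  /* h.size is untrustworthy: stop */
    memcpy(seen, (const unsigned char *)ptr + h.size, sizeof *seen);
    return *seen != END_MAGIC ? 2 : 0;
}

/* The four bytes a 32-bit word occupies in little-endian memory, as text. */
static void magic_ascii(uint32_t m, char out[5]) {
    for (int i = 0; i < 4; i++, m >>= 8)
        out[i] = ((m & 0xFF) >= 0x20 && (m & 0xFF) < 0x7F) ? (char)(m & 0xFF) : '.';
    out[4] = '\0';
}

/* Constructed case: 24 bytes copied into 16-byte block a; b starts 28 bytes in. */
static int demo(char text[5]) {
    unsigned char arena[64] = {0};
    uint32_t seen;
    void *a = guard_init(arena, 16), *b = guard_init(arena + 28, 16);
    memcpy(a, "setup/set_config.php/hom", 24);  /* constructed input */
    int status = guard_check(b, &seen);
    magic_ascii(seen, text);
    return status;
}

int main(void) {
    char text[5];
    int status = demo(text);
    printf("status=%d header bytes=\"%s\"\n", status, text);
    return 0;
}
```

The early return in `guard_check` matters because the fault in frame #0 of the backtrace is on the read at zend_alloc.c:675, which is offset by `p->size` taken from the block header.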


 [2004-05-31 12:04 UTC] derick@php.net
Recategorize, and you really need to come up with a small piece of example code, otherwise it's very hard to debug this.
 [2004-06-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
Last updated: Tue Jul 01 20:01:36 2025 UTC