PHP :: Bug #33958 :: Crash with processing HTTP_COOKIE with 'doubled' variables

Bug #33958	Crash with processing HTTP_COOKIE with 'doubled' variables
Submitted:	2005-08-02 03:58 UTC	Modified:	2005-08-02 19:05 UTC
From:	andrey at cherezov dot koenig dot su	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	5CVS-2005-08-02	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	andrey at cherezov dot koenig dot su
New email:
PHP Version:		OS:

New Comment:

[2005-08-02 03:58 UTC] andrey at cherezov dot koenig dot su

Description:
------------
Just downloaded and installed 5.1 snap (2 Aug) and replaced PHP5.1b3 in my server (ISAPI mode). Now I see in log, some users got "error 500" while accessing /forum/ and /forum/viewtopic.php (PhpBB current version). Turn on trace and get error pages:

Mon, 01 Aug 2005 20:48:52 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A


Mon, 01 Aug 2005 20:48:54 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A

After server restart - address changed:

PHP has encountered an Access Violation at 0109813A

Reproduce code:
---------------
I can't reproduce it myself (same pages loaded ok), but there are lot of such dumps in my log. I can install and try any test version there.

Expected result:
----------------
Page load.

Actual result:
--------------
PHP has encountered an Access Violation at 0109813A

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-08-02 08:33 UTC] andrey at cherezov dot koenig dot su

The way to reproduce:

GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close

Posted this request (via telnet) to my local web-server and got the same error! (the script php.php5 just "echo 'test'"). PHP has encountered an Access Violation at 00F2813A

If I delete second variable copy, i.e.:
GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close
- the script works ok.

[2005-08-02 08:46 UTC] andrey at cherezov dot koenig dot su

In the PHP 4.3.11 under the same server with the same test request = 200 OK.
So this bug is PHP5.1 specific.

[2005-08-02 18:50 UTC] sniper@php.net

Verified with latest CVS and Apache2..

[2005-08-02 18:56 UTC] sniper@php.net

[Switching to Thread 46912528940992 (LWP 2360)]
0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
736             memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) 
(gdb) bt
#0  0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
#1  0x00002aaab000ae9d in _mem_block_check (ptr=0x555555b3a081, silent=1, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:728
#2  0x00002aaab0009c39 in _efree (ptr=0x555555b3a081, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:287
#3  0x00002aaaaffe030e in php_register_variable_ex (var=0x555555b3a081 "phpbb2mysql_data", val=0x7fffff839990, 
    track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:201
#4  0x00002aaaaffdfd3c in php_register_variable_safe (var=0x555555b3a080 " phpbb2mysql_data", 
    strval=0x5555557b5500 "a:0:{}", str_len=6, track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:57
#5  0x00002aaaaffe0c8c in php_default_treat_data (arg=2, str=0x0, destArray=0x0)
    at /usr/src/php/php5/main/php_variables.c:345
#6  0x00002aaaaffe1b53 in php_hash_environment () at /usr/src/php/php5/main/php_variables.c:646
#7  0x00002aaaaffcf73b in php_request_startup () at /usr/src/php/php5/main/main.c:1064
#8  0x00002aaab00b850a in php_apache_request_ctor (r=0x555555b23020, ctx=0x555555b27a28)
    at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:438
#9  0x00002aaab00b8c87 in php_handler (r=0x555555b23020) at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:534

[2005-08-02 19:05 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Dec 26 14:01:30 2024 UTC