Bug #33989 extract()/eval()/require() crashes php
Submitted: 2005-08-03 23:09 UTC Modified: 2005-08-04 12:38 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mdpm2 at rohms dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS, 4CVS (2005-08-03) OS: *
Private report: No CVE-ID: None

 [2005-08-03 23:09 UTC] mdpm2 at rohms dot com
Description:
------------
The use of extract($GLOBALS,EXTR_REFS) appears to corrupt memory when it is followed by an eval()'d series of code which includes another PHP file.

This produces the following error:

httpd process:
  [notice] child pid 46966 exit signal Bus error (10)
or
  Bus error (core dumped)  (from php standalone)


NOTE: This is a clarification of bug #33985

Reproduce code:
---------------
art.php (base script to run to reproduce error):
<?
 echo "<PRE>";
  $fcategory=20;
//  $stx="require_once(\"l-catlist.php\"); echo \"inside eval\"; catlist(1,0,9,3,$fcategory,0,1,1,99);";

  $stx="require_once(\"l-catlist.php\"); echo \"inside eval\";";

echo 'EVAL string6='.$stx.'<P>';
  extract($GLOBALS,EXTR_REFS);
  eval($stx);
echo "\n\ndone run</PRE>";
?>

l-catlist.php (included from eval'd code):
<?
##
function catlist($ct1,$parentid,$depth=NULL,$distype=1,$selected=NULL,$linktype=2,$zero=1,$action=0,$tt=0)
{
  echo "inside catlist<P>";
  return(0);
}
?>


Expected result:
----------------
For the server to not crash, at least.

Actual result:
--------------
There are two versions of the $stx assignment - I was debugging a condition where I was having problems with the passing of parameters between functions, and I discovered when trimming down the code that I could make the server completely crash with a simplified version, so I believe this is related to the problems I'm experiencing. If you can't reproduce the error, try enabling the alternate assignment of $stx and making sure the variables passed are accurate. However, I can consistently crash the server using the above code and merely calling art.php.

If you comment out "extract($GLOBALS,EXTR_REFS);" there are no problems.

It's possible the above code could be simplified even more, but I've verified the error condition works with it as listed, under Apache 1_3.26/PHP 4.4.0

The problem can also be reproduced outside of apache:

#php -f art.php
<PRE>EVAL string6=require_once("l-catlist.php"); echo "inside eval";<P>inside eval

done run</PRE>
Bus error (core dumped)

NOTE: zend 20050606 was enabled - I'm not sure how to disable it.

 [2005-08-04 00:12 UTC] tony2001@php.net
<?php
$a="a";
extract($GLOBALS, EXTR_REFS);
?>
is enough to see errors when Zend MM is disabled (with 5.1-dev too).
 [2005-08-04 12:38 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_0 and PHP_4_4.
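
Added example, not part of the original report or of PHP itself: a heuristic Python text scan (not a PHP parser) for auditing a code base that may run on builds predating the fix, flagging `extract($GLOBALS ...)` calls and noting whether `EXTR_REFS` is passed. The function names and the sample source are constructed for illustration.

```python
import re

# Heuristic text scan (not a PHP parser): string literals or comments, in that order.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|/\*.*?\*/|(?://|#)[^\n]*', re.DOTALL)
# extract( as a plain function call: not $extract(, ->extract(, ::extract(, my_extract(
CALL = re.compile(r"(?<![\w$>:])extract\s*\(", re.IGNORECASE)

def _blank_comments(src):
    """Blank out comments (keeping newlines); leave string literals untouched."""
    def repl(m):
        text = m.group(0)
        return text if text[0] in "\"'" else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(repl, src)

def _args(src, start):
    """Split the top-level arguments of the call whose '(' ends just before start."""
    depth, cur, out = 1, [], []
    for ch in src[start:]:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                break
        if ch == "," and depth == 1:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return out

def find_extract_globals(src):
    """Return (line, uses_extr_refs) for every extract($GLOBALS ...) call in src."""
    clean = _blank_comments(src)
    hits = []
    for m in CALL.finditer(clean):
        args = _args(clean, m.end())
        if args and args[0] == "$GLOBALS":
            refs = any("EXTR_REFS" in a for a in args[1:])
            hits.append((clean.count("\n", 0, m.start()) + 1, refs))
    return hits

# Constructed sample based on the report's art.php, plus benign variants.
SAMPLE = r'''<?php
$stx = "require_once(\"l-catlist.php\"); echo \"inside eval\";";
extract($GLOBALS,EXTR_REFS);
// extract($GLOBALS,EXTR_REFS);
extract($row, EXTR_REFS);
eval($stx);
'''
```

Calls inside string literals are still reported, since such strings may later be passed to eval().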