Bug #36079 Crash in session encode
Submitted: 2006-01-19 10:35 UTC
Modified: 2006-01-19 14:44 UTC
From: njewell at matrix-data dot co dot uk
Assigned:
Status: Not a bug
Package: Session related
PHP Version: 5CVS-2006-01-19 (snap)
OS: Windows XP
Private report: No
CVE-ID: None

 [2006-01-19 10:35 UTC] njewell at matrix-data dot co dot uk
Description:
------------
I am seeing Apache crash upon saving a session. This is reproducible in 5.0.5, 5.1.x and current snap.

PHP is configured as php.ini-recommended, but with:

curl, gd2 on
display errors on
correct session save path


Actual result:
--------------
php5ts.dll!zend_hash_internal_pointer_reset_ex(_hashtable * ht=0x3e612f3c, bucket * * pos=0x00000000)  Line 1000 + 0x4	C
 	php5ts.dll!ps_srlzr_encode_php(char * * newstr=0x00913eb4, int * newlen=0x0546fa44, void * * * tsrm_ls=0x0546fa68)  Line 483 + 0x20	C
 	php5ts.dll!php_session_encode(int * newlen=0x00f6ffe0, void * * * tsrm_ls=0x00bf8a60)  Line 571 + 0xe	C
 	php5ts.dll!php_session_flush(void * * * tsrm_ls=0x00f6ffe0)  Line 1806 + 0x6	C
 	php5ts.dll!zm_deactivate_session(int type=1, int module_number=11, void * * * tsrm_ls=0x00f6ffe0)  Line 1821	C
 	php5ts.dll!module_registry_cleanup(_zend_module_entry * module=0x0068baf0, void * * * tsrm_ls=0x00f6ffe0)  Line 1797 + 0x11	C
 	php5ts.dll!zend_hash_apply(_hashtable * ht=0x007e24bd, int (void *, void * * *)* apply_func=0x00bf8a60, void * * * tsrm_ls=0x007e70e0)  Line 664 + 0x7	C
 	php5ts.dll!zend_deactivate_modules(void * * * tsrm_ls=0x00f6ffe0)  Line 824 + 0x10	C
 	php5ts.dll!php_request_shutdown(void * dummy=0x00000000)  Line 1267	C
 	php5apache2.dll!php_apache_request_dtor(request_rec * r=0x012d37e0, void * * * tsrm_ls=0x00f6ffe0)  Line 442 + 0x8	C
 	php5apache2.dll!php_handler(request_rec * r=0x012d37e0)  Line 602	C
 	libhttpd.dll!ap_run_handler(request_rec * r=0x012d37e0)  Line 153 + 0x1f	C
 	libhttpd.dll!ap_invoke_handler(request_rec * r=0x6ff09a56)  Line 368	C
 	libhttpd.dll!ap_process_http_connection(conn_rec * c=0x6ff0426f)  Line 251 + 0x6	C
 	libhttpd.dll!ap_run_process_connection(conn_rec * c=0x012619d8)  Line 43 + 0x1f	C
 	libhttpd.dll!ap_process_connection(conn_rec * c=0x012619d8, void * csd=0x01261908)  Line 176 + 0x6	C
 	libhttpd.dll!worker_main(void * thread_num_val=0x77c3a3b0)  Line 733	C
 	msvcrt.dll!77c3a3b0() 	
 	kernel32.dll!7c80b50b() 	

 [2006-01-19 14:38 UTC] njewell at matrix-data dot co dot uk
Code to reproduce:

<?php
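// Build a nested array: two elements per level, recursing until level 5,
// where the recursion stops and the leaves are left as NULL.
function r($a = array(), $l = 0)
{
        if ($l == 5) return;
        // The $a argument is overwritten here; only the depth $l matters.
        $a = array(0, 1);
        for ($i=0; $i<count($a); $i++)
                $a[$i] = r($a, $l+1);
        return $a;
}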

session_name("foo");
session_start();

for ($i=0;$i<1000;$i++)
        $_SESSION['STUFF_'.$i] = r();

// Kills PHP
foreach ($_SESSION as $key => $value)
        unset($_SESSION[$key]);

// Works
//foreach (array_keys($_SESSION) as $key)
//      unset($_SESSION[$key]);
?>
 [2006-01-19 14:44 UTC] sniper@php.net
You simply run out of memory and stack. No real bug here. 
free hint: Don't do that.
 
Last updated: Fri Nov 01 01:01:28 2024 UTC