Bug #38265 pear && serialize segfaults PHP
Submitted: 2006-07-31 07:18 UTC Modified: 2006-08-23 13:01 UTC
From: judas dot iscariote at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2006-07-31 (CVS) OS: linux 64 bit
Private report: No CVE-ID: None
 [2006-07-31 07:18 UTC] judas dot iscariote at gmail dot com
Description:
------------
I'm testing PHP 5.2, current CVS.
It segfaults using the pear tool.

Reproduce code:
---------------
Sorry, but no short reproduce code :(, but it is easily reproducible like this:


pear install --alldeps phpdocumentor-beta

Expected result:
----------------
installing phpdocumentor beta as always

Actual result:
--------------
Starting program: /local/local/bodegon/php-debug/sapi/cli/php -C -q -d include_path=/usr/share/pear -d output_buffering=1 -d open_basedir= -d safe_mode=0 /usr/share/pear/pearcmd.php install --alldeps -f phpdocumentor-beta
downloading PhpDocumentor-1.3.0RC6.tar ...
Starting to download PhpDocumentor-1.3.0RC6.tar (-1 bytes)
.............................................................................................................................................................................................................................................................................................................................................................................................................

.....done: 9,735,168 bytes

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x889210, size=786261,
    __zend_filename=0x6ecd08 "/local/local/bodegon/php-debug/ext/standard/var.c", __zend_lineno=541,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/Zend/zend_alloc.c:465
465             next->prev_free_block = mm_block;
(gdb)
(gdb)
(gdb) bt full
#0  _zend_mm_alloc_int (heap=0x889210, size=786261,
    __zend_filename=0x6ecd08 "/local/local/bodegon/php-debug/ext/standard/var.c", __zend_lineno=541,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/Zend/zend_alloc.c:465
        index = 18446744073709551610
        segment_size = 96
        segment = <value optimized out>
        next_block = (zend_mm_block *) 0x2b091d31afc0
        true_size = 786336
        best_size = <value optimized out>
        p = <value optimized out>
        end = (zend_mm_free_block *) 0x889258
        best_fit = (zend_mm_free_block *) 0x2b091d25b020
        offset = {4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0}
#1  0x00000000005bec96 in _zend_mm_realloc_int (heap=0x889210, p=0x2b091d19a060, size=786261,
    __zend_filename=0x6ecd08 "/local/local/bodegon/php-debug/ext/standard/var.c", __zend_lineno=541,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/Zend/zend_alloc.c:1543
        index = <value optimized out>
        remaining_size = <value optimized out>
        mm_block = (zend_mm_block *) 0x2b091d19a020
        next_block = (zend_mm_block *) 0x2b091d259f10
        true_size = 786336
        ptr = <value optimized out>
#2  0x000000000056b678 in php_var_serialize_intern (buf=0x7fff90c10760, struc=<value optimized out>,
    var_hash=<value optimized out>) at /local/local/bodegon/php-debug/ext/standard/var.c:541
        __nl = <value optimized out>
        i = <value optimized out>
        var_already = <value optimized out>
        myht = <value optimized out>
#3  0x000000000056ab12 in php_var_serialize_intern (buf=0x7fff90c10760, struc=0x2b091c3bb120, var_hash=0x7fff90c10710)
    at /local/local/bodegon/php-debug/ext/standard/var.c:827
        __nl = 786068
        i = <value optimized out>
        var_already = <value optimized out>
        myht = (HashTable *) 0x2b091c578198
#4  0x000000000056ab12 in php_var_serialize_intern (buf=0x7fff90c10760, struc=0x2b091b909e10, var_hash=0x7fff90c10710)
    at /local/local/bodegon/php-debug/ext/standard/var.c:827
        __nl = 785956
        i = <value optimized out>
        var_already = <value optimized out>
        myht = (HashTable *) 0x2b091b2067d8
#5  0x000000000056ab12 in php_var_serialize_intern (buf=0x7fff90c10760, struc=0x2b091b33faa0, var_hash=0x7fff90c10710)
    at /local/local/bodegon/php-debug/ext/standard/var.c:827
        __nl = 326227
        i = <value optimized out>
        var_already = <value optimized out>
        myht = (HashTable *) 0x2b091be36cd8
#6  0x000000000056c6e9 in php_var_serialize (buf=0x0, struc=0xc1000, var_hash=0x2b091d31afc0)
    at /local/local/bodegon/php-debug/ext/standard/var.c:845
No locals.
#7  0x000000000056c7ad in zif_serialize (ht=<value optimized out>, return_value=0x2b091b274d98,
    return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /local/local/bodegon/php-debug/ext/standard/var.c:868
        struc = (zval **) 0x2b091b33faa0
        var_hash = {nTableSize = 16384, nTableMask = 16383, nNumOfElements = 13861, nNextFreeElement = 4327,
  pInternalPointer = 0x2b091bc64968, pListHead = 0x2b091bc64968, pListTail = 0x2b091b76c398, arBuckets = 0x2b091c966b40,
  pDestructor = 0, persistent = 0 '\0', nApplyCount = 0 '\0', bApplyProtection = 1 '\001', inconsistent = 0}
        buf = {
  c = 0x2b091d19a060 "a:23:{s:7:\"attribs\";a:6:{s:15:\"packagerversion\";s:5:\"1.4.9\";s:7:\"version\";s:3:\"2.0\";s:5:\"xmlns\";s:35:\"http://pear.php.net/dtd/package-2.0\";s:11:\"xmlns:tasks\";s:33:\"http://pear.php.net/dtd/tasks-1.0\";s"...,
  len = 786076, a = 786260}
#8  0x0000000000605f9a in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c10fc0)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:200
        i = 1
        p = <value optimized out>
        arg_count = 0
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b091ac162e0
        original_return_value = <value optimized out>
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = -1
        should_change_scope = 0 '\0'
#9  0x00000000005f86df in execute (op_array=0x2b091ac12b08) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ac162e0, function_state = {function_symbol_table = 0x2b091adc8380,
    function = 0x8b6af0, reserved = {0x889210, 0x1, 0x7fff90c114f0, 0x2b091ac34dd8}}, fbc = 0x0, op_array = 0x2b091ac12b08,
  object = 0x0, Ts = 0x7fff90c108d0, CVs = 0x7fff90c10880, original_in_execution = 1 '\001', symbol_table = 0x2b091adadc78,
  prev_execute_data = 0x7fff90c114f0, old_error_reporting = 0x0}
#10 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c114f0)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091ac350a8
        original_return_value = (zval **) 0x7fff90c15d38
        current_scope = (zend_class_entry *) 0x2b091ab0b828
        current_this = (zval *) 0x2b091c347488
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#11 0x00000000005f86df in execute (op_array=0x2b091ac362c0) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ac350a8, function_state = {function_symbol_table = 0x2b091adadc78,
    function = 0x2b091ac12b08, reserved = {0x12700000040, 0x712168, 0x2b091c588e98, 0x7fff90c188e0}}, fbc = 0x2b091ac12b08,
  op_array = 0x2b091ac362c0, object = 0x2b091c347488, Ts = 0x7fff90c11170, CVs = 0x7fff90c11140,
  original_in_execution = 1 '\001', symbol_table = 0x2b091ad13f68, prev_execute_data = 0x7fff90c16420,
  old_error_reporting = 0x0}
#12 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c16420)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091aee1878
        original_return_value = (zval **) 0x7fff90c188e0
        current_scope = (zend_class_entry *) 0x2b091ae4c640
        current_this = (zval *) 0x2b091ae475b0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#13 0x00000000005f86df in execute (op_array=0x2b091ae747a8) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091aee1878, function_state = {function_symbol_table = 0x2b091ad13f68,
    function = 0x2b091ac362c0, reserved = {0x889210, 0x1, 0x7fff90c1ad00, 0x2b091ae04168}}, fbc = 0x2b091ac362c0,
  op_array = 0x2b091ae747a8, object = 0x2b091c347488, Ts = 0x7fff90c117d0, CVs = 0x7fff90c11670,
  original_in_execution = 1 '\001', symbol_table = 0x2b091ad14208, prev_execute_data = 0x7fff90c1ad00,
  old_error_reporting = 0x0}
#14 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c1ad00)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091ae043c0
        original_return_value = (zval **) 0x7fff90c1b3a0
        current_scope = (zend_class_entry *) 0x2b091add1718
        current_this = (zval *) 0x2b091addd7e0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#15 0x00000000005f86df in execute (op_array=0x2b091adf3fa8) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ae043c0, function_state = {function_symbol_table = 0x2b091ad14208,
    function = 0x2b091ae747a8, reserved = {0x9f, 0x7, 0x2b091ae31bb8, 0x8}}, fbc = 0x2b091ae747a8,
  op_array = 0x2b091adf3fa8, object = 0x2b091ae475b0, Ts = 0x7fff90c166f0, CVs = 0x7fff90c165a0,
  original_in_execution = 1 '\001', symbol_table = 0x2b091acc6238, prev_execute_data = 0x7fff90c1b3d0,
  old_error_reporting = 0x0}
#16 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c1b3d0)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b091ae31dc8
        original_return_value = (zval **) 0x7fff90c1f0f0
        current_scope = (zend_class_entry *) 0x2b091adcee30
        current_this = (zval *) 0x2b091addd7e0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#17 0x00000000005f86df in execute (op_array=0x2b091ade6e38) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b091ae31dc8, function_state = {function_symbol_table = 0x2b091acc6238,
    function = 0x2b091adf3fa8, reserved = {0x70e8d8, 0x10170e8d8, 0x2b091addf4a0, 0x90c1b4c0}}, fbc = 0x2b091adf3fa8,
  op_array = 0x2b091ade6e38, object = 0x2b091addd7e0, Ts = 0x7fff90c1aec0, CVs = 0x7fff90c1ae80,
  original_in_execution = 1 '\001', symbol_table = 0x2b091ad1c8c8, prev_execute_data = 0x7fff90c1f330,
  old_error_reporting = 0x0}
#18 0x00000000006059e3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff90c1f330)
    at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:234
        opline = (zend_op *) 0x2b0919f5a770
        original_return_value = (zval **) 0x7fff90c1f4b0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = <value optimized out>
        should_change_scope = 1 '\001'
#19 0x00000000005f86df in execute (op_array=0x2b0919eef8f8) at /local/local/bodegon/php-debug/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b0919f5a770, function_state = {function_symbol_table = 0x2b091ad1c8c8,
    function = 0x2b091ade6e38, reserved = {0x5be660, 0x2b0900000000, 0x0, 0x2b0919eefa28}}, fbc = 0x2b091ade6e38,
  op_array = 0x2b0919eef8f8, object = 0x2b091addd7e0, Ts = 0x7fff90c1b6a0, CVs = 0x7fff90c1b550,
  original_in_execution = 0 '\0', symbol_table = 0x888b48, prev_execute_data = 0x0, old_error_reporting = 0x0}
#20 0x00000000005d67a8 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/local/bodegon/php-debug/Zend/zend.c:1095
        files = {{gp_offset = 40, fp_offset = 32767, overflow_arg_area = 0x7fff90c1f5b0, reg_save_area = 0x7fff90c1f4c0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff90c21a40
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#21 0x0000000000593435 in php_execute_script (primary_file=0x7fff90c21a40)
    at /local/local/bodegon/php-debug/main/main.c:1759
        realfile = "/usr/share/pear/pearcmd.php\000\000\000\000\000\006\000\000\000\000\000\000p�\000\000\000\000\000linkinfo\000p\000\000\000\000\000�\213\032\t+\000\0004{\032\t+\000\000readlink\220i\205", '\0' <repeats 13 times>, "p\034�220\177", '\0' <repeats 26 times>, "�020�031\t+\000\000\001\000\000\000rlde\000\000\000\000\000\000\000\000\006\000\000\000\000\000\000p�\000\000\000\000\000�\213\032\t+", '\0' <repeats 18 times>, "Be�031\t+\000\000P�", '\0' <repeats 13 times>, "c�\000\000\000"...
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff90c1f5d0 ""
        retval = 0
#22 0x000000000065dfbd in main (argc=16, argv=0x7fff90c21c78) at /local/local/bodegon/php-debug/sapi/cli/php_cli.c:1097
        bailout = {{__jmpbuf = {1, -69030786763965496, 0, 140735622028400, 0, 0, -69032687551370152, -69030786766214177},
    __mask_was_saved = 0, __saved_mask = {__val = {4426960, 0, 47318089355888, 47318089356752, 140735622027456,
        47318090518560, 434712305, 47318089357400, 456, 47317654700032, 4426960, 0, 47318089415902, 47318102347120,
        47318100110072, 0}}}}
        exit_status = <value optimized out>
        c = <value optimized out>
        file_handle = {type = 2 '\002', filename = 0x7fff90c23475 "/usr/share/pear/pearcmd.php",
  opened_path = 0x2b0919eef890 "/usr/share/pear/PEAR.php", handle = {fd = 10194480, fp = 0x9b8e30, stream = {
      handle = 0x9b8e30, reader = 0x5eb660 <zend_stream_stdio_reader>, closer = 0x5eb640 <zend_stream_stdio_closer>,
      fteller = 0x5eb630 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff90c23475 "/usr/share/pear/pearcmd.php"
        arg_excp = <value optimized out>
        script_file = 0x7fff90c23475 "/usr/share/pear/pearcmd.php"
        interactive = 0
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = <value optimized out>
        hide_argv = 0



 [2006-07-31 07:38 UTC] judas dot iscariote at gmail dot com
print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x6e03a9 "serialize"

Reclassified as reproducible crash, changed the report title since it looks like serialize is the guilty one.
 [2006-08-23 13:01 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_2.