Bug #39176 php segfaults in zend_get_extension
Submitted: 2006-10-17 15:37 UTC
Modified: 2006-10-25 01:00 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: prometheus__0 at hotmail dot com
Assigned:
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.1.6
OS: Linux Sles10
Private report: No
CVE-ID: None
 [2006-10-17 15:37 UTC] prometheus__0 at hotmail dot com
Description:
------------
A pointer isn't checked within zend_extension.c, which can cause segfaults.

I had the problem using current version of DBG extension no as zend_extension installed

but the cause of this is an unvalidated pointer.

I checked actual php5.2 CVS and the bug can also be found there on line 221 of file Zend/zend_extension.c
---------------------------
zend_extension *extension = (zend_extension *) element->data;
if (!strcmp(extension->name, extension_name)) {
	return extension;
}
---------------------------
extension isn't checked if it is NULL and strcmp doesn't care
extension_name was correct as seen in the backtrace

Reproduce code:
---------------
host:/home/testuser # php5 -r 'print "BUGG";'
BUGGSegmentation fault
host:/home/testuser #


Expected result:
----------------
host:/home/testuser # php5 -r 'print "BUGG";'
BUGG
host:/home/testuser #

Actual result:
--------------
(gdb) run -r 'print "BUGG";'
Starting program: /usr/bin/php5 -r 'print "BUGG";'
[Thread debugging using libthread_db enabled]
[New Thread 182910915616 (LWP 20652)]
BUGG
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 182910915616 (LWP 20652)]
0x0000002a963b73c3 in strcmp () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x0000002a963b73c3 in strcmp () from /lib64/tls/libc.so.6
#1  0x000000000054cb96 in zend_get_extension (extension_name=0x2a9727629d "DBG") at /usr/src/debug/php-5.1.6/Zend/zend_extensions.c:221
#2  0x0000002a9726e50c in zm_shutdown_dbg (type=<value optimized out>, module_number=18) at /home/mcls/dbg-2.15.1/dbg.c:926
#3  0x0000000000548613 in module_destructor (module=0x7fe030) at /usr/src/debug/php-5.1.6/Zend/zend_API.c:1811
#4  0x000000000054dc86 in zend_hash_apply_deleter (ht=0x79ed20, p=0x7fdfd0) at /usr/src/debug/php-5.1.6/Zend/zend_hash.c:576
#5  0x000000000054de68 in zend_hash_graceful_reverse_destroy (ht=0x79ed20) at /usr/src/debug/php-5.1.6/Zend/zend_hash.c:642
#6  0x00000000005443d7 in zend_shutdown () at /usr/src/debug/php-5.1.6/Zend/zend.c:728
#7  0x000000000050699a in php_module_shutdown () at /usr/src/debug/php-5.1.6/main/main.c:1618
#8  0x00000000005b70d0 in main (argc=3, argv=0x7fbffff498) at /usr/src/debug/php-5.1.6/sapi/cli/php_cli.c:1252
(gdb)
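
An added example, not part of the original report and not PHP's source: a name lookup over a simplified list that validates the element data and its name before strcmp() reads through them. The `ext_entry` and `ext_node` types and `find_extension_checked` are hypothetical stand-ins, and the sample list is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the list element and the extension record;
 * illustrative types only, not the Zend Engine definitions. */
typedef struct ext_entry { const char *name; } ext_entry;
typedef struct ext_node  { struct ext_node *next; void *data; } ext_node;

/* Lookup that validates every pointer before strcmp() dereferences it.
 * Returns the matching entry, or NULL if none is found. */
static ext_entry *find_extension_checked(ext_node *head, const char *wanted)
{
    if (wanted == NULL)
        return NULL;
    for (ext_node *n = head; n != NULL; n = n->next) {
        ext_entry *e = (ext_entry *)n->data;
        if (e == NULL || e->name == NULL)
            continue;           /* skip empty or half-initialised slots */
        if (strcmp(e->name, wanted) == 0)
            return e;
    }
    return NULL;
}

/* Constructed sample list: a NULL data slot, an entry with a NULL name,
 * then a valid "DBG" entry. */
static ext_entry sample_noname = { NULL };
static ext_entry sample_dbg    = { "DBG" };
static ext_node  sample_n3 = { NULL, &sample_dbg };
static ext_node  sample_n2 = { &sample_n3, &sample_noname };
static ext_node  sample_n1 = { &sample_n2, NULL };

int main(void)
{
    ext_entry *hit = find_extension_checked(&sample_n1, "DBG");
    return (hit == &sample_dbg) ? 0 : 1;
}
```

A NULL check only catches empty slots; it cannot detect a pointer to memory that has already been freed or unmapped.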


 [2006-10-17 16:07 UTC] iliaa@php.net
What zend extensions do you have loaded?

Also can you print the value of extension->name ?
 [2006-10-25 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 