Bug #39558 Heap corrupted and segmentation fault from zend_alloc.c
Submitted: 2006-11-20 13:24 UTC
Modified: 2006-11-20 18:27 UTC
From: sheltren at cs dot ucsb dot edu
Assigned:
Status: Not a bug
Package: Reproducible crash
PHP Version: 5.2.0
OS: Linux - CentOS 4
Private report: No
CVE-ID: None
 [2006-11-20 13:24 UTC] sheltren at cs dot ucsb dot edu
Description:
------------
When running a script which uses the crack extension to check passwords against dictionary files, a "heap corrupted" message is output and then php segfaults.  The strange thing is, it crashes when $passwd is set to "jeffpass", but other strings I have tried do not cause the crash.

Reproduce code:
---------------
Code to reproduce is located here:
http://www.cs.ucsb.edu/~jeff/crashes.phps

$ php crashes.php
Heap corrupted
Segmentation fault (core dumped)


Expected result:
----------------
Should loop through dictionaries and return from function successfully - this same code works fine in php 5.1.6.

Actual result:
--------------
(gdb) bt
#0  0x00a7e7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x00abec46 in kill () from /lib/tls/libc.so.6
#2  0x0827b345 in zend_mm_panic (message=0x83a4ea0 "Heap corrupted")
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:61
#3  0x0827b7fa in zend_mm_remove_from_free_list (heap=0xa26c130, mm_block=0xb7f25a00)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:476
#4  0x0827cfee in _zend_mm_free_int (heap=0xa26c130, p=0xb7f251d4, 
    __zend_filename=0x117048 "/local/jeff/crack-0.4/libcrack/src/packlib.c", __zend_lineno=221, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:1357
#5  0x0827d815 in _efree (ptr=0xb7f251d4, 
    __zend_filename=0x117048 "/local/jeff/crack-0.4/libcrack/src/packlib.c", __zend_lineno=221, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_alloc.c:1653
#6  0x00114a30 in cracklib_pw_close (pwp=0xb7f251d4)
    at /local/jeff/crack-0.4/libcrack/src/packlib.c:221
#7  0x001133cb in php_crack_module_dtor (rsrc=0xb7f22c9c) at /local/jeff/crack-0.4/crack.c:177
#8  0x082a20d9 in list_entry_destructor (ptr=0xb7f22c9c)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_list.c:184
#9  0x0829ffa8 in zend_hash_del_key_or_index (ht=0x83d9b08, arKey=0x0, nKeyLength=0, h=3, flag=1)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_hash.c:492
#10 0x082a1dcd in _zend_list_delete (id=3)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_list.c:58
#11 0x082949b2 in _zval_dtor_func (zvalue=0xb7f22b00, 
    __zend_filename=0x83a66cc "/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.h", 
    __zend_lineno=35) at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c:60
#12 0x08288db2 in _zval_dtor (zvalue=0xb7f22b00, 
    __zend_filename=0x83a6644 "/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_execute_API.c", 
    __zend_lineno=414) at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.h:35
#13 0x08288f65 in _zval_ptr_dtor (zval_ptr=0xb7f22b84, 
    __zend_filename=0x83a77a8 "/local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c", 
    __zend_lineno=175) at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_execute_API.c:414
#14 0x08294c67 in _zval_ptr_dtor_wrapper (zval_ptr=0xb7f22b84)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_variables.c:175
#15 0x082a01fa in zend_hash_clean (ht=0xb7f22450)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_hash.c:547
#16 0x082b4724 in zend_do_fcall_common_helper_SPEC (execute_data=0xbffc4bd0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:255
#17 0x082b8edd in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbffc4bd0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:1681
#18 0x082b40c2 in execute (op_array=0xb7f21e14)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend_vm_execute.h:92
#19 0x082967ec in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/Zend/zend.c:1097
#20 0x08251376 in php_execute_script (primary_file=0xbffc6fa0)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/main/main.c:1758
#21 0x082fa7a1 in main (argc=2, argv=0xbffc7084)
    at /local/jeff/rpmbuild/SOURCES/php-5.2.0/sapi/cgi/cgi_main.c:1625

 [2006-11-20 13:27 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-11-20 17:33 UTC] sheltren at cs dot ucsb dot edu
The problem still exists with the latest CVS snapshot.

$ php crashes.php 
[Mon Nov 20 09:29:19 2006]  Script:  'crashes.php'
---------------------------------------
/local/jeff/php/crack-0.4/libcrack/src/packlib.c(221) : Block 0xB7EE71D8 status:
Invalid pointer: ((size=0x0000084D) != (next.prev=0x6C087905))
---------------------------------------
X-Powered-By: PHP/5.2.1-dev
Content-type: text/html

zend_mm_heap corrupted
Segmentation fault
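The diagnostic in that output is the Zend debug allocator refusing a free because the block's recorded size does not match the prev field stored in the following block header. As an added illustration, not code from this report, from PHP or from PECL/crack, the constructed C model below keeps the same two boundary tags in a small arena and shows how an overflow into the neighbouring header is caught before the block is unlinked; the arena layout, function names and sizes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed analogue (not Zend's code) of a debug heap with boundary tags:
 * each header stores its own size and the next header stores that same value
 * as prev_size; a free is accepted only when the two agree. */
#define ARENA 4096
#define HDR   ((uint32_t)sizeof(struct blk))
struct blk { uint32_t size; uint32_t prev_size; };
static unsigned char arena[ARENA];
static size_t top;   /* bytes of arena handed out so far */

void heap_init(void) { top = 0; memset(arena, 0, sizeof arena); }
/* Bump-allocate n user bytes behind a header; NULL when the arena is full. */
void *heap_alloc(uint32_t n) {
    uint32_t total = HDR + n;
    if (top + total + HDR > ARENA) return NULL;
    struct blk *b = (struct blk *)(arena + top);
    struct blk *next = (struct blk *)(arena + top + total);
    b->size = total;
    next->prev_size = total;      /* boundary tag that heap_check reads back */
    top += total;
    return (unsigned char *)b + HDR;
}

/* Validate user pointer p as a debug free would: 1 = consistent,
 * 0 = refuse and print a diagnostic in the report's format. */
int heap_check(const void *p) {
    const unsigned char *u = p;
    if (u < arena + HDR || u >= arena + top) { puts("pointer outside heap"); return 0; }
    size_t off = (size_t)(u - arena) - HDR;
    const struct blk *b = (const struct blk *)(arena + off);
    if (b->size < HDR || off + b->size > top) { puts("bad block size"); return 0; }
    const struct blk *next = (const struct blk *)(arena + off + b->size);
    if (b->size != next->prev_size) {
        printf("Invalid pointer: ((size=0x%08X) != (next.prev=0x%08X))\n",
               (unsigned)b->size, (unsigned)next->prev_size);
        return 0;
    }
    return 1;
}
/* Writing 24 bytes into a 16-byte buffer clobbers the neighbouring header,
 * so the overflowed block is rejected before it could be unlinked and freed. */
int demo_overflow_detected(void) {
    heap_init();
    char *a = heap_alloc(16), *b = heap_alloc(16);
    int before = heap_check(a) && heap_check(b);
    memset(a, 'A', 24);           /* constructed overflow: 8 bytes too many */
    return before && !heap_check(a);
}
```

An interior pointer (one that does not sit directly behind a header) is rejected by the same routine, which is the other common way a library hands the allocator a pointer it never returned.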
 [2006-11-20 17:42 UTC] tony2001@php.net
Are you able to reproduce NOT using PECL/crack?
 [2006-11-20 18:11 UTC] sheltren at cs dot ucsb dot edu
So far that is the only code I have had crash on me in this manner.
 [2006-11-20 18:15 UTC] tony2001@php.net
Ok, then please report it to PECL/crack developers:
http://pecl.php.net/bugs/search.php?cmd=display&status=Open&package_name[]=crack
Thanks.
 [2006-11-20 18:27 UTC] sheltren at cs dot ucsb dot edu
Gladly... PECL bug opened for crack here: http://pecl.php.net/bugs/bug.php?id=9395