php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #5391 user abort during call_user_function() causes crashes
Submitted: 2000-07-06 00:14 UTC Modified: 2005-03-31 16:13 UTC
From: priit at bluemoon dot ee Assigned:
Status: Wont fix Package: Reproducible Crash
PHP Version: 3.0.16 OS: SunOS 2.7 / RH Linux 6.1
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: priit at bluemoon dot ee
New email:
PHP Version: OS:

 

 [2000-07-06 00:14 UTC] priit at bluemoon dot ee
call_user_function() sets GLOBAL(function_state).function_name to p_function_name.value.str.val and passes same p_function_name as parameter to cs_functioncall_pre_variable_passing() witch pushes function_state to function_state_stack and sets its parameter to GLOBAL(function_state).function_name. This results situration where there is 2 references to p_function_name.value.str.val: in function_state and function_state_stack top element OR if user abort is done in deeper level, 2 consecutive function_state_stack elements
This will result in crash php3_request_shutdown() when same pointer is freed twice

Possible fix:
diff -n -r1.1 language-parser.y
d742 1
a742 1
        pval p_function_name,dummy_function_name;
a760 2
        dummy_function_name = p_function_name;
        pval_copy_constructor(&dummy_function_name);
d770 1
a770 1
        GLOBAL(function_state).function_name = dummy_function_name.value.str.val;
a789 1
        pval_destructor(&dummy_function_name);

I don't think it is best one, but it works


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-31 16:13 UTC] php-bugs at lists dot php dot net
We are sorry, but we do not support PHP 3 related problems anymore.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 13:01:31 2024 UTC