PHP :: Bug #58221 :: Segfault on runkit_function

Bug #58221	Segfault on runkit_function_*
Submitted:	2008-06-05 18:03 UTC	Modified:	2013-02-23 14:17 UTC
From:	bj at schmong dot org	Assigned:	pollita (profile)
Status:	Closed	Package:	runkit (PECL)
PHP Version:	5.1.3	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bj at schmong dot org
New email:
PHP Version:		OS:

New Comment:

[2008-06-05 18:03 UTC] bj at schmong dot org

Description:
------------
Segfault with runkit_function_* on PHP 5.x with both CVS and 0.9.

Suspect simple typo in php_runkit.h.  Patch (that works) is in "reproduce code."

Reproduce code:
---------------
I've tried this with 5.1.6 (centosplus from v4) and 5.2.6 (with and without RHish RPM patches), so I'm pretty sure it's all of v5.  I've tried both runkit 0.9 and CVS with the same result.

Anytime I use anything that calls PHP_RUNKIT_STRTOLOWER (including particularly runkit_function_remove, runkit_function_redefine, etc.), I get a segfault.  This goes for CLI or Apache mod.

As far as I can tell, it's a simple typo in php_runkit.h, where the PHP5 PHP_RUNKIT_STRTOLOWER calls php_strtolower(&p, ...) instead of just (p, ...)

Patch that fixes follows.


diff -ur pecl.old/runkit/php_runkit.h pecl/runkit/php_runkit.h
--- pecl.old/runkit/php_runkit.h        2008-03-31 06:11:36.000000000 -0400
+++ pecl/runkit/php_runkit.h    2008-06-05 17:49:47.000000000 -0400
@@ -173,7 +173,7 @@
 #define PHP_RUNKIT_DECL_STRING_PARAM(p)                        char *p; int p##_len;
 #define PHP_RUNKIT_STRING_SPEC                                 "s"
 #define PHP_RUNKIT_STRING_PARAM(p)                             &p, &p##_len
-#define PHP_RUNKIT_STRTOLOWER(p)                               php_strtolower(&p, &p##_len)
+#define PHP_RUNKIT_STRTOLOWER(p)                               php_strtolower(p, p##_len)
 #define PHP_RUNKIT_STRING_LEN(param,addtl)             (param##_len + (addtl))
 #define PHP_RUNKIT_STRING_TYPE(param)                  IS_STRING
 #define PHP_RUNKIT_HASH_FIND(hash,param,ppvar) zend_hash_find(hash, param, param##_len + 1, (void**)ppvar)


Expected result:
----------------
No segfault.

Actual result:
--------------
Segfault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-08-22 10:12 UTC] Keisial at gmail dot com

Importance: Critical
Bug 14028 seems a duplicate of this.

I also faced the same problem. Seems a confusion between php_u_strtolower and php_strtolower. 

I think it should be:

Index: php_runkit.h
===================================================================
RCS file: /repository/pecl/runkit/php_runkit.h,v
retrieving revision 1.31
diff -u -r1.31 php_runkit.h
--- php_runkit.h        31 Mar 2008 10:11:36 -0000      1.31
+++ php_runkit.h        22 Aug 2008 14:09:03 -0000
@@ -159,7 +159,7 @@
 #define PHP_RUNKIT_DECL_STRING_PARAM(param)            void *param; int32_t par
am##_len; zend_uchar param##_type;
 #define PHP_RUNKIT_STRING_SPEC                                 "t"
 #define PHP_RUNKIT_STRING_PARAM(param)                 &param, &param##_len, &p
aram##_type
-#define PHP_RUNKIT_STRTOLOWER(param)                   php_u_strtolower((UChar*)&param, &param##_len, UG(default_locale))
+#define PHP_RUNKIT_STRTOLOWER(param)                   php_u_strtolower(param, &param##_len, UG(default_locale))
 #define PHP_RUNKIT_STRING_LEN(param,addtl)             (param##_type == IS_UNICODE ? UBYTES(param##_len + (addtl)) : (param##_len + (addtl)))
 #define PHP_RUNKIT_STRING_TYPE(param)                  (param##_type)
 #define PHP_RUNKIT_HASH_FIND(hash,param,ppvar) zend_u_hash_find(hash, param##_type, (UChar *)param, param##_len + 1, (void**)ppvar)
@@ -173,7 +173,7 @@
 #define PHP_RUNKIT_DECL_STRING_PARAM(p)                        char *p; int p##_len;
 #define PHP_RUNKIT_STRING_SPEC                                 "s"
 #define PHP_RUNKIT_STRING_PARAM(p)                             &p, &p##_len
-#define PHP_RUNKIT_STRTOLOWER(p)                               php_strtolower(&p, &p##_len)
+#define PHP_RUNKIT_STRTOLOWER(p)                               php_strtolower(p, p##_len)
 #define PHP_RUNKIT_STRING_LEN(param,addtl)             (param##_len + (addtl))
 #define PHP_RUNKIT_STRING_TYPE(param)                  IS_STRING
 #define PHP_RUNKIT_HASH_FIND(hash,param,ppvar) zend_hash_find(hash, param, param##_len + 1, (void**)ppvar)
@@ -188,7 +188,7 @@
 #define PHP_RUNKIT_DECL_STRING_PARAM(p)                        char *p; int p##_len;
 #define PHP_RUNKIT_STRING_SPEC                                 "s"
 #define PHP_RUNKIT_STRING_PARAM(p)                             &p, &p##_len
-#define PHP_RUNKIT_STRTOLOWER(p)                               php_strtolower(&p, &p##_len)
+#define PHP_RUNKIT_STRTOLOWER(p)                               php_strtolower(p, p##_len)
 #define PHP_RUNKIT_STRING_LEN(param,addtl)             (param##_len + (addtl))
 #define PHP_RUNKIT_STRING_TYPE(param)                  IS_STRING
 #define PHP_RUNKIT_HASH_FIND(hash,param,ppvar) zend_hash_find(hash, param, param##_len + 1, (void**)ppvar)

[2009-07-21 19:31 UTC] pear dot neufeind at speedpartner dot de

I verified that the patch from Keisial fixes it. Tried against php 5.2.10.
php_strtolower is called through the define-macro - with another pointer-indirection instead of the correct "string" (char-pointer).

This leads to a segfault which looks like:
#0  php_strtolower (s=0x7fffffffb598 "", len=<value optimized out>) at /usr/src/debug/php-5.2.10/ext/standard/string.c:1330
#1  0x00007ffff0b0e4d6 in php_runkit_fetch_function (fname_type=<value optimized out>, fname=0xa64000 "aaa", fname_len=0, pfe=0x0, flag=1)
    at /usr/src/debug/php-pecl-runkit-0.9/runkit/runkit_functions.c:59

Using the fix the function-name is correctly passed to php_strtolower.

[2009-07-22 04:37 UTC] pahan at hubbitus dot spb dot su

[2013-02-23 14:17 UTC] pollita@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: pollita

[2013-02-23 14:17 UTC] pollita@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Thanks for the analysis and fix.

This was actually fixed in the big batch of updates I've committed recently.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 01:00:01 2025 UTC