Bug #60733 strtotime bug in php 5.3.9
Submitted: 2012-01-12 21:29 UTC Modified: 2012-01-13 01:37 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: paul at minimoo dot org Assigned: gui (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.9 OS: linux(debian)-64bit
Private report: No CVE-ID: None
 [2012-01-12 21:29 UTC] paul at minimoo dot org
Description:
------------
Since upgrading [using dotdeb.org compiled version of php] from php 5.3.8 to php 5.3.9, strtotime appears to crash. This occurs for me on 2 VMs, minimised to 1 line of php.

Valgrind/GDB output attached

Test script:
---------------
<?php
// Minimal reproducer: one strtotime() call with an explicit UTC zone
echo strtotime('2011-01-1 00:00 UTC');

Actual result:
--------------
valgrind /usr/bin/php test.php
==25725== Memcheck, a memory error detector
==25725== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==25725== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==25725== Command: /usr/bin/php test.php
==25725==
1293840000==25725== Invalid read of size 8
==25725==    at 0x45D494: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4A8: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb0 is 32 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4BE: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfb8 is 40 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4D4: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc0 is 48 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D4EA: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfc8 is 56 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D500: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcfd0 is 64 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid read of size 8
==25725==    at 0x45D516: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcff8 is 104 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)
==25725==
==25725== Invalid free() / delete / delete[]
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==    by 0x6C645B: module_registry_cleanup (in /usr/bin/php5)
==25725==    by 0x6D0FA3: zend_hash_reverse_apply (in /usr/bin/php5)
==25725==    by 0x6C4E7C: zend_deactivate_modules (in /usr/bin/php5)
==25725==    by 0x66FDB4: php_request_shutdown (in /usr/bin/php5)
==25725==    by 0x7547FF: main (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==    by 0x715839: zend_do_fcall_common_helper_SPEC (in /usr/bin/php5)
==25725==    by 0x6ECC5F: execute (in /usr/bin/php5)
==25725==    by 0x6C3FAC: zend_execute_scripts (in /usr/bin/php5)
==25725==    by 0x66F147: php_execute_script (in /usr/bin/php5)
==25725==    by 0x755755: main (in /usr/bin/php5)


------------------------------------


1293840000*** glibc detected *** /usr/bin/php: corrupted double-linked list: 0x0000000001076b30 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ad6)[0x7ffff4cc5ad6]
/lib/libc.so.6(+0x71f0d)[0x7ffff4cc5f0d]
/lib/libc.so.6(+0x73418)[0x7ffff4cc7418]
/lib/libc.so.6(cfree+0x6c)[0x7ffff4cca84c]
/usr/bin/php[0x6e4121]
/usr/bin/php(php_request_shutdown+0x306)[0x66fd26]
/usr/bin/php[0x754800]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ffff4c72c4d]
/usr/bin/php[0x42f7e9]
======= Memory map: ========

gdb BT full @ http://pastebin.com/3gQpsRng
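
A triage helper for the Memcheck report above, added here as an example (it is not part of the original report or of PHP): it groups the errors by freed heap block and shows which function freed the block and which function touched it afterwards. The sample input is constructed by abridging two errors from the report; `summarize` and its field names are hypothetical.

```python
import re

# Constructed sample: two errors abridged from the Memcheck report above
# (same addresses and symbols, inner stack frames dropped).
SAMPLE = """\
==25725== Invalid read of size 8
==25725==    at 0x45D4A8: timelib_tzinfo_dtor (in /usr/bin/php5)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==  Address 0x8bdcfb0 is 32 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
==25725==
==25725== Invalid free() / delete / delete[]
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x6D1217: zend_hash_destroy (in /usr/bin/php5)
==25725==    by 0x437BF0: zm_deactivate_date (in /usr/bin/php5)
==25725==  Address 0x8bdcf90 is 0 bytes inside a block of size 112 free'd
==25725==    at 0x4C240FD: free (vg_replace_malloc.c:366)
==25725==    by 0x435599: zif_strtotime (in /usr/bin/php5)
"""

HEAD = re.compile(r"^==\d+== (Invalid \S+)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ADDR = re.compile(r"^==\d+==\s+Address 0x([0-9a-f]+) is (\d+) bytes "
                  r"inside a block of size (\d+) free'd")

def summarize(report):
    """Group Memcheck errors on freed heap blocks by block base address."""
    blocks = {}
    kind = user = block = None
    for line in report.splitlines():
        if m := HEAD.match(line):
            kind, user, block = m.group(1), None, None
        elif m := ADDR.match(line):
            offset = int(m.group(2))
            base = int(m.group(1), 16) - offset   # start of the freed block
            block = blocks.setdefault(
                base, {"size": int(m.group(3)), "freed_by": None, "events": []})
            block["events"].append((kind, offset, user))
        elif (m := FRAME.match(line)) and kind and m.group(1) != "free":
            # First non-allocator frame: before the Address line it is the
            # late user, after it it is the function that freed the block.
            if block is None:
                user = user or m.group(1)
            elif block["freed_by"] is None:
                block["freed_by"] = m.group(1)
    return blocks
```

Run over the full report, every error resolves to the same 112-byte block at 0x8bdcf90, freed in `zif_strtotime` and then read and freed again from the `zm_deactivate_date` path at request shutdown.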

 [2012-01-12 22:37 UTC] paul at minimoo dot org
This is looking like it may be an issue with the dotdeb.org build of 5.3.9 - have had 3-4 people confirm that this code breaks with the .deb files at http://dotdeb.mirror.somersettechsolutions.co.uk/dists/stable/php5/binary-amd64/ 

and 2 people unable to reproduce from a build from latest svn
 [2012-01-12 22:37 UTC] paul at minimoo dot org
-Status: Open +Status: Closed
 [2012-01-12 22:38 UTC] gui@php.net
-Status: Closed +Status: Assigned -Assigned To: +Assigned To: gui
 [2012-01-12 22:38 UTC] gui@php.net
It seems to be a Dotdeb-specific issue, I'm looking for a fix. No need to post it 
here without warning me first.
 [2012-01-13 01:37 UTC] gui@php.net
-Status: Assigned +Status: Closed
 [2012-01-13 01:37 UTC] gui@php.net
This issue has been fixed in the latest Dotdeb packages. Be sure to upgrade at 
least:
  * to 5.3.9-0~dotdeb.3 if you're running Squeeze 
  * to 5.3.9-0~dotdeb.2 if you're running Lenny

Please send future Dotdeb-specific issues directly on http://www.dotdeb.org/ or 
on my email.
 