Bug #64452 oo Zip PHPTs crash intermittently
Submitted: 2013-03-19 04:49 UTC Modified: 2013-03-19 12:30 UTC
From: mattficken@php.net Assigned:
Status: Closed Package: Zip Related
PHP Version: 5.5Git-2013-03-19 (snap) OS: Windows
Private report: No CVE-ID: None

 [2013-03-19 04:49 UTC] mattficken@php.net
Description:
------------
Running this PHPT on Apache with PHP 5.5-03-19 intermittently crashes:
ext/zip/tests/oo_addemptydir.phpt

I tested some other ext/zip/tests/oo_* including oo_addfile and oo_open and oo_streams, with this revision and they do not crash.

Expected result:
----------------
Test pass

Actual result:
--------------
eax=054cf6e4 ebx=00000000 ecx=7fffffff edx=00000000 esi=00360000 edi=7577cad4
eip=7797dcbb esp=054cf6d4 ebp=054cf74c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlpNtEnumerateSubKey+0x1b26:
7797dcbb eb12            jmp     ntdll!RtlpNtEnumerateSubKey+0x1b3a (7797dccf)

054cf74c 7797ebc1 ntdll!RtlpNtEnumerateSubKey+0x1b26
054cf75c 7797eca1 ntdll!RtlpNtEnumerateSubKey+0x2a2c
054cf790 7792de10 ntdll!RtlpNtEnumerateSubKey+0x2b0c
054cf7c0 757714d1 ntdll!RtlUlonglongByteSwap+0xb70
054cf7d4 6d29dcc2 kernel32!HeapFree+0x14
054cf7e8 6b47e76f MSVCR110!free+0x1a
054cf7f8 6b47e3b3 php5ts!_zip_dirent_finalize+0xf [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\ext\zip\lib\zip_dirent.c @ 162]
054cf884 6b47c345 php5ts!zip_close+0x6d3 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\ext\zip\lib\zip_close.c @ 307]
054cf88c 6b227942 php5ts!php_zip_object_free_storage+0x15 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\ext\zip\php_zip.c @ 1054]
054cf944 6b2276c8 php5ts!zend_objects_store_del_ref_by_handle_ex+0x1a2 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_objects_api.c @ 221]
054cf95c 6b50283e php5ts!zend_objects_store_del_ref+0x18 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_objects_api.c @ 173]
054cf974 6b1eb459 php5ts!_zval_dtor_func+0x316e5e [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_variables.c @ 54]
054cf98c 6b1f985e php5ts!_zval_ptr_dtor+0x59 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_execute_api.c @ 428]
054cf9a4 6b2906f1 php5ts!zend_hash_reverse_apply+0xbe [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_hash.c @ 804]
054cfa10 6b2572a9 php5ts!shutdown_destructors+0x71 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend_execute_api.c @ 218]
054cfa68 6b256c78 php5ts!zend_call_destructors+0x49 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\zend\zend.c @ 924]
054cfd74 6f9a1566 php5ts!php_request_shutdown+0x108 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\main\main.c @ 1743]
054cfea8 6d2341d5 php5apache2_4!php_handler+0x486 [c:\php-sdk\snap_5_5\vc11\x86\ts-windows-vc11-x86\sapi\apache2handler\sapi_apache2.c @ 680]
054cfec0 6d23356d libhttpd!ap_run_handler+0x25 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\config.c @ 169]
054cfed8 6d242424 libhttpd!ap_invoke_handler+0xdd [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\config.c @ 432]
054cfef8 6d2424b1 libhttpd!ap_process_async_request+0x184 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\modules\http\http_request.c @ 317]
054cff0c 6d23d8a1 libhttpd!ap_process_request+0x11 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\modules\http\http_request.c @ 363]
054cff28 6d236545 libhttpd!ap_process_http_sync_connection+0x61 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\modules\http\http_core.c @ 190]
054cff40 6d25ae62 libhttpd!ap_run_process_connection+0x25 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\connection.c @ 41]
054cff68 75773677 libhttpd!worker_main+0x112 [g:\php-sdk\lib_builds\vc11\x86\httpd-2.4.3-makefile\server\mpm\winnt\child.c @ 840]
054cff74 778e9d72 kernel32!BaseThreadInitThunk+0x12
054cffb4 778e9d45 ntdll!RtlInitializeExceptionChain+0x63
054cffcc 00000000 ntdll!RtlInitializeExceptionChain+0x36

Patches

64452.patch (last revision 2013-03-19 18:15 UTC by ab@php.net)

Pull Requests

History

 [2013-03-19 12:30 UTC] ab@php.net
Reproduced the same on linux, here's what valgrind says

==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48831: _zip_dirent_finalize (zip_dirent.c:162)
==17169==    by 0x4C4693B: zip_close (zip_close.c:306)
==17169==    by 0x4C3E9A4: c_ziparchive_close (php_zip.c:1555)
==17169==    by 0x4DD0D81: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:542)
==17169==    by 0x4DD16A2: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:674)
==17169==    by 0x4DD029A: execute_ex (zend_vm_execute.h:356)
==17169==    by 0x4DD0364: zend_execute (zend_vm_execute.h:381)
==17169==    by 0x4D919F5: zend_execute_scripts (zend.c:1316)
==17169==    by 0x4CEBF47: php_execute_script (main.c:2479)
==17169==    by 0x4E4526A: php_handler (sapi_apache2.c:667)
==17169==    by 0x809072E: ap_run_handler (config.c:169)

==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48849: _zip_dirent_finalize (zip_dirent.c:164)
==17169==    by 0x4C4693B: zip_close (zip_close.c:306)
==17169==    by 0x4C3E9A4: c_ziparchive_close (php_zip.c:1555)
==17169==    by 0x4DD0D81: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:542)
==17169==    by 0x4DD16A2: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:674)
==17169==    by 0x4DD029A: execute_ex (zend_vm_execute.h:356)
==17169==    by 0x4DD0364: zend_execute (zend_vm_execute.h:381)
==17169==    by 0x4D919F5: zend_execute_scripts (zend.c:1316)
==17169==    by 0x4CEBF47: php_execute_script (main.c:2479)
==17169==    by 0x4E4526A: php_handler (sapi_apache2.c:667)
==17169==    by 0x809072E: ap_run_handler (config.c:169)

==17169== 
==17169== Invalid free() / delete / delete[]
==17169==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==17169==    by 0x4C48819: _zip_dirent_finalize (zip_dirent.c:160)
==17169==    by 0x4C4693B: zip_close (zip_close.c:306)
==17169==    by 0x4C3D1BB: php_zip_object_free_storage (php_zip.c:1054)
==17169==    by 0x4DC8D41: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:221)
==17169==    by 0x4DC89CD: zend_objects_store_del_ref (zend_objects_API.c:173)
==17169==    by 0x4D8CBD6: _zval_dtor_func (zend_variables.c:54)
==17169==    by 0x4D79F34: _zval_dtor (zend_variables.h:35)
==17169==    by 0x4D7A03E: i_zval_ptr_dtor (zend_execute.h:81)
==17169==    by 0x4D7BCD3: _zval_ptr_dtor (zend_execute_API.c:428)
==17169==    by 0x4D8D034: _zval_ptr_dtor_wrapper (zend_variables.c:182)
==17169==    by 0x4DA2A48: zend_hash_apply_deleter (zend_hash.c:650)

It's always _zip_dirent_finalize on various lines; that function actually does only free() calls.
 [2013-03-19 15:12 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 64452.patch
Revision:   1363705975
URL:        https://bugs.php.net/patch-display.php?bug=64452&patch=64452.patch&revision=1363705975
 [2013-03-19 18:03 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 64452.patch
Revision:   1363716237
URL:        https://bugs.php.net/patch-display.php?bug=64452&patch=64452.patch&revision=1363716237
 [2013-03-19 18:15 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: 64452.patch
Revision:   1363716932
URL:        https://bugs.php.net/patch-display.php?bug=64452&patch=64452.patch&revision=1363716932
 [2013-03-20 08:16 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bb935ff8dc65c52efea6aae6697a806dc86c8580
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 [2013-03-20 08:16 UTC] ab@php.net
-Status: Open +Status: Closed
 [2013-03-20 08:43 UTC] ab@php.net
Automatic comment from SVN on behalf of ab
Revision: http://svn.php.net/viewvc/?view=revision&revision=329838
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 [2013-03-23 20:34 UTC] ab@php.net
Automatic comment from SVN on behalf of ab
Revision: http://svn.php.net/viewvc/?view=revision&revision=329897
Log: Reworked the changes for #64452
 [2014-10-07 23:19 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=bb935ff8dc65c52efea6aae6697a806dc86c8580
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 [2014-10-07 23:30 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=bb935ff8dc65c52efea6aae6697a806dc86c8580
Log: Fixed bug #64452 Zip PHPTs crash intermittently
 