Bug #9801 mcrypt_encrypt dumps core
Submitted: 2001-03-16 20:58 UTC
Modified: 2001-05-17 17:31 UTC
From: michael at carceri dot dk
Assigned: derick
Status: Closed
Package: mcrypt related
PHP Version: 4.0 Latest CVS (16/03/2001)
OS: Linux 2.4.1
Private report: No
CVE-ID: None
 [2001-03-16 20:58 UTC] michael at carceri dot dk
When I run .php files under Apache (1.3.19) PHP sometimes crashes. I can run the same file several times, and only sometimes it crashes.

This is what is recorded in the apache log (a lot of them):

[Fri Mar  9 19:24:51 2001] [notice] child pid 22845 exit signal Segmentation fault (11)

The following code can reproduce the crash:

$input = "Teststring";
$key = "gQ8V(|!kQ?lmJ8*~/HajI~lNM.-HzJqy";
$iv = "w81kaMfJq(1lcJaQ+m BsjedLq!?230?";
$output = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $input, MCRYPT_MODE_CBC, $iv);

The configure line is: --enable-track-vars --with-mysql=/usr/local/mysql --with-mhash --with-mcrypt --with-apxs=/usr/local/apache/bin/apxs

 [2001-04-10 12:59 UTC] cmv@php.net
This happens for me too with today's CVS and the latest CVS of mcrypt.

Backtrace says:

#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
3152    malloc.c: No such file or directory.
(gdb) bt
#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
#1  0x402c8828 in __libc_free (mem=0x81f7f08) at malloc.c:3054
#2  0x400a650d in mcrypt_module_close (td=0x81f7f08) at mcrypt_modules.c:48
#3  0x807c1e7 in php_mcrypt_do_crypt (cipher=0x81f7e94 "rijndael-256", key=0x81f2118, data=0x81f211c, 
    mode=0x818174c "cbc", iv=0x81f2124, argc=5, dencrypt=0, return_value=0x81f7ef4) at mcrypt.c:1317
#4  0x807c576 in php_if_mcrypt_encrypt (ht=5, return_value=0x81f7ef4, this_ptr=0x0, return_value_used=1)
    at mcrypt.c:1334
#5  0x81228e6 in execute (op_array=0x81f37dc) at ./zend_execute.c:1494
#6  0x80f3fcd in zend_execute_scripts (type=8, file_count=3) at zend.c:743
#7  0x8069c8f in php_execute_script (primary_file=0xbffffa60) at main.c:1196
#8  0x8067fa4 in main (argc=2, argv=0xbffffb04) at cgi_main.c:731
#9  0x4026ab5c in __libc_start_main (main=0x8067830 <main>, argc=2, ubp_av=0xbffffb04, init=0x8064b8c <_init>, 
    fini=0x81362ec <_fini>, rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffffafc)
    at ../sysdeps/generic/libc-start.c:129

Assigning it to the expert ... :)
 [2001-04-10 13:01 UTC] cmv@php.net
Actually, the script only seems to dump core if I do:

    echo bin2hex($output);

after the encryption.  Just a simple:

    echo $output;

seems to work just fine (i.e. it outputs stuff).

- Colin
 [2001-04-10 13:58 UTC] derick@php.net
Crashes for me too, possibly a bug in mcrypt itself. Trying more things...
 [2001-05-17 16:16 UTC] michael at carceri dot dk
I think I've found the problem (and the solution).

Let's look at some functions found in mcrypt first...

File: mcrypt_modules.c

int mcrypt_module_close(MCRYPT td)
{

	lt_dlclose(td->algorithm_handle);
	lt_dlclose(td->mode_handle);
	lt_dlexit();

	td->algorithm_handle = NULL;
	td->mode_handle = NULL;

	td->m_encrypt = NULL;
	td->a_encrypt = NULL;
	td->a_decrypt = NULL;
	td->m_decrypt = NULL;

	free(td);
	
	return 0;
}

File: mcrypt.c

int mcrypt_generic_end(const MCRYPT td)
{
	internal_end_mcrypt(td);
	mcrypt_module_close(td);
	return 0;
}

The crash occurs when the call free(td) is made in mcrypt_module_close(MCRYPT td).

Notice that mcrypt_generic_end(const MCRYPT td) calls mcrypt_module_close(MCRYPT td) in the end.

Let's look at the mcrypt.c file from PHP (NOT the same one as above). It has a function called

php_mcrypt_do_crypt(char* cipher, zval **key, zval **data, char *mode, zval **iv, int argc, int dencrypt, zval* return_value)

At the end of the function, we find the following:

/* freeing vars */
	mcrypt_generic_end (td);
	if (key_s != NULL)
		efree (key_s);
	if (iv_s != NULL)
		efree (iv_s);
	efree (data_s);
        mcrypt_module_close (td);
}

The crash occurs when the final mcrypt_module_close is called.

The reason is that the call to mcrypt_generic_end (td) also calls mcrypt_module_close(td) that again calls free (td). When we later call mcrypt_module_close (td) we try to free td again, and that sometimes gives us a segmentation fault.

The solution is simply to delete the last line in the php_mcrypt_do_crypt function (mcrypt_module_close (td);) found in mcrypt.c. This is ok, since we have already freed td in the call to mcrypt_generic_end (td) a few lines above.

That solved the problems for me. Finally no more crashes :)
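
The double release described in the comment above, as an added example that is not part of the original report and is not PHP or libmcrypt code. The names toy_td, pool_alloc, pool_free, toy_module_close and toy_generic_end are hypothetical stand-ins; a fixed pool replaces malloc/free so that the second release can be counted instead of corrupting the heap.

```c
#include <stddef.h>

/* Hypothetical stand-in for the library handle; not the real MCRYPT type. */
typedef struct { void *algorithm_handle; void *mode_handle; } toy_td;

#define POOL_SIZE 4
static toy_td pool[POOL_SIZE];   /* fixed pool: a released slot stays addressable */
static int in_use[POOL_SIZE];
static int double_frees;         /* releases of a slot that was not in use */

static toy_td *pool_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!in_use[i]) { in_use[i] = 1; return &pool[i]; }
    return NULL;
}

static void pool_free(toy_td *td) {
    if (td == NULL) return;      /* releasing NULL is harmless, as with free() */
    size_t i = (size_t)(td - pool);
    if (in_use[i]) in_use[i] = 0;
    else double_frees++;         /* second release of the same handle */
}

/* Same call shape as the two library functions quoted in the report. */
static int toy_module_close(toy_td *td) { pool_free(td); return 0; }
static int toy_generic_end(toy_td *td)  { return toy_module_close(td); }

/* Cleanup order the report found in php_mcrypt_do_crypt: end, then close. */
int cleanup_as_reported(void) {
    toy_td *td = pool_alloc();
    double_frees = 0;
    toy_generic_end(td);
    toy_module_close(td);        /* handle was already released above */
    return double_frees;
}

/* Cleanup order after the fix proposed in the report: no second close. */
int cleanup_as_fixed(void) {
    toy_td *td = pool_alloc();
    double_frees = 0;
    toy_generic_end(td);
    return double_frees;
}

int main(void) {
    return !(cleanup_as_reported() == 1 && cleanup_as_fixed() == 0);
}
```

With a real allocator the second release is undefined behaviour, which matches the intermittent segmentation faults in the Apache log rather than a crash on every request.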
 [2001-05-17 16:37 UTC] derick@php.net
Hello,

looks all ok. I'll check it out, and apply the patch (if ok) so that it will be fixed in PHP 4.0.6

Derick
 [2001-05-17 17:31 UTC] derick@php.net
Ok, this was indeed the problem. Thanks for this excellent help!

Derick
 