|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #1110 str_replace still crashing undef OpenBSD 2.4 (See BugID #1028)
Submitted: 1999-02-01 23:52 UTC Modified: 1999-02-05 06:32 UTC
From: griggs at lata dot com Assigned:
Status: Closed Package: Reproducible Crash
PHP Version: 3.0 Latest CVS (01/02/1999) OS: OpenBSD 2.4
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: griggs at lata dot com
New email:
PHP Version: OS:


 [1999-02-01 23:52 UTC] griggs at lata dot com
An Update:
  Matt Cox, Jerry Karasz, and I have spent some time debugging the problem
I found with the PHP function str_replace.  We believe we have determined
the problem that is causing php3 to segfault.

  In the function _php3_str_to_str in string.c, in the second block of
code commented "if there is a rest, copy it", if realloc returns a
different pointer, you need to also recompute 's' since 'q' has changed.
Please see my patch below.

Greg Riggs
Los Alamos Technical Associates

----- patch file --------- cut here ----------------------
diff -C 10 string.c.orig string.c
*** string.c.orig       Thu Feb  4 13:48:50 1999
--- string.c    Thu Feb  4 13:58:53 1999
*** 1380,1399 ****
--- 1380,1401 ----
        /* if there is a rest, copy it */
        if((end - p) > 0) {
                s = (q) + (end - p);
                off = realloc(new, s - new + 1);
                if(off != new) {
                        if(!off) {
                                goto finish;
                        q += off - new;
                        new = off;
+                       /* need to recompute s also, since q has changed */
+                       s = (q) + (end - p);
                memcpy(q, p, end - p);
                q = s;
        *q = '\0';
        if(_new_length) *_new_length = q - new;
        return new;
----- cut here --------------------------------------

The program below causes a reproducable crash under OpenBSD 2.4
I built PHP using the latest CVS as of feb 1, 1999, and the 
str_replace function is still causing PHP to crash (please see BugID #1028).

  Greg Riggs

bash-2.02$ cat hack.php3

for($i=0; $i<3; $i++)
    $needle = 'needleneedle';
    $haystack = 'haystackhaystack';
    print "needle=|$needle|\n";
    print "hystack=|$haystack|\n";
    $foo = str_replace($needle, '', $haystack);
    $foolen = strlen($foo);
    print "foolen=|$foolen|\n";
    print "loop **** $i ****\n";

bash-2.02$ gdb php
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd2.4"...
(gdb) run hack.php3
Starting program: /home/gkr/php hack.php3
Content-type: text/html

loop **** 0 ****

Program received signal SIGSEGV, Segmentation fault.
0x400e450f in tcgetattr ()
(gdb) where
#0  0x400e450f in tcgetattr ()
#1  0x400e482a in tcgetattr ()
#2  0x400e4f64 in malloc ()
#3  0x278bd in _emalloc (size=4294652113,
    filename=0x4142a "functions/string.c", lineno=1425) at alloc.c:129
#4  0x4332d in php3_str_replace (ht=0x7b218, return_value=0x5e374,
    list=0x707ac, plist=0x706fc) at functions/string.c:1425
#5  0xce90 in phpparse () at control_structures_inline.h:930
#6  0x1fe2a in php3_parse (yyin=0x4012800c) at main.c:1534
#7  0x20cc5 in main (argc=2, argv=0xefbfdcb4) at main.c:1842


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [1999-02-05 06:32 UTC] sas
Patch applied. Thanks, guys
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun May 24 23:01:27 2020 UTC