|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #12227 Over writing output buffer and returning it causes segfault
Submitted: 2001-07-18 06:07 UTC Modified: 2002-05-03 23:07 UTC
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: brueckner at respublica dot de Assigned: yohgaki (profile)
Status: Closed Package: Output Control
PHP Version: 4.2.0-dev OS: Linux 2.2.16-SMP
Private report: No CVE-ID: None
 [2001-07-18 06:07 UTC] brueckner at respublica dot de
When using ob_start() with a script included via auto_prepend_file and then doing something like this:


function my_flush($buffer)
    $buffer = preg_replace("/(<!--REPLACE\\s.*?-->)/e", "parse(\"\\1\")",

    return $buffer;

PHP 4.0.6 SIGSEGV's with this message in the error_log:

[Wed Jul 18 11:55:08 2001]  Script:  '/home/htdocs/test.php'
output.c(235) : Block 0x0824C940 status:
Beginning:  	Overrun (magic=0x08294990, expected=0x7312F8DC)
      End:	Unknown
./zend_execute.c(334) :  Freeing 0x082A8CB4 (28131 bytes), script=/home/htdocs/test.php
zend_variables.c(117) : Actual location (location was relayed)
[Wed Jul 18 11:55:08 2001] [notice] child pid 30192 exit signal Segmentation fault (11)

If I replace the line
    $buffer = preg_replace("/(<!--REPLACE\\s.*?-->)/e", "parse(\"\\1\")",
    $newbuffer = preg_replace("/(<!--REPLACE\\s.*?-->)/e", "parse(\"\\1\")",

it works fine.

Any ideas for a fix?



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-07-18 06:13 UTC] brueckner at respublica dot de
One more comment which I forgot before:

This does NOT happen when I do not use auto_prepend_file and call my function inside the main script instead.

 [2001-12-12 04:31 UTC]
I guess you have ob_end_clean() or ob_end_flush() in your auto prepend file. Do you?
Anyway, does this happen with 4.1.0?
 [2002-01-02 13:58 UTC]
No feedback. Closing.
 [2002-01-02 18:48 UTC]
The same issue was submitted recently and it seems there is a problem.

To Reporter: Do not change parameter passed, but assgin to new var and return new var to prevent segfault for now. Please update PHP Version if you have tried with newer PHP.

Assigned to myslef so that I don't forget this.
 [2002-02-05 18:28 UTC]
Easy one to fix :)


function my_flush($buffer)
    $buffer = preg_replace("/(<!--REPLACE\\s.*?-->)/e",

    return $buffer;


/home/yohgaki/public_html/bugs/12227/bug.php(9) : Warning - String is not zero-terminated (ZZZZZZZZZZZZZZ
 [2002-02-07 02:29 UTC]
Anyone who are interested in this problem.
here is a patch for this problem. This should solve unwanted free for this specific case. Question is do we really want this?

Index: main/output.c
RCS file: /repository/php4/main/output.c,v
retrieving revision 1.84
diff -u -r1.84 output.c
--- main/output.c       7 Feb 2002 02:50:28 -0000       1.84
+++ main/output.c       7 Feb 2002 06:31:35 -0000
@@ -164,7 +164,7 @@
                ZVAL_STRINGL(orig_buffer, OG(active_ob_buffer).buffer, OG(active_ob_buffer).text_length, 0);
                orig_buffer->refcount=2;        /* don't let call_user_function() destroy our buffer */
-               orig_buffer->is_ref=1;
+               orig_buffer->is_ref=0;
                ZVAL_LONG(z_status, status);

 [2002-02-12 22:38 UTC]
Last patch that I memtioned still have problem with simple output handler like

ob_handler($buffer) {
  $result = $buffer;
  return $result;

This could happen easily when user conditinally convert buffer....

To fix this segfualt completely, it seems I have to copy buffer before pass it to user defined output handler. 
 [2002-04-05 05:19 UTC] lucifer at vengeance dot et dot tudelft dot nl
the following testcase even crashes PHP4. it seems if you assign a value to the given parameter (here $s) which is larger than the original, it will crash. copying the input into a seperate variable and work with that is a workaround. still this simple buffer overflow ought to be easy to fix?

using 4.1.1 (build dec 30, 2001):

ob_start( "handler" );

function handler( $s ) {
  $s = $s."foobar foobar foobar";
  return $s;
 [2002-05-03 23:07 UTC]
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jul 25 06:01:30 2024 UTC