PHP :: Bug #15501 :: header call crashes PHP as Apache module

Bug #15501	header call crashes PHP as Apache module
Submitted:	2002-02-11 08:05 UTC	Modified:	2002-02-11 08:39 UTC
From:	webmaster at sdu dot dk	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	4.1.1	OS:	RH Linux 7.1
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	webmaster at sdu dot dk
New email:
PHP Version:		OS:

New Comment:

[2002-02-11 08:05 UTC] webmaster at sdu dot dk

This script crashes my installation of Apache 1.3.22 with PHP 4.1.1 as module:

<?php 
  //$link = mysql_connect("<host>", "<id>", "<pw>");
  
  if (!isset($PHP_AUTH_USER)) {
    header("WWW-Authenticate: Basic realm=\"My Realm\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Please login\n";
    exit;
  } else {
    echo "<p>Hello $PHP_AUTH_USER.</p>";
  }
?>

When I remove the un-comment the line //$link = ... (and substitutes my MySQL server, id and passwd), Apache does not crash. The script correctly asks for login, however, the realm name is displayed as "My Realm-507".

All settings on the server can be seen at this phpInfo-page:
http://www3.sdu.dk/phpInfo.php

Apache logs this when crashing:
[Mon Feb 11 13:12:04 2002]  Script:  '/home/web/test/adgang3.php'
---------------------------------------
SAPI.c(505) : Block 0x08197B3C status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)
[Mon Feb 11 13:12:05 2002] [notice] child pid 7617 exit signal Segmentation fault (11)

Apache refuses to produce a core dump, but trace from gdb follows here:

(gdb) run -X
Starting program: /etc/httpd/bin/httpd -X

Program received signal SIGSEGV, Segmentation fault.
0x4020a07c in memcpy () from /lib/i686/libc.so.6

bt from gdb:
(gdb) bt
#0  0x4020a07c in memcpy () from /lib/i686/libc.so.6
#1  0x081d0ccc in zval_used_for_init ()
#2  0x0810b8f9 in _mem_block_check (ptr=0x8197b60, silent=1, __zend_filename=0x81742e9 "SAPI.c", __zend_lineno=505, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:659
#3  0x0810aacb in _efree (ptr=0x8197b60, __zend_filename=0x81742e9 "SAPI.c", __zend_lineno=505, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:224
#4  0x0806c4bc in sapi_add_header_ex (header_line=0x823de4c 'Z' <repeats 41 times>, "\204?\217*", 
    header_line_len=40, duplicate=1 '\001', replace=1 '\001') at SAPI.c:505
#5  0x080b91de in zif_header (ht=1, return_value=0x823de0c, this_ptr=0x0, return_value_used=0) at head.c:56
#6  0x0813e437 in execute (op_array=0x823dd24) at ./zend_execute.c:1590
#7  0x0811b8f2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:814
#8  0x080695ba in php_execute_script (primary_file=0xbffff710) at main.c:1307
#9  0x08126c22 in apache_php_module_main (r=0x82380f4, display_source_mode=0) at sapi_apache.c:90
#10 0x08065d14 in send_php ()
#11 0x08065d6d in send_parsed_php ()
#12 0x08148203 in ap_invoke_handler ()
#13 0x0815c3e3 in process_request_internal ()
#14 0x0815c444 in ap_process_request ()
#15 0x081538ad in child_main ()
#16 0x08153a58 in make_child ()
#17 0x08153bcc in startup_children ()
#18 0x08154244 in standalone_main ()
#19 0x08154a97 in main ()
#20 0x4019d627 in __libc_start_main (main=0x8154700 <main>, argc=2, ubp_av=0xbffffb44, init=0x8063594 <_init>, 
    fini=0x81726f0 <_fini>, rtld_fini=0x4000dcc4 <_dl_fini>, stack_end=0xbffffb3c)
    at ../sysdeps/generic/libc-start.c:129

Any ideas?

Sven M. Sorensen
University of Southern Denmark

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-02-11 08:10 UTC] webmaster at sdu dot dk

This script crashes my installation of Apache 1.3.22 with PHP 4.1.1 as module:

<?php 
  //$link = mysql_connect("<host>", "<id>", "<pw>");
  
  if (!isset($PHP_AUTH_USER)) {
    header("WWW-Authenticate: Basic realm=\"My Realm\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Please login\n";
    exit;
  } else {
    echo "<p>Hello $PHP_AUTH_USER.</p>";
  }
?>

When I un-comment the line //$link = ... (and substitutes my MySQL server, id and passwd), Apache does not crash. The script correctly asks for login; however, the realm name is displayed as "My Realm-507".

All settings on the server can be seen at this phpInfo-page:
http://www3.sdu.dk/phpInfo.php

Apache logs this when crashing:
[Mon Feb 11 13:12:04 2002]  Script:  '/home/web/test/adgang3.php'
---------------------------------------
SAPI.c(505) : Block 0x08197B3C status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)
[Mon Feb 11 13:12:05 2002] [notice] child pid 7617 exit signal
Segmentation fault (11)

Apache refuses to produce a core dump, but trace from gdb follows here:

(gdb) run -X
Starting program: /etc/httpd/bin/httpd -X

Program received signal SIGSEGV, Segmentation fault.
0x4020a07c in memcpy () from /lib/i686/libc.so.6

bt from gdb:
(gdb) bt
#0  0x4020a07c in memcpy () from /lib/i686/libc.so.6
#1  0x081d0ccc in zval_used_for_init ()
#2  0x0810b8f9 in _mem_block_check (ptr=0x8197b60, silent=1,
__zend_filename=0x81742e9 "SAPI.c", __zend_lineno=505, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:659
#3  0x0810aacb in _efree (ptr=0x8197b60, __zend_filename=0x81742e9
"SAPI.c", __zend_lineno=505, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:224
#4  0x0806c4bc in sapi_add_header_ex (header_line=0x823de4c 'Z' <repeats
41 times>, "\204?\217*", 
    header_line_len=40, duplicate=1 '\001', replace=1 '\001') at
SAPI.c:505
#5  0x080b91de in zif_header (ht=1, return_value=0x823de0c,
this_ptr=0x0, return_value_used=0) at head.c:56
#6  0x0813e437 in execute (op_array=0x823dd24) at ./zend_execute.c:1590
#7  0x0811b8f2 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at zend.c:814
#8  0x080695ba in php_execute_script (primary_file=0xbffff710) at
main.c:1307
#9  0x08126c22 in apache_php_module_main (r=0x82380f4,
display_source_mode=0) at sapi_apache.c:90
#10 0x08065d14 in send_php ()
#11 0x08065d6d in send_parsed_php ()
#12 0x08148203 in ap_invoke_handler ()
#13 0x0815c3e3 in process_request_internal ()
#14 0x0815c444 in ap_process_request ()
#15 0x081538ad in child_main ()
#16 0x08153a58 in make_child ()
#17 0x08153bcc in startup_children ()
#18 0x08154244 in standalone_main ()
#19 0x08154a97 in main ()
#20 0x4019d627 in __libc_start_main (main=0x8154700 <main>, argc=2,
ubp_av=0xbffffb44, init=0x8063594 <_init>, 
    fini=0x81726f0 <_fini>, rtld_fini=0x4000dcc4 <_dl_fini>,
stack_end=0xbffffb3c)
    at ../sysdeps/generic/libc-start.c:129

Any ideas?

Sven M. Sorensen
University of Southern Denmark

[2002-02-11 08:39 UTC] sesser@php.net

This bug has been fixed in CVS.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2020 The PHP Group All rights reserved.	Last updated: Wed Sep 23 23:01:23 2020 UTC