|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #20108 $a = "boo"; printf("%580.58s\n", $a); Segfaults
Submitted: 2002-10-26 13:13 UTC Modified: 2002-10-26 15:45 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: jeroen at unfix dot org Assigned: iliaa (profile)
Status: Closed Package: Reproducible crash
PHP Version: 4.0CVS-2002-10-20 OS: Linux and NetBSD
Private report: No CVE-ID: None
 [2002-10-26 13:13 UTC] jeroen at unfix dot org
The oops:
jeroen@noc:~$ ulimit -c unlimited
jeroen@noc:~$ php4
<?php $a = "boo"; printf("%580.58s\n", $a); ?>
Segmentation fault (core dumped)

The system:
jeroen@noc:~$ uname -a
Linux noc 2.4.18 #1 Wed May 29 22:19:46 CEST 2002 i686 Intel(R) Celeron(TM) CPU
               1200MHz GenuineIntel GNU/Linux
It's Debian unstable, current as of 26-Oct-2002

Relevant Debian packages:
ii  libc6          2.3.1-3
ii  php4-cgi       4.2.3-3

(gdb) bt
#0  0x402711af in mallopt () from /lib/
#1  0x4027001f in realloc () from /lib/
#2  0x080dd7a3 in _erealloc ()
#3  0x080a6b6a in php_if_stat ()
#4  0x080a8804 in zif_user_printf ()
#5  0x0810c060 in execute ()
#6  0x080ea428 in zend_execute_scripts ()
#7  0x080664cd in php_execute_script ()
#8  0x08064363 in main ()
#9  0x4021b9d3 in __libc_start_main () from /lib/
(gdb) q

I've also tested it on NetBSD, which also segfaulted apache and gave back a whole lot of wrong things (buffer from previous sessions).

OpenBSD 3.1 + FreeBSD 4.6-RELEASE didn't have this problem
so this could quite well be glibc related, see the traceback above.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-10-26 15:13 UTC]
Somewhat reproduced with BSDi 4.2. Not a segfault, but garbage output.

added testcase to CVS.
Updated version.
 [2002-10-26 15:25 UTC] jeroen at unfix dot org
I just re-tested this on a FreeBSD 4.6-RELEASE again and:

jeroen@hog:~$ uname -a
<?php $a = "boo"; printf("%580.58s\n", $a); ?>
X-Powered-By: PHP/4.1.1
Content-type: text/html

Notice the many \n's, this could be an empty buffer...
Which is the same I got on OpenBSD 3.1...
 [2002-10-26 15:45 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Nov 28 17:01:27 2023 UTC