Bug #20108 $a = "boo"; printf("%580.58s\n", $a); Segfaults
Submitted: 2002-10-26 13:13 UTC Modified: 2002-10-26 15:45 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: jeroen at unfix dot org Assigned: iliaa
Status: Closed Package: Reproducible crash
PHP Version: 4.0CVS-2002-10-20 OS: Linux and NetBSD
Private report: No CVE-ID:
 [2002-10-26 13:13 UTC] jeroen at unfix dot org
The oops:
8<-------------
jeroen@noc:~$ ulimit -c unlimited
jeroen@noc:~$ php4
<?php $a = "boo"; printf("%580.58s\n", $a); ?>
Segmentation fault (core dumped)
------------->8

The system:
8<-------------
jeroen@noc:~$ uname -a
Linux noc 2.4.18 #1 Wed May 29 22:19:46 CEST 2002 i686 Intel(R) Celeron(TM) CPU 1200MHz GenuineIntel GNU/Linux
------------->8
It's Debian unstable, current as of 26-Oct-2002

Relevant Debian packages:
ii  libc6          2.3.1-3
ii  php4-cgi       4.2.3-3

Backtrace:
8<--------------
(gdb) bt
#0  0x402711af in mallopt () from /lib/libc.so.6
#1  0x4027001f in realloc () from /lib/libc.so.6
#2  0x080dd7a3 in _erealloc ()
#3  0x080a6b6a in php_if_stat ()
#4  0x080a8804 in zif_user_printf ()
#5  0x0810c060 in execute ()
#6  0x080ea428 in zend_execute_scripts ()
#7  0x080664cd in php_execute_script ()
#8  0x08064363 in main ()
#9  0x4021b9d3 in __libc_start_main () from /lib/libc.so.6
(gdb) q
-------------->8

I've also tested it on NetBSD, which also segfaulted apache and gave back a whole lot of wrong things (buffer from previous sessions).

OpenBSD 3.1 + FreeBSD 4.6-RELEASE didn't have this problem, so this could quite well be glibc related; see the traceback above.
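The crash above sits in a realloc call reached from printf's string formatting, with a field width (580) far larger than the precision (58). As an added example, not taken from the report or from PHP's source, the routine below appends a string into a growable buffer with printf-style precision and width, sizing the reservation from max(width, truncated length) so that a large width cannot outgrow the allocation; the `outbuf`, `outbuf_reserve`, `append_padded` and `demo_*` names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Growable output buffer (hypothetical type, not PHP's). */
typedef struct { char *data; size_t len; size_t cap; } outbuf;

/* Make room for 'need' more bytes plus a terminating NUL. */
static int outbuf_reserve(outbuf *b, size_t need) {
    size_t want = b->len + need + 1;
    if (want <= b->cap) return 0;
    size_t ncap = b->cap ? b->cap : 64;
    while (ncap < want) ncap *= 2;
    char *p = realloc(b->data, ncap);
    if (!p) return -1;
    b->data = p;
    b->cap = ncap;
    return 0;
}

/* Append 's' honouring printf semantics: 'precision' caps how many
 * characters of 's' are copied, 'width' is the minimum field width,
 * right-justified with spaces. The reservation is based on the full
 * field, not on the copied length alone, so "%580.58s" writes 580
 * bytes into 580 reserved bytes. */
int append_padded(outbuf *b, const char *s, size_t width, size_t precision) {
    size_t slen = strlen(s);
    size_t copy_len = slen < precision ? slen : precision;
    size_t field = width > copy_len ? width : copy_len;
    if (outbuf_reserve(b, field) != 0) return -1;
    size_t pad = field - copy_len;
    memset(b->data + b->len, ' ', pad);
    memcpy(b->data + b->len + pad, s, copy_len);
    b->len += field;
    b->data[b->len] = '\0';
    return 0;
}

/* The report's case, "%580.58s" applied to "boo": returns the output
 * length (580) when the result is 577 spaces followed by "boo", else 0. */
size_t demo_boo_580_58(void) {
    outbuf b = { NULL, 0, 0 };
    size_t n = 0;
    if (append_padded(&b, "boo", 580, 58) == 0 && b.len == 580 &&
        strspn(b.data, " ") == 577 && strcmp(b.data + 577, "boo") == 0)
        n = b.len;
    free(b.data);
    return n;
}
```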


History

 [2002-10-26 15:13 UTC] msopacua@php.net
Somewhat reproduced with BSDi 4.2. Not a segfault, but garbage output.

Added testcase to CVS.
Updated version.
 [2002-10-26 15:25 UTC] jeroen at unfix dot org
I just re-tested this on a FreeBSD 4.6-RELEASE again and:

------------------------->8
jeroen@hog:~$ uname -a
<?php $a = "boo"; printf("%580.58s\n", $a); ?>
X-Powered-By: PHP/4.1.1
Content-type: text/html

                                                                                                                                                                                                                                                
------------------------->8
Notice the many \n's; this could be an empty buffer...
Which is the same I got on OpenBSD 3.1...
 [2002-10-26 15:45 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 00:01:21 2014 UTC