Bug #2161 wddx deserializes crashes httpd
Submitted: 1999-08-26 05:04 UTC Modified: 2002-06-16 08:38 UTC
From: jeffgus at sdnonline dot com Assigned:
Status: Not a bug Package: Reproducible Crash
PHP Version: 3.0 Latest CVS (26/08/1999) OS: Linux
Private report: No CVE-ID: None

 [1999-08-26 05:04 UTC] jeffgus at sdnonline dot com
I tried the latest in CVS, but wddx_deserialize still kills httpd.  Does wddx just stink or what?
All I did was make a loop with data from a database:

$a[$appt_type] = $event_no;
var_dump($a);
$packet_id = wddx_packet_start("PHP");
wddx_add_vars($packet_id, "a");
$packet = wddx_packet_end($packet_id);
print htmlentities($packet);
$test =wddx_deserialize($packet_id);

Here's the backtrace:

#0  0x401de920 in _php3_wddx_deserialize (packet=0x810bfb8, 
    return_value=0x4025869c) at functions/wddx_a.c:632
#1  0x401dee19 in php3_wddx_deserialize (ht=0x8175740, 
    return_value=0x4025869c, list=0x4026a02c, plist=0x4026a000)
    at functions/wddx_a.c:845
#2  0x401f0873 in phpparse () at control_structures_inline.h:934
#3  0x401a0b72 in php3_parse (yyin=0x80b8bf8) at main.c:1553
#4  0x401a0e50 in apache_php3_module_main (r=0x80b5e64, fd=23, 
    display_source_mode=0, preprocessed=0) at main.c:1934
#5  0x4019df65 in send_php3 ()
#6  0x4019dfdf in send_parsed_php3 ()
#7  0x80515b2 in ap_invoke_handler ()
#8  0x805fb4b in ap_some_auth_required ()
#9  0x805fba8 in ap_process_request ()
#10 0x8059b84 in ap_child_terminate ()
#11 0x8059cbb in ap_child_terminate ()
#12 0x8059dc4 in ap_child_terminate ()
#13 0x805a27b in ap_child_terminate ()
#14 0x805a9ce in main ()

 [1999-08-26 09:28 UTC] andrey at cvs dot php dot net
Firstly, please read the documentation.  wddx_deserialize() takes a packet
string, not a packet id.

Secondly, I did update it so it wouldn't crash if it received a non-valid packet.
 [1999-08-26 10:12 UTC] jeffgus at sdnonline dot com
I haven't tried your patch, but it still crashes after I corrected my typo:

echo "<pre>";
var_dump($a);
$packet_id = wddx_packet_start("PHP");
wddx_add_vars($packet_id, "a");
$packet = wddx_packet_end($packet_id);
print htmlentities($packet);
wddx_deserialize($packet);

$a is like:
int(11)
  string(454) "insert into calevent ( id, type, class, dtstart, dtend, duration, lastmod, seq, created, status, transp, location, description, summary, category, organizer, priority, completed, completeddt, rrule, rrulecnt, rruleend, rdate, exdate ) values ( '3665', 'vcal', 'private', '923259600', '923281200', null, 935676543, 0, 935676543, 'confirmed', 0, null, '', 'Easter Dinner with the Janssens', 'HOLIDAY', 3456, null, null, null, null, null, null, null, null )"

  int(12)
  string(464) "insert into calevent ( id, type, class, dtstart, dtend, duration, lastmod, seq, created, status, transp, location, description, summary, category, organizer, priority, completed, completeddt, rrule, rrulecnt, rruleend, rdate, exdate ) values ( '3666', 'vcal', 'private', '925434000', '925448400', null, 935676543, 0, 935676543, 'confirmed', 0, null, '', 'Sixpence None The Richer At  The House Of Blues', '0', 3456, null, null, null, null, null, null, null, null )"

etc.............

 [1999-08-26 10:54 UTC] andrey at cvs dot php dot net
I tried this and it worked for me:

$a[11] = "insert into calevent ( id, type, class, dtstart, dtend,
duration, lastmod, seq, created, status, transp, location, description,
summary, category, organizer, priority, completed, completeddt, rrule,
rrulecnt, rruleend, rdate, exdate ) values ( '3665', 'vcal', 'private',
'923259600', '923281200', null, 935676543, 0, 935676543, 'confirmed', 0, null,
'', 'Easter Dinner with the Janssens', 'HOLIDAY', 3456, null, null, null, null,
null, null, null, null )";
$a[12] = "insert into calevent ( id, type, class, dtstart, dtend,
duration, lastmod, seq, created, status, transp, location, description,
summary, category, organizer, priority, completed, completeddt, rrule, 
rrulecnt, rruleend, rdate, exdate ) values ( '3666', 'vcal', 'private',
'925434000', '925448400', null, 935676543, 0, 935676543, 'confirmed', 0, null,
'', 'Sixpence None The Richer At  The House Of Blues', '0', 3456, null, null,
null, null, null, null, null, null )";
$packet_id = wddx_packet_start("PHP");
wddx_add_vars($packet_id, "a");
$packet = wddx_packet_end($packet_id);
$test = wddx_deserialize($packet);

var_dump($test);

Do you have the complete example?
 [1999-08-27 17:31 UTC] jeffgus at sdnonline dot com
Here it is (sorry for the delay).
This one seems to die on the encode:

$a[] = array ( "test" => "aasdf asdf asd fasdf asdf  asdf asdf", 
	       "asdf" => "123 134 134 123 123 4",
	       "abcdef" => "sdafklwefj wioa fwia",
	       array ( "a" => "test", "b" => "test1", "c" => "test2" )
	       );

$b[] = array();

for ( $i = 0; $i < 100; $i++ ) {
  $b[] = $a;
}
echo "<pre>";
#  var_dump ($b);
$packet_id = wddx_packet_start("PHP");
wddx_add_vars($packet_id, "b");
$packet = wddx_packet_end($packet_id);
print htmlentities($packet);
wddx_deserialize($packet);

 [1999-08-27 18:32 UTC] andrey at cvs dot php dot net
I tried your example and it works on my machine.  Can anyone else duplicate
the crash?
 [1999-08-30 13:31 UTC] jeffgus at sdnonline dot com
Try it with 500 or 1000 iterations of the loop.
 [1999-08-30 14:14 UTC] andrey at cvs dot php dot net
I tried that, still no crash.  If someone can compile PHP with dmalloc on their
system and test it with this script, I'd appreciate it, since I can't get
dmalloc going here.
 [1999-08-31 02:44 UTC] thies at cvs dot php dot net
Ran 1000 iterations through Purify (Solaris) - no problems here.

Has this ever worked for you?

 [1999-09-01 09:10 UTC] andrey at cvs dot php dot net
Thies, did you run the script 1000 times or set the number of 'for'
loop iterations to 1000?

 [1999-09-07 08:57 UTC] jeffgus at sdnonline dot com
New backtrace... hope this helps things.

#0  0x400a9902 in chunk_free (ar_ptr=0x400fe420, p=0x810cd20) at malloc.c:2948
#1  0x400a97c1 in __libc_free (mem=0x810cd28) at malloc.c:2872
#2  0x401aa0b9 in _efree (ptr=0x810cd38) at alloc.c:173
#3  0x401e704f in _php3_free_packet_chunk (chunk_ptr=0x810cd20)
    at functions/wddx_a.c:206
#4  0x4020277d in dlst_kill (l=0x80e8bd8, 
    freeNode=0x401e7030 <_php3_free_packet_chunk>) at functions/dlist.c:151
#5  0x401e7083 in _php3_wddx_destructor (packet=0x80e8b50)
    at functions/wddx_a.c:214
#6  0x401aa593 in list_entry_destructor (ptr=0x80e8f30) at list.c:99
#7  0x401a3748 in _php3_hash_del_key_or_index (ht=0x40279888, arKey=0x0, 
    nKeyLength=0, h=1, flag=1) at php3_hash.c:639
#8  0x401aa4e3 in php3_list_do_delete (list=0x40279888, id=1) at list.c:75
#9  0x401e81c6 in php3_wddx_packet_end (ht=0x80e8dc8, return_value=0x40267eec, 
    list=0x40279888, plist=0x4027985c) at functions/wddx_a.c:791
#10 0x401fc484 in phpparse () at control_structures_inline.h:934
#11 0x401a247b in php3_parse (yyin=0x80b8be0) at main.c:1554
#12 0x401a27ad in apache_php3_module_main (r=0x80b5e64, fd=23, 
    display_source_mode=0, preprocessed=0) at main.c:1935
#13 0x4019f5d5 in send_php3 ()
#14 0x4019f64f in send_parsed_php3 ()
#15 0x80515b2 in ap_invoke_handler ()
#16 0x805fb4b in ap_some_auth_required ()
#17 0x805fba8 in ap_process_request ()
---Type <return> to continue, or q <return> to quit---
#18 0x8059b84 in ap_child_terminate ()
#19 0x8059cbb in ap_child_terminate ()
#20 0x8059dc4 in ap_child_terminate ()
#21 0x805a27b in ap_child_terminate ()
#22 0x805a9ce in main ()

 [2002-06-16 08:38 UTC] sander@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately, PHP 3 is no longer supported. Please download
the latest version of PHP 4 from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.
 
Last updated: Tue Aug 04 15:01:25 2020 UTC