Bug #25922 In error handler, modifying 5th arg (errcontext) may result in seg fault
Submitted: 2003-10-20 07:54 UTC Modified: 2005-06-09 13:27 UTC
From: jeroen at derks dot it Assigned: dmitry
Status: Closed Package: Scripting Engine problem
PHP Version: 4-STABLE-CVS-20031021 OS: Linux 2.4.20 Debian 3.0
Private report: No CVE-ID:
 [2003-10-20 07:54 UTC] jeroen at derks dot it
Description:
------------
Modifying 5th parameter of error handler will make PHP crash when leaving the error handler.

NB: This seems to happen only when the error was generated in a function (possibly also in a member function). Please see the code.
NB2: When changing function test()'s parameter name into $args, PHP exited normally.

Reproduce code:
---------------
    <?php
    // Error handler that reassigns its 5th parameter ($errcontext).
    // This reassignment is what triggers the crash described above.
    function my_error_handler( $error, $errmsg = '', $errfile = '', $errline = 0, $errcontext = '' )
    {
        $errcontext = '';
    }

    set_error_handler( 'my_error_handler' );

    // $data is never defined, so the echo raises a notice from inside a function.
    function test( $headers = '' )
    {
        echo "Undefined index here: '{$data['HTTP_HEADER']}'\n";
    }

    test();
    ?>

Expected result:
----------------
Undefined index here: ''

Actual result:
--------------
Undefined index here: ''
Segmentation fault
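For comparison, here is an error handler written so that it never writes to the fifth parameter. This is an added example, not code from the bug report or from PHP itself; the function and variable names are the example's own. It copies $errcontext into a local variable for logging (redacting obvious secrets from the calling scope) and then returns, leaving the parameter untouched. It assumes a PHP version that still passes the fifth argument (PHP 5.x/7.x); on PHP 8, which no longer passes it, the array() default applies and the handler still works.

```php
<?php
// Added example: read-only use of $errcontext in an error handler.
// Hypothetical names; not part of the original report.

function logging_error_handler($errno, $errstr, $errfile = '', $errline = 0, $errcontext = array())
{
    // Only handle levels enabled by error_reporting(); returning false lets
    // PHP's default handling apply to everything else.
    if (!(error_reporting() & $errno)) {
        return false;
    }

    // Work on a local copy. The parameter itself is never reassigned.
    $snapshot = is_array($errcontext) ? $errcontext : array();

    // The context is the calling scope's variables, so scrub anything that
    // must not end up in a log file before writing it out.
    $redact = array('password', 'passwd', 'secret', 'token', 'HTTP_COOKIE');
    foreach ($snapshot as $name => $value) {
        if (in_array($name, $redact, true)) {
            $snapshot[$name] = '[redacted]';
        } elseif (!is_scalar($value)) {
            // Avoid dumping nested structures (arrays, objects, resources).
            $snapshot[$name] = gettype($value);
        }
    }

    error_log(sprintf('[%d] %s at %s:%d vars=%s',
        $errno, $errstr, $errfile, $errline, var_export($snapshot, true)));

    // true marks the error as handled; $errcontext is left exactly as received.
    return true;
}

set_error_handler('logging_error_handler');

function test($headers = '')
{
    // $data is undefined, so this raises a notice inside a function,
    // the same situation the report describes.
    echo "Undefined index here: '{$data['HTTP_HEADER']}'\n";
}

test();

// Put back whatever handler was active before this one was installed.
restore_error_handler();
?>
```

The handler logs the scope's variable names and scalar values, which is usually what you want from errcontext, and restores the previous handler when done so the change does not leak into unrelated code.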

History

 [2003-10-20 14:11 UTC] helly@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip
 [2003-10-21 06:16 UTC] sniper@php.net
With PHP 4.3.4RC3-dev:

[Tue Oct 21 13:11:19 2003]  Script:  't.php'
---------------------------------------
zend_opcode.c(152) : Block 0x08508470 status:
Beginning:      Overrun (magic=0x084E8D58, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003]  Script:  't.php'
---------------------------------------
zend_opcode.c(159) : Block 0x08509568 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning:      Overrun (magic=0x084E8D58, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003]  Script:  't.php'
---------------------------------------
zend_opcode.c(159) : Block 0x085095A0 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning:      Overrun (magic=0x085095D0, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003]  Script:  't.php'
---------------------------------------
zend_opcode.c(165) : Block 0x085095D8 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning:      Overrun (magic=0x08509608, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003]  Script:  't.php'
---------------------------------------
zend_opcode.c(159) : Block 0x08509610 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning:      Overrun (magic=0x08509640, expected=0x7312F8DC)
      End:      Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003]  Script:  't.php'
---------------------------------------
zend_opcode.c(165) : Block 0x08509648 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning:      Overrun (magic=0x08509678, expected=0x7312F8DC)
      End:      Unknown

...and so on. GDB backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 14715)]
0x08259de8 in _efree (ptr=0x85096b4, __zend_filename=0x8361d00 "zend_opcode.c", 
    __zend_lineno=169, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:259
259             REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0  0x08259de8 in _efree (ptr=0x85096b4, __zend_filename=0x8361d00 "zend_opcode.c", 
    __zend_lineno=169, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:259
#1  0x08265895 in destroy_op_array (op_array=0x8508af8) at zend_opcode.c:169
#2  0x0826566b in destroy_zend_function (function=0x8508af8) at zend_opcode.c:100
#3  0x08272fa7 in zend_hash_destroy (ht=0x8415848) at zend_hash.c:553
#4  0x0826cb30 in zend_shutdown () at zend.c:559
#5  0x082358bf in php_module_shutdown () at main.c:1284
#6  0x08290fb0 in main (argc=2, argv=0xbffffc84) at php_cli.c:876

Note: Works fine with PHP 5.

 [2005-06-08 16:13 UTC] dmitry@php.net
The bug is still reproducible in PHP_4_4 and HEAD.
 [2005-06-09 13:27 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_0 and PHP_4_4.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 03:02:48 2014 UTC