php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27135 segfault in zend_execute.c
Submitted: 2004-02-03 11:32 UTC Modified: 2004-02-05 21:23 UTC
From: jan at horde dot org Assigned: moriyoshi
Status: Closed Package: mbstring related
PHP Version: 4CVS-2004-02-03 (stable) OS: Linux
Private report: No CVE-ID:
 [2004-02-03 11:32 UTC] jan at horde dot org
Description:
------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28753)]
0x4067a064 in execute (op_array=0x878137c)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1258
1258                                    if (ARG_SHOULD_BE_SENT_BY_REF(EX(opline)


backtrace:

#0  0x4067a064 in execute (op_array=0x878137c)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1258
#1  0x4067c063 in execute (op_array=0x8785b0c)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#2  0x4067c063 in execute (op_array=0x85c52e4)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#3  0x4067c063 in execute (op_array=0x816b2bc)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#4  0x4067c063 in execute (op_array=0x8647dfc)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#5  0x4067c063 in execute (op_array=0x8647c24)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#6  0x4067c063 in execute (op_array=0x8647b34)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#7  0x4067c063 in execute (op_array=0x816814c)
    at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#8  0x4066a7fa in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/jan/cvs/php43/Zend/zend.c:884
#9  0x40633178 in php_execute_script (primary_file=0xbfffee60)
    at /home/jan/cvs/php43/main/main.c:1727
#10 0x40680f04 in apache_php_module_main (r=0x815cfd8, display_source_mode=0)
    at /home/jan/cvs/php43/sapi/apache/sapi_apache.c:54
#11 0x40681eb9 in send_php (r=0x815cfd8, display_source_mode=0,
---Type <return> to continue, or q <return> to quit---
    filename=0x815edb8 "/home/jan/headhorde//imp/message.php")
    at /home/jan/cvs/php43/sapi/apache/mod_php4.c:620
#12 0x40681f3f in send_parsed_php (r=0x815cfd8)
    at /home/jan/cvs/php43/sapi/apache/mod_php4.c:635
#13 0x080557a7 in ap_invoke_handler ()
#14 0x0806aaf0 in process_request_internal ()
#15 0x0806ad81 in ap_process_request ()
#16 0x08062762 in child_main ()
#17 0x0806290a in make_child ()
#18 0x08062a46 in startup_children ()
#19 0x080634eb in standalone_main ()
#20 0x08063ca6 in main ()


Matching Apache log entry:
[Tue Feb  3 17:37:39 2004]  Script:  '/home/jan/headhorde//imp/message.php'
---------------------------------------
/home/jan/cvs/php43/ext/mbstring/mbstring.c(329) : Block 0x0877ADF8 status:
Beginning:      OK (allocated on /home/jan/cvs/php43/ext/mbstring/mbstring.c:314
, 17 bytes)
      End:      Overflown (magic=0xC3592234 instead of 0x2A8FCC84)
                At least 4 bytes overflown
---------------------------------------



No reproduce code at the moment.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-02-03 12:11 UTC] jan at horde dot org
Get this text file: 
http://www.horde.org/~jan/message.txt
and pass its contents as $text to:
mb_strlen($text, 'us-ascii')

Given, this is no us-ascii string, but it still shouldn't segfault. ;-)
 [2004-02-03 12:16 UTC] sniper@php.net
Dunno if this should go to Rui or what..? :)

 [2004-02-04 21:30 UTC] iliaa@php.net
I've tried to replicate the crash using the latest CVS of 
PHP 4.2.3 but it does not crash and valgrind does not show 
any possible overflows or corruptions that could cause it. 
 
That said Moriyoshi, who is currently away sent me the 
following patch that may solve the problem. Try it, maybe 
it'll address the problem for you. 
 
Index: ext/mbstring/libmbfl/filters/mbfilter_htmlent.c 
=================================================================== 
RCS 
file: /repository/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c,v 
retrieving revision 1.3.2.2 
diff -u -r1.3.2.2 mbfilter_htmlent.c 
--- ext/mbstring/libmbfl/filters/mbfilter_htmlent.c	10 
Dec 2003 17:10:05 -0000	1.3.2.2 
+++ ext/mbstring/libmbfl/filters/mbfilter_htmlent.c	4 
Feb 2004 06:27:23 -0000 
@@ -67,7 +67,7 @@ 
 const mbfl_encoding mbfl_encoding_html_ent = { 
 	mbfl_no_encoding_html_ent, 
 	"HTML-ENTITIES", 
-	"US-ASCII", 
+	"HTML-ENTITIES", 
 	(const char *(*)[])&mbfl_encoding_html_ent_aliases, 
 	NULL, /* mblen_table_html, Do not use table instead 
calulate length based on entities actually used */ 
 	MBFL_ENCTYPE_HTML_ENT 
 
 [2004-02-05 04:40 UTC] jan at horde dot org
Yep, that fixed it.
 [2004-02-05 21:23 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 10:02:09 2014 UTC