Bug #28565 overrun / crash
Submitted: 2004-05-29 02:26 UTC Modified: 2004-06-08 01:00 UTC
From: gavin at vess dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 4CVS-2004-05-29 (stable) OS: Linux 2.6.5
Private report: No CVE-ID: None

 [2004-05-29 02:26 UTC] gavin at vess dot com
Description:
------------
First, this is a Zend engine 1 problem (but I don't see that as an option in the bug report form). I am using a copy of php4-STABLE from 2 days ago, compiled with debugging enabled. Backtrace included below showing SEGV.

Zend's output
=============

pws/setup/set_config.php
---------------------------------------
Zend/zend_ini.c(53) : Block 0x08A06B40 status:
Beginning:      Overrun (magic=0x6D6F682F, expected=0x7312F8DC)


The fast cgi process then terminated itself.

Reproduce code:
---------------
Download http://phpwebsite.appstate.edu/downloads/daily-cvs/phpwebsite-cvs-core.tar.gz

In setup/set_config.php, find "PHPWS_Form::formHidden" near line 234.

Replace all code from there to end of file with:
     echo PHPWS_Form::formHidden($back);
     echo PHPWS_Form::formSubmit("Return to Setup");
   }
}

?>
</body>
</html>


Expected result:
----------------
PHP process dies when accessing the web page /pws/.

Strangely, commenting out either one of the two echos above results in a normal page creation.

Also, replacing the trivial method bodies of formHidden and/or formSubmit with a simple "return 'hello world'" does not stop PHP from dying.

Also odd, adding "<? exit(); ?>" to the end of the file results in a normal page creation .. but looking at the backtrace, I can see how that is related to the area seg faulting.

Actual result:
--------------
 '/home/vess/tiffany.vess.com/pws/setup/set_config.php'
---------------------------------------
/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c(53) : Block 0x082D7348 status:
Beginning:      Overrun (magic=0x6D6F682F, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
_mem_block_check (ptr=0x82d736c, silent=0,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:675
675             memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) bt
#0  _mem_block_check (ptr=0x82d736c, silent=0,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:675
#1  0x08151592 in _mem_block_check (ptr=0x82d736c, silent=1,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:683
#2  0x08150ae2 in _efree (ptr=0x82d736c, __zend_lineno=53, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:243
#3  0x08168cdd in zend_restore_ini_entry_cb (ini_entry=0x81dfda8, stage=8)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c:53
#4  0x08163d7c in zend_hash_apply_with_argument (ht=0x81dbbe0, apply_func=0x8168c93 <zend_restore_ini_entry_cb>,
    argument=0x8) at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_hash.c:717
#5  0x08168dda in zend_ini_deactivate () at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c:89
#6  0x0815ee33 in zend_deactivate () at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend.c:674
#7  0x081353d9 in php_request_shutdown (dummy=0x0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/main/main.c:996
#8  0x08175c80 in main (argc=7, argv=0xbffff7e4)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/sapi/cgi/cgi_main.c:1774
(gdb)
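The "Block ... status: Overrun" line above comes from Zend's debug allocator, which plants a known guard word right after each block's payload and re-reads it when the block is freed (the memcpy at zend_alloc.c:675 in the backtrace). Read as little-endian ASCII, the reported magic 0x6D6F682F is the bytes "/hom", so the guard was overwritten by the start of a path string such as the script path quoted in the report. The C program below, added here as an illustration and not part of the bug report or of Zend itself, reimplements that guard check with the report's expected value and a constructed sample path, so that the mismatch can be reproduced and decoded; the SLACK constant and the "docroot" buffer are assumptions of this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define END_MAGIC 0x7312F8DCUL /* the "expected=" guard word from the report */
#define SLACK 64 /* keeps this demo's overrun inside the real malloc block; a debug allocator has no such slack */
typedef struct { size_t size; } hdr_t;

/* Allocate size bytes and plant the guard word immediately after them. */
void *guarded_alloc(size_t size) {
    hdr_t *h = malloc(sizeof *h + size + sizeof(uint32_t) + SLACK);
    if (!h) return NULL;
    h->size = size;
    uint32_t magic = END_MAGIC;
    memcpy((char *)(h + 1) + size, &magic, sizeof magic);
    return h + 1;
}

/* Return 0 if the guard is intact, otherwise the word that overwrote it. */
uint32_t guard_check(const void *ptr) {
    const hdr_t *h = (const hdr_t *)ptr - 1;
    uint32_t magic;
    memcpy(&magic, (const char *)ptr + h->size, sizeof magic); /* same unaligned read as zend_alloc.c:675 */
    return magic == END_MAGIC ? 0 : magic;
}

void guarded_free(void *ptr) { free((hdr_t *)ptr - 1); }

/* Show a guard word as the bytes that landed on it (little-endian host, as in the report). */
void magic_as_bytes(uint32_t magic, char out[5]) { memcpy(out, &magic, 4); out[4] = '\0'; }

/* Deliberate overrun: a path appended past a buffer sized only for "docroot". */
uint32_t demo_overrun(void) {
    const char *path = "/home/example/set_config.php"; /* constructed sample, not the reporter's path */
    char *buf = guarded_alloc(8);                      /* "docroot" plus NUL fills all 8 bytes */
    strcpy(buf, "docroot");
    memcpy(buf + 8, path, strlen(path) + 1);           /* BUG: the first four bytes of path land on the guard */
    uint32_t found = guard_check(buf);
    guarded_free(buf);
    return found;
}

int main(void) {
    char bytes[5];
    uint32_t found = demo_overrun();
    magic_as_bytes(found, bytes);
    printf("Overrun (magic=0x%08X, expected=0x%08lX) guard bytes=\"%s\"\n", (unsigned)found, END_MAGIC, bytes);
    return 0;
}
```

Decoding the magic this way tells you what data did the overwriting, which narrows the search for the offending copy far faster than the free-time backtrace alone.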


History

 [2004-05-31 12:04 UTC] derick@php.net
Recategorize, and you really need to come up with a small piece of example code, otherwise it's very hard to debug this.
 [2004-06-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 27 01:01:30 2024 UTC