PHP :: Bug #28565 :: overrun / crash

Bug #28565	overrun / crash
Submitted:	2004-05-29 02:26 UTC	Modified:	2004-06-08 01:00 UTC
From:	gavin at vess dot com	Assigned:
Status:	No Feedback	Package:	Scripting Engine problem
PHP Version:	4CVS-2004-05-29 (stable)	OS:	Linux 2.6.5
Private report:	No	CVE-ID:	None

View Developer Edit

[2004-05-29 02:26 UTC] gavin at vess dot com

Description:
------------
First, this is a Zend engine 1 problem (but I don't see that as an option in the bug report form). I am using a copy of php4-STABLE from 2 days ago, compiled with debuging enabled.  Backtrace included below showing SEGV.

Zend's output
=============

pws/setup/set_config.php
---------------------------------------
Zend/zend_ini.c(53) : Block 0x08A06B40 status:
Beginning:      Overrun (magic=0x6D6F682F, expected=0x7312F8DC)


The fast cgi process then terminated itself.

Reproduce code:
---------------
Download http://phpwebsite.appstate.edu/downloads/daily-cvs/phpwebsite-cvs-core.tar.gz

In setup/set_config.php, find "PHPWS_Form::formHidden" near line 234.

Replace all code from there to end of file with:
     echo PHPWS_Form::formHidden($back);
     echo PHPWS_Form::formSubmit("Return to Setup");
   }
}

?>
</body>
</html>


Expected result:
----------------
PHP process dies when accesing the web page /pws/.

Strangely, commenting out either one of the two echo's above  results in a normal page creation.

Also, replacing the trivial method bodies of formHidden and/or formSubmit with a simple "return 'hello world'" does not stop PHP from dying.

Also odd, adding "<? exit(); ?>" to the end of the file results in a normal page creation .. but looking at the backtrace, I can see how that is related to the area seg faulting.

Actual result:
--------------
 '/home/vess/tiffany.vess.com/pws/setup/set_config.php'
---------------------------------------
/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c(53) : Block 0x082D7348 status:
Beginning:      Overrun (magic=0x6D6F682F, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
_mem_block_check (ptr=0x82d736c, silent=0,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:675
675             memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) bt
#0  _mem_block_check (ptr=0x82d736c, silent=0,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:675
#1  0x08151592 in _mem_block_check (ptr=0x82d736c, silent=1,
    __zend_filename=0x81bb228 "/var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c",
    __zend_lineno=53, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:683
#2  0x08150ae2 in _efree (ptr=0x82d736c, __zend_lineno=53, __zend_orig_lineno=0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_alloc.c:243
#3  0x08168cdd in zend_restore_ini_entry_cb (ini_entry=0x81dfda8, stage=8)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c:53
#4  0x08163d7c in zend_hash_apply_with_argument (ht=0x81dbbe0, apply_func=0x8168c93 <zend_restore_ini_entry_cb>,
    argument=0x8) at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_hash.c:717
#5  0x08168dda in zend_ini_deactivate () at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend_ini.c:89
#6  0x0815ee33 in zend_deactivate () at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/Zend/zend.c:674
#7  0x081353d9 in php_request_shutdown (dummy=0x0)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/main/main.c:996
#8  0x08175c80 in main (argc=7, argv=0xbffff7e4)
    at /var/tmp/portage/gb_phpbeta-4.3.7/work/gb_phpbeta-4.3.7/sapi/cgi/cgi_main.c:1774
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-05-31 12:04 UTC] derick@php.net

Recategorize, and you really need to come up with a small piece of example code, otherwise it's very hard to debug this.

[2004-06-08 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 05:01:27 2025 UTC