Bug #29707 When execute the global requisition below the thread crashes
Submitted: 2004-08-16 18:06 UTC
Modified: 2006-01-01 01:00 UTC
Votes:3
Avg. Score:3.3 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: edernucci at hotmail dot com
Assigned: andi
Status: No Feedback
Package: Scripting Engine problem
PHP Version: 4CVS-2005-06-19
OS: *
Private report: No
CVE-ID: None

 [2004-08-16 18:06 UTC] edernucci at hotmail dot com
Description:
------------
I know this is erroneous code, but the thread hangs on the server (Apache 1.3.29 / Windows XP Professional SP1).
I don't know how to solve this.

Reproduce code:
---------------
<?php

/**
 * @return FatalError
 * @desc This function kills the PHP thread on the server.
 */
function boom()
{
	$foo = "one.simple.dot.tokenized.string";
	$bar = strtok($foo,'.');
	global $$bar[0]; //<--- The script dies here :P
}

boom(); //<--- Here you will tell the server to go sleep :D

?>

Expected result:
----------------
Just trying to hang the webserver.
Any user can do this in my shared environment.


 [2004-08-17 08:01 UTC] derick@php.net
Confirmed with both PHP 4 and PHP 5:

valgrind:
==12558== Invalid read of size 4
==12558==    at 0x8305A91: zend_pzval_unlock_func (zend_execute.c:65)
==12558==    by 0x8305B94: _get_zval_ptr (zend_execute.c:100)
==12558==    by 0x82FBF85: zend_fetch_var_address (zend_execute.c:737)
==12558==    by 0x82FECBF: zend_fetch_w_handler (zend_execute.c:2004)
==12558==  Address 0x9 is not stack'd, malloc'd or (recently) free'd
==12558==
==12558== Process terminating with default action of signal 11 (SIGSEGV)
==12558==  Access not within mapped region at address 0x9
==12558==    at 0x8305A91: zend_pzval_unlock_func (zend_execute.c:65)
==12558==    by 0x8305B94: _get_zval_ptr (zend_execute.c:100)
==12558==    by 0x82FBF85: zend_fetch_var_address (zend_execute.c:737)
==12558==    by 0x82FECBF: zend_fetch_w_handler (zend_execute.c:2004)
==12558==

gdb trace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 12626)]
0x08305a91 in zend_pzval_unlock_func (z=0x1)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:65
65              z->refcount--;
(gdb) bt
#0  0x08305a91 in zend_pzval_unlock_func (z=0x1)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:65
#1  0x08305b95 in _get_zval_ptr (node=0x85bec78, Ts=0x85bd704,
    should_free=0xbfffd31c) at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:100
#2  0x082fbf86 in zend_fetch_var_address (opline=0x85bec60, Ts=0x85bd704,
    type=1) at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:737
#3  0x082fecc0 in zend_fetch_w_handler (execute_data=0xbfffd380,
    opline=0x85bec60, op_array=0x85bede8)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2004
#4  0x082fd8f1 in execute (op_array=0x85bede8)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1391
#5  0x408c7318 in xdebug_execute (op_array=0x85bede8)
    at /dat/dev/php/xdebug/xdebug.c:1041
#6  0x08301078 in zend_do_fcall_common_helper (execute_data=0xbfffd4d0,
    opline=0x85bd254, op_array=0x85b8de4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2728
#7  0x083015fb in zend_do_fcall_handler (execute_data=0xbfffd4d0,
    opline=0x85bd254, op_array=0x85b8de4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2828
#8  0x082fd8f1 in execute (op_array=0x85b8de4)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1391
#9  0x408c7318 in xdebug_execute (op_array=0x85b8de4)
    at /dat/dev/php/xdebug/xdebug.c:1041

(And yes, it also segfaults without Xdebug at the same place)

Derick
 [2004-09-22 00:21 UTC] andi@php.net
Please check latest version of PHP 5 CVS (Latest CVS (5.1.x-dev) at snaps.php.net).
Not sure about PHP 4.3.x and PHP 5.0.x yet because we might want to run this patch for a while before we merge into them.
 [2005-04-29 17:00 UTC] tony2001@php.net
Still valid with 5.0.x and 4.3.x, but HEAD works fine.
 [2005-06-19 20:51 UTC] sniper@php.net
This still crashes in PHP_4_4 branch, HEAD is fine.

 [2005-06-19 21:02 UTC] sniper@php.net
This is what Andi did for HEAD:
http://www.php.net/~jani/patches/bug29707.HEAD.patch

 [2006-01-01 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".