Bug #30513 segfault in cli/cgi interactive mode
Submitted: 2004-10-21 16:49 UTC Modified: 2005-03-26 03:46 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: asm at asm dot flynet dot pl Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2005-03-09 OS: *
Private report: No CVE-ID:
 [2004-10-21 16:49 UTC] asm at asm dot flynet dot pl
Description:
------------
Please forgive that I haven't attached a backtrace and the
whole ./configure options. But I see this behaviour
on different boxes (an old Slackware with 2.2 and Fedora with 2.4) with different versions
of PHP5's CLI/CGI interactive mode (so it should be easy to recover). It doesn't affect PHP4.


Reproduce code:
---------------
BOX1$ php -v ; php -a
PHP 5.0.0 (cli) (built: Oct 15 2004 17:43:01)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.0, Copyright (c) 1998-2004 Zend Technologies
Interactive mode enabled

<?

if (preg_match('/.*end$/', 'abcend')) echo 'got it';
?>
got itSegmentation fault


***

BOX2$ php5 -v ; php5 -a
PHP 5.0.2 (cli) (built: Oct 17 2004 00:46:25)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.2, Copyright (c) 1998-2004 Zend Technologies
Interactive mode enabled

<?

if (preg_match('/.*end$/', 'abcend')) echo 'got it';
?>
got itSegmentation fault


Expected result:
----------------
got it

Actual result:
--------------
expected + segfault
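A scripted version of the reproduce step above, as an added example that is not from the report: it pipes the reporter's test script into `php -a` and classifies the exit status, so a rebuilt interpreter can be regression-checked for this crash without reading the terminal by eye. It assumes a `php` binary on PATH; the command under test is a parameter, so the classification logic can be exercised without one.

```shell
#!/bin/sh
# Regression check for the interactive-mode crash in this report (added
# example, not part of the bug report). Assumes `php` is on PATH when run
# against the real interpreter.

# Reproducer from the report, with the short open tag spelled out.
REPRO='<?php
if (preg_match("/.*end$/", "abcend")) echo "got it";
?>
'

# classify_status N: map a shell exit status to ok / segfault / error.
# A process killed by a signal exits with 128+signo; SIGSEGV is 11 -> 139.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo error ;;
    esac
}

# run_repro CMD...: run CMD with the reproducer on stdin and print its class.
# CMD's output is discarded; only the exit status matters here. The `||`
# keeps a crashing CMD from aborting a caller that runs under `set -e`.
run_repro() {
    status=0
    printf '%s' "$REPRO" | "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Stand-alone run: only exercise the real interpreter if one is installed.
if command -v php >/dev/null 2>&1; then
    echo "php -a: $(run_repro php -a)"
fi
```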

 [2004-10-23 18:28 UTC] tony2001@php.net
Actually it segfaults in interactive mode even on this:
<?
if (true) true;
?>
And it's caused by the fact that somehow EX(opline) happens to point to not initialized memory.

bt:
Program received signal SIGSEGV, Segmentation fault.
0x0819681b in execute (op_array=0x831093c) at zend_vm_execute.h:58
58                      if (EX(opline)->handler(&execute_data TSRMLS_CC) > 0) {
(gdb) bt
#0  0x0819681b in execute (op_array=0x831093c) at zend_vm_execute.h:58
#1  0x0816e574 in execute_new_code () at /home/dev/php-src/Zend/zend_execute_API.c:1089
#2  0x08159a24 in zendparse () at zend_language_parser.y:166
#3  0x0815c086 in compile_file (file_handle=0xbffff890, type=2) at zend_language_scanner.l:375
#4  0x08178445 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/dev/php-src/Zend/zend.c:1049
#5  0x0813fd23 in php_execute_script (primary_file=0xbffff890) at /home/dev/php-src/main/main.c:1634
#6  0x081f6250 in main (argc=2, argv=0xbffff914) at /home/dev/php-src/sapi/cli/php_cli.c:943
 [2005-03-03 19:06 UTC] mweierophinney at gmail dot com
I have reproduced the problem with similar code:

<test.php>:
<?php if (1) { echo "Working."; } ?>

and 'php -a test.php' produces a segfault.

I can confirm it for PHP versions 5.0.1, 5.0.2, and 5.0.3 -- 5.0.3 on Gentoo GNU/Linux and 5.0.1 and 5.0.2 on Fedora Core 1.
 [2005-03-09 00:43 UTC] sniper@php.net
See bug #28839

 [2005-03-09 00:44 UTC] sniper@php.net
see also bug #32229
 [2005-03-26 03:46 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 10:02:06 2014 UTC