php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33958 Crash with processing HTTP_COOKIE with 'doubled' variables
Submitted: 2005-08-02 03:58 UTC Modified: 2005-08-02 19:05 UTC
From: andrey at cherezov dot koenig dot su Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2005-08-02 OS: *
Private report: No CVE-ID: None
 [2005-08-02 03:58 UTC] andrey at cherezov dot koenig dot su
Description:
------------
Just downloaded and installed 5.1 snap (2 Aug) and replaced PHP5.1b3 in my server (ISAPI mode). Now I see in log, some users got "error 500" while accessing /forum/ and /forum/viewtopic.php (PhpBB current version). Turn on trace and get error pages:

Mon, 01 Aug 2005 20:48:52 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A


Mon, 01 Aug 2005 20:48:54 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A

After server restart - address changed:

PHP has encountered an Access Violation at 0109813A

Reproduce code:
---------------
I can't reproduce it myself (same pages loaded ok), but there are lot of such dumps in my log. I can install and try any test version there.

Expected result:
----------------
Page load.

Actual result:
--------------
PHP has encountered an Access Violation at 0109813A

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-02 08:33 UTC] andrey at cherezov dot koenig dot su
The way to reproduce:

GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close

Posted this request (via telnet) to my local web-server and got the same error! (the script php.php5 just "echo 'test'"). PHP has encountered an Access Violation at 00F2813A

If I delete second variable copy, i.e.:
GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close
- the script works ok.
 [2005-08-02 08:46 UTC] andrey at cherezov dot koenig dot su
In the PHP 4.3.11 under the same server with the same test request = 200 OK.
So this bug is PHP5.1 specific.
 [2005-08-02 18:50 UTC] sniper@php.net
Verified with latest CVS and Apache2..

 [2005-08-02 18:56 UTC] sniper@php.net
[Switching to Thread 46912528940992 (LWP 2360)]
0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
736             memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) 
(gdb) bt
#0  0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
#1  0x00002aaab000ae9d in _mem_block_check (ptr=0x555555b3a081, silent=1, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:728
#2  0x00002aaab0009c39 in _efree (ptr=0x555555b3a081, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:287
#3  0x00002aaaaffe030e in php_register_variable_ex (var=0x555555b3a081 "phpbb2mysql_data", val=0x7fffff839990, 
    track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:201
#4  0x00002aaaaffdfd3c in php_register_variable_safe (var=0x555555b3a080 " phpbb2mysql_data", 
    strval=0x5555557b5500 "a:0:{}", str_len=6, track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:57
#5  0x00002aaaaffe0c8c in php_default_treat_data (arg=2, str=0x0, destArray=0x0)
    at /usr/src/php/php5/main/php_variables.c:345
#6  0x00002aaaaffe1b53 in php_hash_environment () at /usr/src/php/php5/main/php_variables.c:646
#7  0x00002aaaaffcf73b in php_request_startup () at /usr/src/php/php5/main/main.c:1064
#8  0x00002aaab00b850a in php_apache_request_ctor (r=0x555555b23020, ctx=0x555555b27a28)
    at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:438
#9  0x00002aaab00b8c87 in php_handler (r=0x555555b23020) at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:534

 [2005-08-02 19:05 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 02 20:01:32 2024 UTC