php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33958 Crash with processing HTTP_COOKIE with 'doubled' variables
Submitted: 2005-08-02 03:58 UTC Modified: 2005-08-02 19:05 UTC
From: andrey at cherezov dot koenig dot su Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2005-08-02 OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: andrey at cherezov dot koenig dot su
New email:
PHP Version: OS:

 

 [2005-08-02 03:58 UTC] andrey at cherezov dot koenig dot su
Description:
------------
Just downloaded and installed 5.1 snap (2 Aug) and replaced PHP5.1b3 in my server (ISAPI mode). Now I see in log, some users got "error 500" while accessing /forum/ and /forum/viewtopic.php (PhpBB current version). Turn on trace and get error pages:

Mon, 01 Aug 2005 20:48:52 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A


Mon, 01 Aug 2005 20:48:54 -0500 www.mdaemon.ru/forum/
HTTP/1.0 500 Internal Server Error
Content-Type: text/html

PHP has encountered an Access Violation at 00F9813A

After server restart - address changed:

PHP has encountered an Access Violation at 0109813A

Reproduce code:
---------------
I can't reproduce it myself (same pages loaded ok), but there are lot of such dumps in my log. I can install and try any test version there.

Expected result:
----------------
Page load.

Actual result:
--------------
PHP has encountered an Access Violation at 0109813A

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-02 08:33 UTC] andrey at cherezov dot koenig dot su
The way to reproduce:

GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close

Posted this request (via telnet) to my local web-server and got the same error! (the script php.php5 just "echo 'test'"). PHP has encountered an Access Violation at 00F2813A

If I delete second variable copy, i.e.:
GET /php.php5 HTTP/1.0
Host: localhost
Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D
Connection: close
- the script works ok.
 [2005-08-02 08:46 UTC] andrey at cherezov dot koenig dot su
In the PHP 4.3.11 under the same server with the same test request = 200 OK.
So this bug is PHP5.1 specific.
 [2005-08-02 18:50 UTC] sniper@php.net
Verified with latest CVS and Apache2..

 [2005-08-02 18:56 UTC] sniper@php.net
[Switching to Thread 46912528940992 (LWP 2360)]
0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
736             memcpy(&end_magic, (((char *) p)+sizeof(zend_mem_header)+MEM_HEADER_PADDING+p->size), sizeof(long));
(gdb) 
(gdb) bt
#0  0x00002aaab000aec1 in _mem_block_check (ptr=0x555555b3a081, silent=0, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:736
#1  0x00002aaab000ae9d in _mem_block_check (ptr=0x555555b3a081, silent=1, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:728
#2  0x00002aaab0009c39 in _efree (ptr=0x555555b3a081, 
    __zend_filename=0x2aaab02538a0 "/usr/src/php/php5/main/php_variables.c", __zend_lineno=201, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /usr/src/php/php5/Zend/zend_alloc.c:287
#3  0x00002aaaaffe030e in php_register_variable_ex (var=0x555555b3a081 "phpbb2mysql_data", val=0x7fffff839990, 
    track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:201
#4  0x00002aaaaffdfd3c in php_register_variable_safe (var=0x555555b3a080 " phpbb2mysql_data", 
    strval=0x5555557b5500 "a:0:{}", str_len=6, track_vars_array=0x555555b39ec0) at /usr/src/php/php5/main/php_variables.c:57
#5  0x00002aaaaffe0c8c in php_default_treat_data (arg=2, str=0x0, destArray=0x0)
    at /usr/src/php/php5/main/php_variables.c:345
#6  0x00002aaaaffe1b53 in php_hash_environment () at /usr/src/php/php5/main/php_variables.c:646
#7  0x00002aaaaffcf73b in php_request_startup () at /usr/src/php/php5/main/main.c:1064
#8  0x00002aaab00b850a in php_apache_request_ctor (r=0x555555b23020, ctx=0x555555b27a28)
    at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:438
#9  0x00002aaab00b8c87 in php_handler (r=0x555555b23020) at /usr/src/php/php5/sapi/apache2handler/sapi_apache2.c:534

 [2005-08-02 19:05 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 20:01:27 2024 UTC