Bug #33989 extract()/eval()/require() crashes php
Submitted: 2005-08-03 23:09 UTC Modified: 2005-08-04 12:38 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mdpm2 at rohms dot com
Assigned:
Status: Closed
Package: Scripting Engine problem
PHP Version: 5CVS, 4CVS (2005-08-03)
OS: *
Private report: No
CVE-ID:
 [2005-08-03 23:09 UTC] mdpm2 at rohms dot com
Description:
------------
The use of extract($GLOBALS,EXTR_REFS) appears to corrupt memory when it is followed by an eval()'d series of code which includes another PHP file.

This produces the following error:

httpd process:
  [notice] child pid 46966 exit signal Bus error (10)
or
  Bus error (core dumped)  (from php standalone)


NOTE: This is a clarification of bug #33985

Reproduce code:
---------------
art.php (base script to run to reproduce error):
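<?php
// art.php: base script; running it reproduces the crash described above.
echo "<PRE>";
$fcategory = 20;

// Alternate assignment that also calls catlist() inside the eval'd code:
// $stx = "require_once(\"l-catlist.php\"); echo \"inside eval\"; catlist(1,0,9,3,$fcategory,0,1,1,99);";

$stx = "require_once(\"l-catlist.php\"); echo \"inside eval\";";

echo 'EVAL string6=' . $stx . '<P>';
// Import every global into the current scope by reference.
extract($GLOBALS, EXTR_REFS);
// The eval'd code includes a second PHP file.
eval($stx);
echo "\n\ndone run</PRE>";
?>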

l-catlist.php (included from eval'd code):
<?php
// l-catlist.php: defines the function used by the alternate $stx assignment.
function catlist($ct1, $parentid, $depth = NULL, $distype = 1, $selected = NULL, $linktype = 2, $zero = 1, $action = 0, $tt = 0)
{
    echo "inside catlist<P>";
    return 0;
}
?>


Expected result:
----------------
For the server to not crash, at least.

Actual result:
--------------
There are two versions of the $stx assignment. I was debugging a condition where I was having problems with the passing of parameters between functions, and I discovered when trimming down the code that I could make the server completely crash with a simplified version, so I believe this is related to the problems I'm experiencing. If you can't reproduce the error, try enabling the alternate assignment of $stx and making sure the variables passed are accurate. However, I can consistently crash the server using the above code and merely calling art.php.

If you comment out "extract($GLOBALS,EXTR_REFS);" there are no problems.

It's possible the above code could be simplified even more, but I've verified the error condition works with it as listed, under Apache 1_3.26/PHP 4.4.0

The problem can also be reproduced outside of Apache:

#php -f art.php
<PRE>EVAL string6=require_once("l-catlist.php"); echo "inside eval";<P>inside eval

done run</PRE>
Bus error (core dumped)

NOTE: zend 20050606 was enabled - I'm not sure how to disable it.


History

 [2005-08-04 00:12 UTC] tony2001@php.net
<?php
$a="a";
extract($GLOBALS, EXTR_REFS);
?>
is enough to see errors when Zend MM is disabled (with 5.1-dev too).
 [2005-08-04 12:38 UTC] dmitry@php.net
Fixed in CVS HEAD, PHP_5_0 and PHP_4_4.
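
The call pattern in this report, extract($GLOBALS, EXTR_REFS), can be located in a code base that may still run on an unfixed build. The following is an added example, not code from the report or from the PHP project; find_globals_extract() is a hypothetical helper name, the sample source is constructed, and it assumes PHP 7.4 or later with the tokenizer extension.

```php
<?php
// Added example: report extract() calls whose first argument is $GLOBALS.
// find_globals_extract() is a hypothetical helper name, not a PHP built-in.
function find_globals_extract(string $source): array
{
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $tokens = array_values(array_filter(token_get_all($source), fn($t) =>
        !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)));
    $hits = [];
    foreach ($tokens as $i => $t) {
        // Function names are T_STRING; PHP 8 lexes \extract as T_NAME_FULLY_QUALIFIED.
        if (!is_array($t) || !in_array(token_name($t[0]), ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true)
            || strcasecmp(ltrim($t[1], '\\'), 'extract') !== 0) {
            continue;
        }
        // Skip method calls and declarations such as $x->extract() or function extract().
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        $open = $tokens[$i + 1] ?? null;
        $arg  = $tokens[$i + 2] ?? null;
        if ($open !== '(' || !is_array($arg) || $arg[0] !== T_VARIABLE || $arg[1] !== '$GLOBALS') {
            continue;
        }
        // Collect the remaining arguments up to the matching ')'.
        $depth = 1;
        $rest = '';
        for ($j = $i + 3; isset($tokens[$j]) && $depth > 0; $j++) {
            $text = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            if ($text === '(') { $depth++; } elseif ($text === ')') { $depth--; }
            if ($depth > 0) { $rest .= $text; }
        }
        $hits[] = ['line' => $t[2], 'by_reference' => stripos($rest, 'EXTR_REFS') !== false];
    }
    return $hits;
}

// Constructed sample input modelled on the art.php reproduce script.
$sample = <<<'SRC'
<?php
$fcategory = 20;
extract($GLOBALS, EXTR_REFS);
extract($row);
SRC;

foreach (find_globals_extract($sample) as $hit) {
    printf("line %d: extract(\$GLOBALS) by_reference=%s\n", $hit['line'], $hit['by_reference'] ? 'yes' : 'no');
}
```

Only a literal $GLOBALS first argument is matched; a call that receives the array through another variable is not detected.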
 
Last updated: Mon Apr 21 07:02:06 2014 UTC