|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33989 extract()/eval()/require() crashes php
Submitted: 2005-08-03 23:09 UTC Modified: 2005-08-04 12:38 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mdpm2 at rohms dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS, 4CVS (2005-08-03) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: mdpm2 at rohms dot com
New email:
PHP Version: OS:


 [2005-08-03 23:09 UTC] mdpm2 at rohms dot com
The use of extract($GLOBALS,EXTR_REFS) appears to corrupt memory when it is followed by an eval()'d series of code which includes another PHP file.

This produces the following error:

httpd process:
  [notice] child pid 46966 exit signal Bus error (10)
  Bus error (core dumped)  (from php standalone)

NOTE: This is a clarification of bug #33985

Reproduce code:
art.php (base script to run to reproduce error):
 echo "<PRE>";
//  $stx="require_once(\"l-catlist.php\"); echo \"inside eval\"; catlist(1,0,9,3,$fcategory,0,1,1,99);";

  $stx="require_once(\"l-catlist.php\"); echo \"inside eval\";";

echo 'EVAL string6='.$stx.'<P>';
echo "\n\ndone run</PRE>";

l-catlist.php (included from eval'd code):
function catlist($ct1,$parentid,$depth=NULL,$distype=1,$selected=NULL,$linktype=2,$zero=1,$action=0,$tt=0)
  echo "inside catlist<P>";

Expected result:
For server to not crash at least..

Actual result:
There are two versions of the $stx assignment - I was debugging a condition where I was having problems with the passing of parameters between functions and I discovered when trimming down the code, I could make the server completely crash with a simplified version so I believe this is related to the problems I'm experiencing.  If you can't reproduce the error, try enabling the alternate assignment of $stx and making sure the variables passed are accurate.  However, I can consistently crash the server using the above code and merely calling art.php.

If you comment out "extract($GLOBALS,EXTR_REFS);" there are no problems.

It's possible the above code could be even more simplified but I've verified the error condition works with it as listed, under Apache 1_3.26/PHP 4.4.0

The problem can also be reproduced outside of apache:

#php -f art.php
<PRE>EVAL string6=require_once("l-catlist.php"); echo "inside eval";<P>inside eval

done run</PRE>
Bus error (core dumped)

NOTE: zend 20050606 was enabled - I'm not sure how to disable it.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-04 00:12 UTC]
is enough to see errors when Zend MM is disabled (with 5.1-dev too).
 [2005-08-04 12:38 UTC]
Fixed in CVS HEAD, PHP_5_0 and PHP_4_4.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 22 22:01:32 2024 UTC