PHP :: Bug #35017 :: PHP crashes Apache

Bug #35017

PHP crashes Apache

Submitted:

2005-10-29 10:56 UTC

Modified:

2005-10-31 20:40 UTC

Votes:	4
Avg. Score:	4.5 ± 0.9
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

assen dot todorov at onvista dot de

Assigned:

dmitry (profile)

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

5CVS-2005-10-29 (cvs)

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2005-10-29 10:56 UTC] assen dot todorov at onvista dot de

Description:
------------
The code below was tested on WindowsXP + PHP(5.0.5) + Apache(1.3.33) AND Linux + PHP(5.0.5) + Apache(Apache/2.0.53).In both cases this code leads to crash in Apache.The message is "Segmentation fault ......."

Reproduce code:
---------------
set_error_handler('errorHandler');
$crashApache = new crashApache;
try {
	$a = array('test'); $result = array();
	foreach($a as $b) {
		$result[] = $b; $nullValue = null;
		foreach($nullValue as $c) {
			$result[] = $c;
		}
	}
	$crashApache->start($result);
}
catch(Exception $e) { echo 'This Exception should be catched'; }
class crashApache {
	public $someVar = array();
	public function start(&$crashParam) {
		$this->someVar = $crashParam;
	}
}
function errorHandler($errno, $errstr, $errfile, $errline, $vars) {
	throw new Exception('Some Exception');
}

Expected result:
----------------
I expect to see the the message "This Exception should be catched"

Actual result:
--------------
Apache crashes with "segmentation fault" message.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-10-29 11:07 UTC] assen dot todorov at onvista dot de

On the seccond "foreach" the error handler is called and an exception is thrown.In spite of this the line "$crashApache->start($result);" is executed and the exception is newer catched

[2005-10-29 12:57 UTC] derick@php.net

With PHP 5.1.0RC4-dev I get:

Fatal error: Invalid opcode 137/16/8. in - on line 18

And on PHP 5.0.6-dev I get:
Segmentation fault

And the following backtrace:
#0  0x00000000 in ?? ()
#1  0x08320690 in execute (op_array=0x860e42c)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1438
#2  0x08323ef0 in zend_do_fcall_common_helper (execute_data=0xbfffd4a0,
    opline=0x860bca4, op_array=0x8606cbc)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2790
#3  0x0832439d in zend_do_fcall_by_name_handler (execute_data=0xbfffd4a0,
    opline=0x860bca4, op_array=0x8606cbc)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:2877
#4  0x08320690 in execute (op_array=0x8606cbc)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1438
#5  0x082f7726 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /dat/dev/php/php-5.0dev/Zend/zend.c:1064
#6  0x082af0d5 in php_execute_script (primary_file=0xbffff8e0)
    at /dat/dev/php/php-5.0dev/main/main.c:1643
#7  0x0832dbc0 in main (argc=1, argv=0xbffff9a4)
    at /dat/dev/php/php-5.0dev/sapi/cli/php_cli.c:946

Some more info:
(gdb) frame 1
#1  0x08320690 in execute (op_array=0x860e42c)
    at /dat/dev/php/php-5.0dev/Zend/zend_execute.c:1438
warning: Source file is more recent than executable.

1438                    if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
(gdb) print executor_globals.current_execute_data.opline
$1 = (struct _zend_op *) 0x860d1cc
(gdb) print executor_globals.current_execute_data.opline.handler
$2 = 0

[2005-10-31 20:40 UTC] dmitry@php.net

Fixed in CVS HEAD and PHP 5.1.

The reason if memory leaks in the given test after fix - is bug #34065

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Oct 28 14:00:01 2025 UTC