Bug #35571 SSI + php (not using virtual()) crashes with Apache2 (only Apache 2.0.55)
Submitted: 2005-12-06 16:57 UTC Modified: 2005-12-14 04:39 UTC
From: kclair at gmail dot com Assigned: iliaa
Status: Closed Package: Apache2 related
PHP Version: 5CVS, 4CVS (2005-12-09) (snap) OS: linux
Private report: No CVE-ID:
 [2005-12-06 16:57 UTC] kclair at gmail dot com
Description:
------------
SSI files which include php scripts are behaving differently after upgrading from php 4.3.10 to php 4.4.1.
Apache version is 2.0.54.

I tried it with two different configure options:
./configure --with-apxs2=/usr/local/apache2/bin/apxs --enable-debug=no --enable-versioning --enable-track-vars --with-openssl --with-jpeg-dir=/home/sys/src/jpeg-6b --with-expat=/usr/lib --with-mcrypt --with-config-file-path=/home/sys/etc/php-noZend/ --with-png-dir=/usr --with-zlib-dir=/usr --with-ttf --with-freetype-dir=/usr --with-curl --with-mysql=/usr --with-gd --with-sablot --with-xslt-sablot --enable-xslt --disable-zend-memory-manager

./configure --with-apxs2=/usr/local/apache2/bin/apxs --enable-debug=no --enable-versioning --enable-track-vars --with-openssl --with-jpeg-dir=/home/sys/src/jpeg-6b --with-expat=/usr/lib --with-mcrypt --with-config-file-path=/home/sys/etc/ --with-png-dir=/usr --with-zlib-dir=/usr --with-ttf --with-freetype-dir=/usr --with-curl --with-mysql=/usr --with-gd --with-sablot --with-xslt-sablot --enable-xslt

I also tried it both with Zend optimizer enabled and with Zend optimizer disabled in php.ini.

Reproduce code:
---------------
The includes from the files which segfault look like:
<!--#include file="eventsdb.php?ID=81&fld=2" -->

The php code is a short db query:

<?php
// $conn, $ID and $today are set before this excerpt; $ID arrives from the
// SSI query string (ID=81) via register_globals, as PHP 4 allowed.
if ($conn == false) {
    echo mysql_errno() . ": " . mysql_error() . "<BR>";
    exit;
} else {
    $rtn = mysql_select_db("[tablename]");
    // $ID is interpolated into the query unescaped; cast it to an integer
    // so a non-numeric value cannot alter the statement.
    $sql = "select * from events where ID = " . (int) $ID;
    $result = mysql_query($sql);
    // The condition already fetches the first row, so loop with do/while
    // rather than a plain while, which would skip it.
    if (($row = mysql_fetch_row($result)) && ($today <= $row[4])) {
        do {
            // [snip echo mysql results]
        } while ($row = mysql_fetch_row($result));
    }
}

Expected result:
----------------
Results from mysql query should be displayed on page.

Actual result:
--------------
Blank pages.

The backtrace is the same regardless of which compile options I used:

#0  0xb7e095cc in zend_hash_index_update_or_next_insert (ht=0xb7ea29c0, h=0,
   pData=0xbfffdc60, nDataSize=12, pDest=0x0, flag=1)
   at /home/sys/src/php-4.4.1/Zend/zend_hash.c:390
390         p = ht->arBuckets[nIndex];
(gdb) bt full
#0  0xb7e095cc in zend_hash_index_update_or_next_insert (ht=0xb7ea29c0, h=0,
   pData=0xbfffdc60, nDataSize=12, pDest=0x0, flag=1)
   at /home/sys/src/php-4.4.1/Zend/zend_hash.c:390
       nIndex = 0
       p = Variable "p" is not available.
(gdb)

 [2005-12-06 18:26 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2005-12-09 22:33 UTC] kclair at gmail dot com
The fix applied for this fixes the segfault for Apache 2.0.54.

Apache 2.0.55, however, still segfaults for the same SSI pages. I recompiled php with the same configure options as before.

gdb backtrace is:
#0  0xb7de28dd in yy_push_state (new_state=1)
    at Zend/zend_language_scanner.c:5760
5760        yy_start_stack[yy_start_stack_ptr++] = YY_START;
(gdb) bt full
#0  0xb7de28dd in yy_push_state (new_state=1)
    at Zend/zend_language_scanner.c:5760
        new_size = Variable "new_size" is not available.


Thanks!  Especially for the first fix!
 [2005-12-10 12:43 UTC] sniper@php.net
Ilia, the fix wasn't enough? There have also been other reports with Apache 2.0.55..

 [2005-12-10 12:46 UTC] sniper@php.net
See also bug #35484
 [2005-12-14 04:39 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 18:01:58 2014 UTC