php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35940 virtual() and header('Location:') crashes
Submitted: 2006-01-09 10:55 UTC Modified: 2006-04-18 01:00 UTC
Votes:4
Avg. Score:4.0 ± 0.7
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: cristic at interaktonline dot com Assigned:
Status: No Feedback Package: Apache related
PHP Version: 5CVS-2006-01-09 (snap) OS: Windows XP
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2006-01-09 10:55 UTC] cristic at interaktonline dot com
Description:
------------
When a redirect (header('Location:')) is used with a virtual include the Apache crash:

---------------------------
Apache.exe - Application Error
---------------------------
The instruction at "0x008736ac" referenced memory at "0x0001ee6c". The memory could not be "read".


Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK   Cancel   
---------------------------


Reproduce code:
---------------
a.php:
<?php virtual(/b.php);?>
<?php header('Location: http://server.com/c.php');?>

b.php:
<?php ?>

c.php:
<?php phpinfo(); ?>

Expected result:
----------------
When doing this I just expect to be redirected to the c.php.

Actual result:
--------------
1. Windows XP and Apache/1.3.33(Win32):
---------------------------
Apache.exe - Application Error
---------------------------
The instruction at "0x008736ac" referenced memory at "0x0001ee6c". The memory could not be "read".


Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK   Cancel   
---------------------------

The php.ini differences with php.ini-dist:

short_open_tag = Off
output_buffering = 65535
output_handler = ob_gzhandler
allow_call_time_pass_reference = Off
memory_limit = 100M
error_reporting  = E_ALL 
log_errors = On
error_log = errors_php
register_long_arrays = Off
register_argc_argv = Off

2.Linux Fedora RC 4, Apache 2.0.54:

The Apache is not crashing anymore but the header() is still not working: 

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/a.php:1) in /var/www/html/a.php on line 0

------------------------------------
The problem I could reproduce on Linux on PHP 4.3.11 as well.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-11 12:29 UTC] cristic at interaktonline dot com
I don't know if this is correct but here is what appears into the call stack window:

 	>	php5ts.dll!zend_get_executed_lineno(void * * * tsrm_ls=0x015ee1a0)  Line 367 + 0x2 bytes	C
 	php5ts.dll!zend_error(int type=2, const char * format=0x00a60e3c, ...)  Line 930 + 0x8 bytes	C
 	php5ts.dll!sapi_header_op(int op=0, void * arg=0x0175fa00, void * * * tsrm_ls=0x015ee1a0)  Line 533 + 0xf bytes	C
 	php5ts.dll!zif_header(int ht=1, _zval_struct * return_value=0x013c2d98, _zval_struct * * return_value_ptr=0x00000000, _zval_struct * this_ptr=0x00000000, int return_value_used=0, void * * * tsrm_ls=0x015ee1a0)  Line 49 + 0x17 bytes	C
 	php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data=0x0175fa98, void * * * tsrm_ls=0x015ee1a0)  Line 192 + 0x35 bytes	C
 	php5ts.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data=0x00000000, void * * * tsrm_ls=0x015ee1a0)  Line 1587 + 0xe bytes	C
 	php5ts.dll!execute(_zend_op_array * op_array=0x00000000, void * * * tsrm_ls=0x00000000)  Line 92 + 0xc bytes	C
 	msvcrt.dll!77c39f8e() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for msvcrt.dll]	
 	user32.dll!77d510c7() 	
 	user32.dll!77d5110e() 	
 	php5ts.dll!php_execute_script(_zend_file_handle * primary_file=0x0175fdcc, void * * * tsrm_ls=0x015ee1a0)  Line 1720 + 0x12 bytes	C
 	php5apache.dll!apache_php_module_main(request_rec * r=0x007bd2f8, int display_source_mode=0, void * * * tsrm_ls=0x015ee1a0)  Line 53 + 0x1b bytes	C
 	php5apache.dll!send_php(request_rec * r=0x007bd2f8, int display_source_mode=0, char * filename=0x007bde68)  Line 643 + 0xb bytes	C
 	php5apache.dll!send_parsed_php(request_rec * r=0x007bd2f8)  Line 657 + 0xe bytes	C
 	ApacheCore.dll!6ff64bc7() 	
 	ApacheCore.dll!6ff74a73() 	
 	ApacheCore.dll!6ff74746() 	
 	ApacheCore.dll!6ff6be0f() 	
 	ws2_32.dll!71ab3a91() 	
 	ApacheCore.dll!6ff6bc5a() 	
 	msvcrt.dll!77c3a3b0() 	
 	ws2_32.dll!71ab3a91() 	
 	ws2_32.dll!71ab87a9() 	
 	kernel32.dll!7c80b50b() 	
 	ws2_32.dll!71ab3a91() 	
 	ws2_32.dll!71ab87a9() 	
 	kernel32.dll!7c8399f3() 	


for the following error:

The thread 'Win32 Thread' (0x13d4) has exited with code 0 (0x0).
Unhandled exception at 0x00876d6c (php5ts.dll) in Apache.exe: 0xC0000005: Access violation reading location 0x0001ee6c.


with this build: php5.1-win32-200601110730.zip
 [2006-01-11 12:52 UTC] cristic at interaktonline dot com
Now I am able to understand better the problem after studying the manual.

http://www.php.net/virtual
" To run the sub-request, all buffers are terminated and flushed to the browser, pending headers are sent too."

This means that the headers are sent to the browser when virtual() is used.

Now, my code from the a.php beeing:

<?php virtual('/b.php'); ?>
<?php header('Location:c.php'); ?>

The normal PHP error message should be on both Linux and Windows machines:

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/a.php:1) in /var/www/html/a.php on line 2

Windows Bug: Right now the PHP on Windows crashes (by seeing the trace), I suppose, when tries to get the line number either where the headers were sent or where the Warning is generated.

Linux Bug: The error line that is reported to generate the Warning is 0 instead of the line where the header() statement is used meaning line 2.
 [2006-04-10 13:08 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip

I can not reproduce this bug.
 [2006-04-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Jun 01 05:01:26 2020 UTC