php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #36079 Crash in session encode
Submitted: 2006-01-19 10:35 UTC Modified: 2006-01-19 14:44 UTC
From: njewell at matrix-data dot co dot uk Assigned:
Status: Not a bug Package: Session related
PHP Version: 5CVS-2006-01-19 (snap) OS: Windows XP
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2006-01-19 10:35 UTC] njewell at matrix-data dot co dot uk 
Description:
------------
I am seeing Apache crash upon saving a session.  This is reproducable in 5.0.5, 5.1.x and current snap.

PHP is configured as php.ini-recommended, but with:

curl, gd2 on
display errors on
correct session save path


Actual result:
--------------
php5ts.dll!zend_hash_internal_pointer_reset_ex(_hashtable * ht=0x3e612f3c, bucket * * pos=0x00000000)  Line 1000 + 0x4	C
 	php5ts.dll!ps_srlzr_encode_php(char * * newstr=0x00913eb4, int * newlen=0x0546fa44, void * * * tsrm_ls=0x0546fa68)  Line 483 + 0x20	C
 	php5ts.dll!php_session_encode(int * newlen=0x00f6ffe0, void * * * tsrm_ls=0x00bf8a60)  Line 571 + 0xe	C
 	php5ts.dll!php_session_flush(void * * * tsrm_ls=0x00f6ffe0)  Line 1806 + 0x6	C
 	php5ts.dll!zm_deactivate_session(int type=1, int module_number=11, void * * * tsrm_ls=0x00f6ffe0)  Line 1821	C
 	php5ts.dll!module_registry_cleanup(_zend_module_entry * module=0x0068baf0, void * * * tsrm_ls=0x00f6ffe0)  Line 1797 + 0x11	C
 	php5ts.dll!zend_hash_apply(_hashtable * ht=0x007e24bd, int (void *, void * * *)* apply_func=0x00bf8a60, void * * * tsrm_ls=0x007e70e0)  Line 664 + 0x7	C
 	php5ts.dll!zend_deactivate_modules(void * * * tsrm_ls=0x00f6ffe0)  Line 824 + 0x10	C
 	php5ts.dll!php_request_shutdown(void * dummy=0x00000000)  Line 1267	C
 	php5apache2.dll!php_apache_request_dtor(request_rec * r=0x012d37e0, void * * * tsrm_ls=0x00f6ffe0)  Line 442 + 0x8	C
 	php5apache2.dll!php_handler(request_rec * r=0x012d37e0)  Line 602	C
 	libhttpd.dll!ap_run_handler(request_rec * r=0x012d37e0)  Line 153 + 0x1f	C
 	libhttpd.dll!ap_invoke_handler(request_rec * r=0x6ff09a56)  Line 368	C
 	libhttpd.dll!ap_process_http_connection(conn_rec * c=0x6ff0426f)  Line 251 + 0x6	C
 	libhttpd.dll!ap_run_process_connection(conn_rec * c=0x012619d8)  Line 43 + 0x1f	C
 	libhttpd.dll!ap_process_connection(conn_rec * c=0x012619d8, void * csd=0x01261908)  Line 176 + 0x6	C
 	libhttpd.dll!worker_main(void * thread_num_val=0x77c3a3b0)  Line 733	C
 	msvcrt.dll!77c3a3b0() 	
 	kernel32.dll!7c80b50b()

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-19 14:38 UTC] njewell at matrix-data dot co dot uk 
Code to reproduce:

<?php
function r($a = array(), $l = 0)
{
        if ($l == 5) return;
        $a = array(0, 1);
        for ($i=0; $i<count($a); $i++)
                $a[$i] = r($a, $l+1);
        return $a;
}

session_name("foo");
session_start();

for ($i=0;$i<1000;$i++)
        $_SESSION['STUFF_'.$i] = r();

// Kills PHP
foreach ($_SESSION as $key => $value)
        unset($_SESSION[$key]);

// Works
//foreach (array_keys($_SESSION) as $key)
//      unset($_SESSION[$key]);
?>
 [2006-01-19 14:44 UTC] sniper@php.net 
You simply run out of memory and stack. No real bug here. 
free hint: Don't do that.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat May 18 09:01:33 2024 UTC