Bug #36293 zend/php crashes with server side includes in 5.0.4
Submitted: 2006-02-05 15:52 UTC Modified: 2006-02-05 16:03 UTC
From: gw at gnc dot at Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.1.2 OS: suse sles9 kernel 2.6.5
Private report: No CVE-ID: None
 [2006-02-05 15:52 UTC] gw at gnc dot at
Description:
------------
PHP 5.0.4, httpd 2.0.55 on a SUSE SLES 9.

httpd crashes when using server-side includes.

No idea if this belongs to PHP only... I'm not using any 3rd-party products, just a plain PHP 5.0.4 installation.
No changes to php.ini.
Upgrade is not possible due to external customer scripts.

PHP config:

'./configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql' '--enable-ftp' '--enable-trans-sid' '--enable-track-vars' '--enable-imap' '--with-gettext' '--with-oci8=/opt/oracle/ora9i' '--without-sqlite'

Reproduce code:
---------------
<!--#config timefmt="%d. %m., %H:%M" -->

Actual result:
--------------
zaphod:/usr/local/apache/bin # gdb ./httpd
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-suse-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run -X
Starting program: /usr/local/apache2/bin/httpd -X
[Thread debugging using libthread_db enabled]
[New Thread 1076812448 (LWP 29354)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076812448 (LWP 29354)]
zend_hash_index_find (ht=0x90a3e69, h=2, pData=0x90a3e69) at /root/software/php-5.0.4/Zend/zend_hash.c:955
955         if ((p->h == h) && (p->nKeyLength == 0)) {
(gdb) bt
#0  zend_hash_index_find (ht=0x90a3e69, h=2, pData=0x90a3e69) at /root/software/php-5.0.4/Zend/zend_hash.c:955
#1  0x4045b038 in _zend_list_delete (id=2) at /root/software/php-5.0.4/Zend/zend_list.c:55
#2  0x404305fc in _php_stream_free (stream=0x82f988c, close_options=3) at /root/software/php-5.0.4/main/streams/streams.c:310
#3  0x40420461 in stream_closer_for_zend (handle=0x82f988c) at /root/software/php-5.0.4/main/main.c:843
#4  0x4043f913 in zend_file_handle_dtor (fh=0x82f99ac) at zend_language_scanner.l:246
#5  0x4044cb29 in zend_llist_del_element (l=0x404cf2d4, element=0xbfffef40, compare=0x4043b770 <zend_compare_file_handles>) at /root/software/php-5.0.4/Zend/zend_llist.c:104
#6  0x4043f769 in zend_destroy_file_handle (file_handle=0xbfffef40) at zend_language_scanner.l:284
#7  0x40452909 in zend_execute_scripts (type=2, retval=0x0, file_count=1) at /root/software/php-5.0.4/Zend/zend.c:1066
#8  0x40482466 in php_handler (r=0x82f76e0) at /root/software/php-5.0.4/sapi/apache2handler/sapi_apache2.c:557
#9  0x0808612b in ap_run_handler (r=0x82f76e0) at config.c:152
#10 0x08088aa5 in ap_invoke_handler (r=0x82f76e0) at config.c:364
#11 0x0809b278 in ap_run_sub_req (r=0x82f76e0) at request.c:1855
#12 0x080658cc in handle_include (ctx=0x82d7878, bb=0xbffff1bc, r=0x82e3298, f=0x82dd438, head_ptr=0x82db850, inserted_head=0xbffff1c0) at mod_include.c:742
#13 0x080638f9 in includes_filter (f=0x82dd438, b=0x82dd578) at mod_include.c:3309
#14 0x0809200b in ap_pass_brigade (next=0x82dd438, bb=0x82dd578) at util_filter.c:512
#15 0x08099aad in default_handler (r=0x82e3298) at core.c:3640
#16 0x0808612b in ap_run_handler (r=0x82e3298) at config.c:152
#17 0x08088aa5 in ap_invoke_handler (r=0x82e3298) at config.c:364
#18 0x0806e7af in ap_process_request (r=0x82e3298) at http_request.c:249
#19 0x08069e1c in ap_process_http_connection (c=0x82d7340) at http_core.c:251
#20 0x0809007b in ap_run_process_connection (c=0x82d7340) at connection.c:43
#21 0x08085238 in child_main (child_num_arg=<value optimized out>) at prefork.c:610
#22 0x0808538e in make_child (s=0x80c6c88, slot=0) at prefork.c:650
#23 0x08085451 in startup_children (number_to_start=5) at prefork.c:722
#24 0x08085b1d in ap_mpm_run (_pconf=0x80c20a8, plog=0x80fc190, s=0x80c6c88) at prefork.c:941
#25 0x0808ac7c in main (argc=2, argv=0xbffff614) at main.c:618
#0  zend_hash_index_find (ht=0x90a3e69, h=2, pData=0x90a3e69) at /root/software/php-5.0.4/Zend/zend_hash.c:955
        nIndex = 2
        p = (Bucket *) 0x90a3e69
#1  0x4045b038 in _zend_list_delete (id=2) at /root/software/php-5.0.4/Zend/zend_list.c:55
        le = <value optimized out>
#2  0x404305fc in _php_stream_free (stream=0x82f988c, close_options=3) at /root/software/php-5.0.4/main/streams/streams.c:310
        ret = 1
        remove_rsrc = <value optimized out>
        release_cast = 1
#3  0x40420461 in stream_closer_for_zend (handle=0x82f988c) at /root/software/php-5.0.4/main/main.c:843
No locals.
#4  0x4043f913 in zend_file_handle_dtor (fh=0x82f99ac) at zend_language_scanner.l:246
No locals.
#5  0x4044cb29 in zend_llist_del_element (l=0x404cf2d4, element=0xbfffef40, compare=0x4043b770 <zend_compare_file_handles>) at /root/software/php-5.0.4/Zend/zend_llist.c:104
        current = (zend_llist_element *) 0x82f99a4
        next = (zend_llist_element *) 0x0
#6  0x4043f769 in zend_destroy_file_handle (file_handle=0xbfffef40) at zend_language_scanner.l:284
No locals.
#7  0x40452909 in zend_execute_scripts (type=2, retval=0x0, file_count=1) at /root/software/php-5.0.4/Zend/zend.c:1066
        params = <value optimized out>
        retval2 = (zval *) 0x1
        old_exception = (zval *) 0x82f950c
        ex_class_name = "`\223/\b??#@\"\000\000F(?\024@?\217/\bIRCS8???s?\023@?\002\v\b?\002\v\b????????\033\000\000\000\220\021/\000\"", '\0' <repeats 11 times>, "\023\000\000\000H\220/\b?\217/\b?\201/\b?\002\v\b\bz/\b v/\b3?\n\b\bz/\bh???%?\b\b\bz/\b?\002\v\b?\201/\b\020\225/\b"
        files = <value optimized out>
        i = 0
        file_handle = (zend_file_handle *) 0xbfffef40
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#8  0x40482466 in php_handler (r=0x82f76e0) at /root/software/php-5.0.4/sapi/apache2handler/sapi_apache2.c:557
        zfd = {type = 5 '\005', filename = 0x82f84d0 "/home/webspace/www.waa.at/htdocs/feat_modules/mod_sem_wise.html",
  opened_path = 0x82f97ac "/data1/webspace/www.waa.at/htdocs/feat_modules/mod_sem_wise.html", handle = {fd = 137336972, fp = 0x82f988c, stream = {handle = 0x82f988c,
      reader = 0x4042f9e0 <_php_stream_read>, closer = 0x40420450 <stream_closer_for_zend>, interactive = 0}}, free_filename = 0 '\0'}
        orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32 times>}}}}
        ctx = (php_struct *) 0x82f7518
        brigade = (apr_bucket_brigade *) 0x82f7590
        bucket = <value optimized out>
        rv = <value optimized out>
        parent_req = (request_rec *) 0x82f56d8
        content_type = <value optimized out>
        content_length = <value optimized out>
        auth = <value optimized out>
#9  0x0808612b in ap_run_handler (r=0x82f76e0) at config.c:152
        pHook = (ap_LINK_handler_t *) 0x81e5a7c
        n = 7
        rv = 151666281
#10 0x08088aa5 in ap_invoke_handler (r=0x82f76e0) at config.c:364
        new_handler = <value optimized out>
        p2 = <value optimized out>
        handler = 0x816b9d8 "application/x-httpd-php"
        result = <value optimized out>
        old_handler = 0x0
#11 0x0809b278 in ap_run_sub_req (r=0x82f76e0) at request.c:1855
        retval = 0
#12 0x080658cc in handle_include (ctx=0x82d7878, bb=0xbffff1bc, r=0x82e3298, f=0x82dd438, head_ptr=0x82db850, inserted_head=0xbffff1c0) at mod_include.c:742
        tag_plus = <value optimized out>
        tag = <value optimized out>
        tag_val = 0x82e5348 "/feat_modules/mod_sem_wise.html"
        tmp_buck = <value optimized out>
        parsed_string = <value optimized out>
#13 0x080638f9 in includes_filter (f=0x82dd438, b=0x82dd578) at mod_include.c:3309
        dummy = (apr_bucket *) 0x0
        tag = <value optimized out>
        tag_len = <value optimized out>
        carg = <value optimized out>
        handle_func = (include_handler_fn_t *) 0x8065610 <handle_include>
        r = <value optimized out>
        ctx = <value optimized out>
        conf = (include_dir_config *) 0x81016a8
        sconf = (include_server_config *) 0x81001a0
#14 0x0809200b in ap_pass_brigade (next=0x82dd438, bb=0x82dd578) at util_filter.c:512
        e = <value optimized out>
#15 0x08099aad in default_handler (r=0x82e3298) at core.c:3640
        req_cfg = <value optimized out>
        c = (conn_rec *) 0x82d7340
        bb = (apr_bucket_brigade *) 0x82dd578
        e = (apr_bucket *) 0x82db3f0
        d = (core_dir_config *) 0x82e5170
        errstatus = 137221500
        fd = (apr_file_t *) 0x82dd488
        status = <value optimized out>
        bld_content_md5 = 137212912
#16 0x0808612b in ap_run_handler (r=0x82e3298) at config.c:152
        pHook = (ap_LINK_handler_t *) 0x81e5aa4
        n = 9
        rv = 151666281
#17 0x08088aa5 in ap_invoke_handler (r=0x82e3298) at config.c:364
        new_handler = <value optimized out>
        p2 = <value optimized out>
        handler = 0x1 <Address 0x1 out of bounds>
        result = <value optimized out>
        old_handler = 0x80a4afe "default-handler"
#18 0x0806e7af in ap_process_request (r=0x82e3298) at http_request.c:249
        access_status = <value optimized out>
#19 0x08069e1c in ap_process_http_connection (c=0x82d7340) at http_core.c:251
        r = (request_rec *) 0x82e3298
        csd_set = 1
        csd = (apr_socket_t *) 0x82d7268
#20 0x0809007b in ap_run_process_connection (c=0x82d7340) at connection.c:43
        pHook = (ap_LINK_process_connection_t *) 0x81e5e88
        n = 0
        rv = 151666281
#21 0x08085238 in child_main (child_num_arg=<value optimized out>) at prefork.c:610
        ptrans = (apr_pool_t *) 0x82d7230
        allocator = (apr_allocator_t *) 0x82d51a0
        current_conn = (conn_rec *) 0x82d7340
        status = <value optimized out>
        i = <value optimized out>
        lr = <value optimized out>
        curr_pollfd = <value optimized out>
        last_pollfd = 0
        pollset = (apr_pollfd_t *) 0x82d52c0
        offset = <value optimized out>
        csd = (void *) 0x82d7268
        sbh = (ap_sb_handle_t *) 0x82d52a0
        rv = <value optimized out>
        bucket_alloc = (apr_bucket_alloc_t *) 0x82db240
#22 0x0808538e in make_child (s=0x80c6c88, slot=0) at prefork.c:650
        pid = <value optimized out>
#23 0x08085451 in startup_children (number_to_start=5) at prefork.c:722
        i = 0
#24 0x08085b1d in ap_mpm_run (_pconf=0x80c20a8, plog=0x80fc190, s=0x80c6c88) at prefork.c:941
        pidfile = <value optimized out>
        index = <value optimized out>
        remaining_children_to_start = 5
        rv = <value optimized out>
#25 0x0808ac7c in main (argc=2, argv=0xbffff614) at main.c:618
        exit_status = <value optimized out>
        c = <value optimized out>
        configtestonly = 0
        confname = 0x80ae586 "conf/httpd.conf"
        def_server_root = 0x80af104 "/usr/local/apache2"
        temp_error_log = 0x0
        process = <value optimized out>
        server_conf = (server_rec *) 0x80c6c88
        pglobal = (apr_pool_t *) 0x80c00a0
        pconf = (apr_pool_t *) 0x80c20a8
        plog = (apr_pool_t *) 0x80fc190
        ptemp = (apr_pool_t *) 0x81051b0
        pcommands = (apr_pool_t *) 0x80c40b0
        opt = <value optimized out>
        rv = <value optimized out>
        mod = <value optimized out>
        optarg = 0x0
        signal_server = <value optimized out>
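A small crash-triage helper, added here as an example and not part of the bug report, that parses the gdb backtrace above and pulls out what a reviewer checks first: the faulting function, pointer arguments that look like garbage (in frame 0, `ht` and `pData` carry the same odd-valued address, which no valid HashTable pointer would on this build), and where the PHP handler was entered from (an Apache subrequest issued by mod_include, i.e. the SSI path). The frame lines embedded in the block are copied from the report's own `bt` output; the 4-byte pointer alignment is an assumption based on the i586 target gdb prints.

```python
import re
from dataclasses import dataclass

# Frames 0-12 copied from the gdb "bt" output in the report above; the outer
# Apache frames (13-25) are left out because they add no triage signal.
BACKTRACE = """\
#0  zend_hash_index_find (ht=0x90a3e69, h=2, pData=0x90a3e69) at /root/software/php-5.0.4/Zend/zend_hash.c:955
#1  0x4045b038 in _zend_list_delete (id=2) at /root/software/php-5.0.4/Zend/zend_list.c:55
#2  0x404305fc in _php_stream_free (stream=0x82f988c, close_options=3) at /root/software/php-5.0.4/main/streams/streams.c:310
#3  0x40420461 in stream_closer_for_zend (handle=0x82f988c) at /root/software/php-5.0.4/main/main.c:843
#4  0x4043f913 in zend_file_handle_dtor (fh=0x82f99ac) at zend_language_scanner.l:246
#5  0x4044cb29 in zend_llist_del_element (l=0x404cf2d4, element=0xbfffef40, compare=0x4043b770 <zend_compare_file_handles>) at /root/software/php-5.0.4/Zend/zend_llist.c:104
#6  0x4043f769 in zend_destroy_file_handle (file_handle=0xbfffef40) at zend_language_scanner.l:284
#7  0x40452909 in zend_execute_scripts (type=2, retval=0x0, file_count=1) at /root/software/php-5.0.4/Zend/zend.c:1066
#8  0x40482466 in php_handler (r=0x82f76e0) at /root/software/php-5.0.4/sapi/apache2handler/sapi_apache2.c:557
#9  0x0808612b in ap_run_handler (r=0x82f76e0) at config.c:152
#10 0x08088aa5 in ap_invoke_handler (r=0x82f76e0) at config.c:364
#11 0x0809b278 in ap_run_sub_req (r=0x82f76e0) at request.c:1855
#12 0x080658cc in handle_include (ctx=0x82d7878, bb=0xbffff1bc, r=0x82e3298, f=0x82dd438, head_ptr=0x82db850, inserted_head=0xbffff1c0) at mod_include.c:742
"""

# One gdb frame line: "#N  [0xADDR in ]func (args) at file:line"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x(?P<addr>[0-9a-f]+) in )?(?P<func>\w+) "
    r"\((?P<args>.*)\) at (?P<file>\S+):(?P<line>\d+)$"
)


@dataclass
class Frame:
    num: int
    func: str
    args: dict  # argument name -> value exactly as gdb printed it
    file: str
    line: int


def parse_backtrace(text):
    """Parse gdb 'bt' frame lines; banner, prompt and locals lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        args = {}
        for item in filter(None, m.group("args").split(", ")):
            name, _, value = item.partition("=")
            args[name] = value
        frames.append(Frame(int(m.group("num")), m.group("func"), args,
                            m.group("file"), int(m.group("line"))))
    return frames


def _pointer(value):
    """Integer value of a printed pointer argument ("0x... [<symbol>]"), else None."""
    token = value.split()[0] if value else ""
    return int(token, 16) if token.startswith("0x") else None


def misaligned_pointer_args(frame, align=4):
    """Pointer arguments not aligned to `align` bytes (4 assumed: i586 build)."""
    out = []
    for name, value in frame.args.items():
        ptr = _pointer(value)
        if ptr is not None and ptr % align:
            out.append(name)
    return out


def aliased_pointer_args(frame):
    """Pairs of distinct pointer arguments that hold the same address."""
    names = list(frame.args)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = _pointer(frame.args[a]), _pointer(frame.args[b])
            if pa is not None and pa == pb:
                pairs.append((a, b))
    return pairs


def component(frame):
    """Attribute a frame to PHP or Apache from its source file path."""
    base = frame.file.rsplit("/", 1)[-1]
    return "php" if "php-" in frame.file or base.startswith("zend") else "apache"


def triage(frames):
    """Summarise the crash: fault site, suspect pointers, and how PHP was entered."""
    php = [f for f in frames if component(f) == "php"]
    outermost = max(php, key=lambda f: f.num) if php else None
    caller = None
    if outermost is not None:
        caller = next((f for f in frames if f.num == outermost.num + 1), None)
    return {
        "fault_func": frames[0].func,
        "misaligned": misaligned_pointer_args(frames[0]),
        "aliased": aliased_pointer_args(frames[0]),
        "outermost_php_frame": outermost.func if outermost else None,
        "entered_from": caller.func if caller else None,
        "ssi_involved": any(f.file == "mod_include.c" for f in frames),
    }


if __name__ == "__main__":
    for key, value in triage(parse_backtrace(BACKTRACE)).items():
        print(f"{key}: {value}")
```

Run on the report's frames, the summary shows the fault in `zend_hash_index_find` with both `ht` and `pData` misaligned and aliased (a stale or garbage resource-list pointer being dereferenced while a stream is freed), the PHP side entered via `php_handler` from `ap_run_handler`, and mod_include on the stack, which is what ties the crash to the SSI subrequest rather than to a direct PHP request.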


 [2006-02-05 16:03 UTC] tony2001@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Fixed long time ago in 5.1.x branch.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Mar 28 22:01:23 2020 UTC