Bug #38456 Apache2 segfaults when virtual() is called in .php ErrorDocument
Submitted: 2006-08-14 22:29 UTC Modified: 2006-11-09 19:11 UTC
From: alex dot dean at pni dot com Assigned: iliaa
Status: Closed Package: Apache2 related
PHP Version: 5.2.0RC2-dev OS: RHEL 4
Private report: No CVE-ID:
 [2006-08-14 22:29 UTC] alex dot dean at pni dot com
Description:
------------
Using a PHP script as an Apache ErrorDocument causes PHP to segfault if the PHP script uses the virtual() function.

PHP Configuration:
./configure --with-apxs2=/apps/apache_2.0.54/bin/apxs --with-mysql=/usr/local/mysql --with-zlib --with-mysqli=/usr/local/mysql/bin/mysql_config --with-gettext --enable-ftp --with-cgi --enable-cgi --with-openssl --with-gd --with-jpeg-dir=/usr --enable-mbstring=all --enable-debug

Apache Configuration:
./configure --enable-ssl --prefix=/apps/apache_2.0.54 --enable-so --enable-rewrite --with-mpm=prefork --enable-deflate --enable-headers --enable-file-cache

Reproduce code:
---------------
httpd.conf:
ErrorDocument 404 virtual1.php

virtual1.php:
<html>
<head>
  <title>Virtual and SSI Tests</title>
</head>
<body>
<? virtual('/virtual2.php'); ?>
</body>
</html>

virtual2.php:
<? echo 'Included virtual2.php.' ?>

Start browser and browse to any non-existent URL.

Neither virtual1.php nor virtual2.php causes errors when browsed to directly.  Using virtual2.php as an ErrorDocument does not cause any errors.

Expected result:
----------------
I should see 'Included virtual2.php' displayed in the browser window.

Actual result:
--------------
Actual result is a segmentation fault.

[root@dellpe2650-31 htdocs]# gdb /apps/apache_2.0.54/bin/httpd
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run -X
Starting program: /apps/apache_2.0.54/bin/httpd -X
[Thread debugging using libthread_db enabled]
[New Thread -1208023360 (LWP 23963)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208023360 (LWP 23963)]
0x010ad9aa in _zval_ptr_dtor (zval_ptr=0x8377314,
    __zend_filename=0x12ebddc "/usr/local/src/php-5.1-cvs/Zend/zend_execute.h", __zend_lineno=146)
    at /usr/local/src/php-5.1-cvs/Zend/zend_execute_API.c:393
393             (*zval_ptr)->refcount--;
(gdb) bt
#0  0x010ad9aa in _zval_ptr_dtor (zval_ptr=0x8377314,
    __zend_filename=0x12ebddc "/usr/local/src/php-5.1-cvs/Zend/zend_execute.h", __zend_lineno=146)
    at /usr/local/src/php-5.1-cvs/Zend/zend_execute_API.c:393
#1  0x010d5410 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd260) at zend_execute.h:146
#2  0x010d4f11 in execute (op_array=0x83700d4) at zend_vm_execute.h:92
#3  0x010bae5e in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php-5.1-cvs/Zend/zend.c:1109
#4  0x01082045 in php_execute_script (primary_file=0xbffff5b0) at /usr/local/src/php-5.1-cvs/main/main.c:1737
#5  0x01140898 in php_handler (r=0x835fb30) at /usr/local/src/php-5.1-cvs/sapi/apache2handler/sapi_apache2.c:586
#6  0x080b883a in ap_run_handler (r=0x835fb30) at config.c:152
#7  0x080b8c05 in ap_invoke_handler (r=0x835fb30) at config.c:364
#8  0x080a164d in ap_internal_redirect (new_uri=0x1c <Address 0x1c out of bounds>, r=0x0) at http_request.c:465
#9  0x080a1976 in ap_process_request (r=0x83584f0) at http_request.c:262
#10 0x0809d691 in ap_process_http_connection (c=0x8352258) at http_core.c:251
#11 0x080c1cd2 in ap_run_process_connection (c=0x8352258) at connection.c:43
#12 0x080b7015 in child_main (child_num_arg=28) at prefork.c:610
#13 0x080b7209 in make_child (s=0x81c9ba8, slot=0) at prefork.c:650
#14 0x080b72d0 in startup_children (number_to_start=100) at prefork.c:722
#15 0x080b79a3 in ap_mpm_run (_pconf=0xbffff910, plog=0x8200198, s=0xbffff914) at prefork.c:941
#16 0x080bca73 in main (argc=2, argv=0xbffffab4) at main.c:618
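As an added workaround example (not code from the report or from PHP itself), the same error page written to stay off the crashing code path: it detects the ErrorDocument context through Apache's REDIRECT_STATUS variable and uses a document-root-confined include there instead of virtual(), taking the subrequest path only when the script is browsed to directly. The "/error.php" mapping and the function names are assumptions.

```php
<?php
// Added workaround example, not code from bug #38456. It assumes the script is
// installed as "ErrorDocument 404 /error.php" and that the page it would have
// pulled in with virtual() ("/virtual2.php") is a file under DOCUMENT_ROOT.

// Apache runs an ErrorDocument script through an internal redirect and sets
// REDIRECT_STATUS to the original error code, so the script can tell whether
// it is serving an error or being browsed to directly.
function is_error_document_context(array $server)
{
    return isset($server['REDIRECT_STATUS']) && $server['REDIRECT_STATUS'] !== '200';
}

// Map a site-relative path to a real file confined to the document root, so the
// include can never reach outside it (null when it would, or the file is missing).
function resolve_under_docroot($docroot, $relative)
{
    $base = realpath($docroot);
    $path = realpath($docroot . '/' . ltrim($relative, '/'));
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the document root
    }
    return $path;
}

// Render the fallback page. In the ErrorDocument context use a filesystem
// include; only when browsed to directly take the virtual() subrequest path.
function render_not_found(array $server, $relative)
{
    if (is_error_document_context($server)) {
        $file = resolve_under_docroot($server['DOCUMENT_ROOT'], $relative);
        if ($file === null) {
            echo 'The requested page was not found.';
        } else {
            include $file;
        }
    } else {
        virtual($relative);
    }
}

render_not_found($_SERVER, '/virtual2.php');
```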

 [2006-08-15 06:39 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-08-15 15:36 UTC] alex dot dean at pni dot com
The problem recurs in 5.2.0RC2-dev.

Initially, this version of php failed to compile, citing errors with openssl.  Rather than debug that, I removed --with-openssl from the configure line and it compiled correctly.  Just to be sure this wasn't relevant, I also recompiled 5.1.5RC1 (which is the version I initially reported the bug in) with the same configure line, and the problem continued to exist there as well.  If you think this might be relevant, I'll try to get 5.2.0RC2-dev to build --with-openssl.

Here's the backtrace for 5.2.0RC2-dev.  The process was the same: set up apache and php as described in my original report, and then browse to a non-existent page.

#0  0x0118ab7b in zif_virtual (ht=1, return_value=0xb7d7dccc, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at /usr/local/src/php5.2-200608151430/sapi/apache2handler/php_functions.c:109
#1  0x01143885 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffd250) at zend_vm_execute.h:200
#2  0x01148174 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffd250) at zend_vm_execute.h:1657
#3  0x01143496 in execute (op_array=0xb7d7dad0) at zend_vm_execute.h:92
#4  0x01125c2f in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/local/src/php5.2-200608151430/Zend/zend.c:1095
#5  0x010e06e9 in php_execute_script (primary_file=0xbffff5b0)
    at /usr/local/src/php5.2-200608151430/main/main.c:1759
#6  0x0118a3c8 in php_handler (r=0x8367c10)
    at /usr/local/src/php5.2-200608151430/sapi/apache2handler/sapi_apache2.c:592
#7  0x080b883a in ap_run_handler (r=0x8367c10) at config.c:152
#8  0x080b8c05 in ap_invoke_handler (r=0x8367c10) at config.c:364
#9  0x080a164d in ap_internal_redirect (new_uri=0xb7d7dccc <Address 0xb7d7dccc out of bounds>, r=0x1)
    at http_request.c:465
#10 0x080a1976 in ap_process_request (r=0x8360618) at http_request.c:262
#11 0x0809d691 in ap_process_http_connection (c=0x835a380) at http_core.c:251
#12 0x080c1cd2 in ap_run_process_connection (c=0x835a380) at connection.c:43
#13 0x080b7015 in child_main (child_num_arg=-1210590004) at prefork.c:610
#14 0x080b7209 in make_child (s=0x81c9ba8, slot=0) at prefork.c:650
#15 0x080b72d0 in startup_children (number_to_start=100) at prefork.c:722
#16 0x080b79a3 in ap_mpm_run (_pconf=0xbffff910, plog=0x8200198, s=0xbffff914) at prefork.c:941
#17 0x080bca73 in main (argc=2, argv=0xbffffab4) at main.c:618
 [2006-08-15 15:51 UTC] alex dot dean at pni dot com
Note: 5.2 was php5.2-200608151430
 [2006-09-11 14:41 UTC] alex dot dean at pni dot com
Hello.  Has anyone had a chance to look at this yet?
 [2006-10-14 22:21 UTC] alex dot dean at pni dot com
no interest in this one?
 [2006-11-09 19:11 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 21:01:55 2014 UTC