Bug #38534 segmentation fault
Submitted: 2006-08-21 13:15 UTC Modified: 2006-08-28 20:00 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dgehl at inverse dot ca Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.4.4 OS: RHEL 4
Private report: No CVE-ID:
 [2006-08-21 13:15 UTC] dgehl at inverse dot ca
Description:
------------
PHP segfaults on the setlocale function. I can also reproduce this bug with PHP 4.3.9.

Here are the PHP and apache versions:

# httpd -v
Server version: Apache/2.0.52
Server built:   Aug  2 2006 05:21:10

# php -v
PHP 4.4.4 (cgi) (built: Aug 21 2006 08:52:53) (DEBUG)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies



Reproduce code:
---------------
1. Install Horde 3.1.3, IMP 4.1.3 (http://www.horde.org)
2. Configure horde with
$conf['log']['priority'] = PEAR_LOG_DEBUG;
$conf['sessionhandler']['type'] = 'pgsql';
3. Open the Horde login page in a browser, followed by several other pages. The bug is not related to one particular page, but will appear sometime ...

Expected result:
----------------
no segfault

Actual result:
--------------
PHP was compiled with
'./configure' '--host=i686-redhat-linux-gnu' '--build=i686-redhat-linux-gnu' '--target=i386-redhat-linux' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--enable-force-cgi-redirect' '--enable-debug' '--enable-pic' '--disable-rpath' '--enable-inline-optimization' '--with-bz2' '--with-db4=/usr' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--with-gd=shared' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-ncurses=shared' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-png' '--with-pspell' '--with-xml' '--with-expat-dir=/usr' '--with-dom=shared,/usr' '--with-dom-xslt=/usr' '--with-dom-exslt=/usr' '--with-xmlrpc=shared' '--with-pcre-regex=/usr' '--with-zlib' '--with-mcrypt' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-track-vars' '--enable-trans-sid' '--with-pear=/usr/share/pear' '--with-imap=shared' '--with-imap-ssl' '--with-kerberos' '--with-ldap=shared' '--with-mysql=shared,/usr' '--with-pgsql=shared' '--with-snmp=shared,/usr' '--with-snmp=shared' '--enable-ucd-snmp-hack' '--with-unixODBC=shared,/usr' '--disable-memory-limit' '--disable-ipv6' '--enable-shmop' '--enable-calendar' '--enable-dbx' '--enable-dio' '--enable-mbstring=shared' '--enable-mbstr-enc-trans' '--enable-mbregex' '--with-mime-magic=/usr/share/file/magic.mime' '--with-apxs2=/usr/sbin/apxs'



And here's a gdb backtrace:

(gdb) bt
#0  0x00377a2c in memcpy () from /lib/tls/libc.so.6
#1  0x01125795 in _mem_block_check (ptr=0x9a286dc, silent=0,
    __zend_filename=0x116a1f0 "/usr/src/redhat/BUILD/php-4.4.4/ext/standard/string.c", __zend_lineno=3153, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_alloc.c:698
#2  0x01125757 in _mem_block_check (ptr=0x9a286dc, silent=1,
    __zend_filename=0x116a1f0 "/usr/src/redhat/BUILD/php-4.4.4/ext/standard/string.c", __zend_lineno=3153, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_alloc.c:690
#3  0x01124aa4 in _efree (ptr=0x9a286dc,
    __zend_filename=0x116a1f0 "/usr/src/redhat/BUILD/php-4.4.4/ext/standard/string.c", __zend_lineno=3153, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_alloc.c:258
#4  0x010d6c42 in zif_setlocale (ht=2, return_value=0x9a7045c, this_ptr=0x0,
    return_value_used=0)
    at /usr/src/redhat/BUILD/php-4.4.4/ext/standard/string.c:3153
#5  0x0114bd8a in execute (op_array=0x95d9cb4)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute.c:1675
#6  0x0114bfb6 in execute (op_array=0x979af2c)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute.c:1719
#7  0x0112d7ab in call_user_function_ex (function_table=0x97ac060,
    object_pp=0x97a4610, function_name=0x979b6fc, retval_ptr_ptr=0xbff187b8,
    param_count=2, params=0x9a68f9c, no_separation=1, symbol_table=0x0)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute_API.c:570
#8  0x0112ce4d in call_user_function (function_table=0x94a9140, object_pp=0x0,
    function_name=0x97a46ec, retval_ptr=0x9ad6de4, param_count=2,
    params=0xbff18838)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute_API.c:407
#9  0x01076fad in ps_call_handler (func=0x97a46ec, argc=2, argv=0xbff18838)
    at /usr/src/redhat/BUILD/php-4.4.4/ext/session/mod_user.c:60
#10 0x01077576 in ps_write_user (mod_data=0x1195b50,
    key=0x97509a4 "0c603dda253af1e1e712d42b20dfb3c7",
    val=0x9b27f0c "imp|a:29:{s:5:\"cache\";a:0:{}s:4:\"pass\";s:8:\"\200&\224_\236\036L\";s:11:\"_logintasks\";i:0;s:4:\"user\";s:11:\"xxxxxxxxxxx\";s:8:\"uniquser\";s:23:\"xxxxxxxxxxx@xxxxxxx.xxx\";s:6:\"server\";s:9:\"localhost\";s:3:\"acl\";b:0;s:5:"..., vallen=80442)
    at /usr/src/redhat/BUILD/php-4.4.4/ext/session/mod_user.c:148
#11 0x01072f90 in php_session_save_current_state ()
    at /usr/src/redhat/BUILD/php-4.4.4/ext/session/session.c:727
#12 0x0107610c in php_session_flush ()
    at /usr/src/redhat/BUILD/php-4.4.4/ext/session/session.c:1683
#13 0x01076150 in zm_deactivate_session (type=1, module_number=8)
    at /usr/src/redhat/BUILD/php-4.4.4/ext/session/session.c:1697
#14 0x0113a76c in module_registry_cleanup (module=0x9546760)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_API.c:1168
#15 0x0113d57e in zend_hash_apply (ht=0x1199f60,
    apply_func=0x113a729 <module_registry_cleanup>)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_hash.c:703
#16 0x011369bf in zend_deactivate_modules ()
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend.c:674
#17 0x010fe32b in php_request_shutdown (dummy=0x0)
    at /usr/src/redhat/BUILD/php-4.4.4/main/main.c:984
#18 0x01151543 in php_apache_request_dtor (r=0x95adf30)
    at /usr/src/redhat/BUILD/php-4.4.4/sapi/apache2handler/sapi_apache2.c:443
#19 0x01151baf in php_handler (r=0x95adf30)
    at /usr/src/redhat/BUILD/php-4.4.4/sapi/apache2handler/sapi_apache2.c:598
#20 0x00f7c9d7 in ap_run_handler () from /usr/sbin/httpd
#21 0x00f7ce43 in ap_invoke_handler () from /usr/sbin/httpd
#22 0x00f798c5 in ap_process_request () from /usr/sbin/httpd
#23 0x00f7463f in _start () from /usr/sbin/httpd
#24 0x095adf30 in ?? ()
#25 0x00000004 in ?? ()
#26 0x095adf30 in ?? ()
#27 0x095a1a38 in ?? ()
#28 0x095a1ee7 in ?? ()
#29 0x00000000 in ?? ()
(gdb) frame 5
#5  0x0114bd8a in execute (op_array=0x95d9cb4)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute.c:1675
1675    /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute.c: No such file or directory.
        in /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute.c

(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x1161c1d "setlocale"

(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x95d1bc4 "logmessage"

(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x95d8a2c "/var/www/html/horde-3.1.3/lib/Horde.php"
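The backtrace above is typical of what a debug build of PHP (`--enable-debug`) produces when a freed pointer is handed back to the allocator: the crash is reported inside `_mem_block_check`/`_efree`, and the frame that matters for triage is the first in-tree frame above that machinery (`zif_setlocale` at `ext/standard/string.c:3153`), reached from the user session `write` handler during `php_request_shutdown`. The following is an added triage helper, not part of this report or of PHP: a small Python parser that joins gdb's indented continuation lines, glues back hard wraps inserted by the terminal (the `stri` / `ng.c` split seen above), drops pager prompts, and reports where the crash sits. The embedded sample backtrace is an abridged, constructed copy of the one in this report; the source-root prefix and the function names it looks for are taken from that backtrace.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: an abridged copy of the gdb backtrace from this
# report (frames 6-8, 11-16, 18-19, 21-23 and 25-29 omitted). Frame #1 keeps
# the terminal hard wrap ('stri' / 'ng.c') and a pager prompt is left in.
SAMPLE_BT = """\
#0  0x00377a2c in memcpy () from /lib/tls/libc.so.6
#1  0x01125795 in _mem_block_check (ptr=0x9a286dc, silent=0,
    __zend_filename=0x116a1f0 "/usr/src/redhat/BUILD/php-4.4.4/ext/standard/stri
ng.c", __zend_lineno=3153, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_alloc.c:698
#2  0x01125757 in _mem_block_check (ptr=0x9a286dc, silent=1,
    __zend_filename=0x116a1f0 "/usr/src/redhat/BUILD/php-4.4.4/ext/standard/string.c", __zend_lineno=3153, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_alloc.c:690
#3  0x01124aa4 in _efree (ptr=0x9a286dc,
    __zend_filename=0x116a1f0 "/usr/src/redhat/BUILD/php-4.4.4/ext/standard/string.c", __zend_lineno=3153, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_alloc.c:258
#4  0x010d6c42 in zif_setlocale (ht=2, return_value=0x9a7045c, this_ptr=0x0,
    return_value_used=0)
    at /usr/src/redhat/BUILD/php-4.4.4/ext/standard/string.c:3153
#5  0x0114bd8a in execute (op_array=0x95d9cb4)
    at /usr/src/redhat/BUILD/php-4.4.4/Zend/zend_execute.c:1675
---Type <return> to continue, or q <return> to quit---
#9  0x01076fad in ps_call_handler (func=0x97a46ec, argc=2, argv=0xbff18838)
    at /usr/src/redhat/BUILD/php-4.4.4/ext/session/mod_user.c:60
#10 0x01077576 in ps_write_user (mod_data=0x1195b50,
    key=0x97509a4 "0c603dda253af1e1e712d42b20dfb3c7", val=0x9b27f0c "imp|a:29:{"..., vallen=80442)
    at /usr/src/redhat/BUILD/php-4.4.4/ext/session/mod_user.c:148
#17 0x010fe32b in php_request_shutdown (dummy=0x0)
    at /usr/src/redhat/BUILD/php-4.4.4/main/main.c:984
#20 0x00f7c9d7 in ap_run_handler () from /usr/sbin/httpd
#24 0x095adf30 in ?? ()
"""

PAGER_PROMPT = "---Type <return> to continue"
HEAD_RE = re.compile(r"#(\d+)\s+(?:(0x[0-9a-fA-F]+) in )?(\S+) \(")
LOC_RE = re.compile(r" at (\S+):(\d+)$")
LIB_RE = re.compile(r" from (\S+)$")
# Zend allocator / debug-check functions and libc's memcpy: where the corruption
# is detected, not where it originates.
ALLOCATOR = {"memcpy", "_mem_block_check", "_efree", "_emalloc", "_erealloc"}


@dataclass
class Frame:
    number: int
    address: Optional[str]
    function: str
    file: Optional[str] = None
    line: Optional[int] = None
    library: Optional[str] = None


def split_frames(text: str) -> list:
    """Group raw backtrace lines into one string per frame.

    gdb indents its own continuation lines; an unindented line that is not a
    frame header is a hard wrap from the terminal and is glued back without a
    separator. Pager prompts and blank lines are dropped.
    """
    frames = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(PAGER_PROMPT):
            continue
        if re.match(r"#\d+\s", line):
            frames.append(line.rstrip())
        elif not frames:
            continue  # text before the first frame
        elif line[0].isspace():
            frames[-1] += " " + line.strip()
        else:
            frames[-1] += line.rstrip()
    return frames


def parse_frame(text: str) -> Frame:
    """Extract number, address, function and source location from one frame."""
    m = HEAD_RE.match(text)
    if not m:
        raise ValueError("not a gdb frame: " + text[:40])
    frame = Frame(int(m.group(1)), m.group(2), m.group(3))
    loc = LOC_RE.search(text)
    if loc:
        frame.file, frame.line = loc.group(1), int(loc.group(2))
    else:
        lib = LIB_RE.search(text)
        if lib:
            frame.library = lib.group(1)
    return frame


def triage(text: str, source_root: str) -> dict:
    """Summarise a backtrace: where it died, which in-tree code called the allocator,
    and whether the request-shutdown / user session handler path is on the stack."""
    frames = [parse_frame(f) for f in split_frames(text)]
    in_tree = [f for f in frames if f.file and f.file.startswith(source_root)]
    faulting = next((f for f in in_tree if f.function not in ALLOCATOR), None)
    names = {f.function for f in frames}
    return {
        "frames": frames,
        "crash_site": frames[0] if frames else None,
        "faulting_frame": faulting,
        "debug_allocator_check": "_mem_block_check" in names,
        "during_request_shutdown": "php_request_shutdown" in names,
        "via_user_session_handler": "ps_call_handler" in names,
    }


if __name__ == "__main__":
    r = triage(SAMPLE_BT, "/usr/src/redhat/BUILD/php-4.4.4/")
    c, f = r["crash_site"], r["faulting_frame"]
    print(f"{len(r['frames'])} frames; crashed in {c.function} ({c.library})")
    print(f"faulting in-tree frame: {f.function} at {f.file}:{f.line}")
    for key in ("debug_allocator_check", "during_request_shutdown", "via_user_session_handler"):
        print(f"{key}: {r[key]}")
```

Feed it the full backtrace from a report (`python3 bt_triage.py < bt.txt` after swapping `SAMPLE_BT` for `sys.stdin.read()`) and the same three flags tell you, before reading a single frame by hand, whether a crash is in the allocator's checks, whether it fires at request shutdown, and whether user-supplied session handler code is on the path.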


 [2006-08-21 13:17 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2006-08-28 17:21 UTC] dgehl at inverse dot ca
<?php

session_set_save_handler('open', 'close', 'read', 'write', 'destroy', 'gc');
@session_start();

$lang_charset='en_US.UTF8';
setlocale(LC_ALL, $lang_charset);
@putenv('LANG=' . $lang_charset);
@putenv('LANGUAGE=' . $lang_charset);

// Save the current LC_TIME locale, switch to "C", then restore it.
$locale = setlocale(LC_TIME, 0);
setlocale(LC_TIME, 'C');
setlocale(LC_TIME, $locale);

function open($save_path, $session_name) {
  return true;
}

function close() {
  return true;
}

function read($id) {
  $locale = setlocale(LC_TIME, 0);
  setlocale(LC_TIME, 'C');
  setlocale(LC_TIME, $locale);
  return '';   // the read handler must return the (possibly empty) serialized session data
}

function write($id, $session_data) {
  // Called during request shutdown; this is the path in the backtrace above.
  $locale = setlocale(LC_TIME, 0);
  setlocale(LC_TIME, 'C');
  setlocale(LC_TIME, $locale);
  return true;
}

function destroy($id) {
  $locale = setlocale(LC_TIME, 0);
  setlocale(LC_TIME, 'C');
  setlocale(LC_TIME, $locale);
  return true;
}

function gc($maxlifetime = 300) {
  $locale = setlocale(LC_TIME, 0);
  setlocale(LC_TIME, 'C');
  setlocale(LC_TIME, $locale);
  return true;
}
?>
 [2006-08-28 20:00 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC