Bug #42093 php5ts.dll causes the IIS application pool to crash
Submitted: 2007-07-25 03:40 UTC Modified: 2007-07-26 21:21 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: ailene dot nichol at tandberg dot com Assigned:
Status: Not a bug Package: IIS related
PHP Version: 5.2CVS-2007-07-24 OS: Windows Server 2003 SP2
Private report: No CVE-ID: None
 [2007-07-25 03:40 UTC] ailene dot nichol at tandberg dot com
Description:
------------
I have a script that does digest authentication. The script works as expected and the page will load correctly, but as soon as I run this script, the IIS default application pool will crash when requesting any other page. Occasionally I see in the Event Logs that the application pool crashes with other scripts, but with the digest authentication it is always reproducible.

I have also tried the latest php found in php5.2-win32-200707241230.zip and can still produce the crash.

Reproduce code:
---------------
// This is the guts of the digest authentication code. It is all taken from samples on php.net.

if (isset($headers['AUTHORIZATION']))
{
	if($data = http_digest_parse($headers['AUTHORIZATION']))
	{
		$A1 = md5($user . ':' . $realm . ':' . $pwd);
		$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
		$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);

		if ($data['response'] == $valid_response)
		{
			$_SERVER['AUTH_USER'] = $data['username'];
			return 0;
		}
	}
}

header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');

Actual result:
--------------
FAULTING_IP: 
php5ts!_zend_mm_free_int+66 [Zend\zend_alloc.c @ 1921]
020ea9d6 8a0437          mov     al,byte ptr [edi+esi] 

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 020ea9d6 (php5ts!_zend_mm_free_int+0x00000066)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 06b8d148
Attempt to read from address 06b8d148

DEFAULT_BUCKET_ID:  APPLICATION_FAULT
PROCESS_NAME:  w3wp.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS:  06b8d148 
BUGCHECK_STR:  ACCESS_VIOLATION
LAST_CONTROL_TRANSFER:  from 020ebad9 to 020ea9d6
STACK_TEXT:  
00f7e68c 020ebad9 02edb0b0 02edb168 02196397 php5ts!_zend_mm_free_int+0x66 [Zend\zend_alloc.c @ 1921]
00f7e71c 77f76bfa 77f76c2f 00f7e860 80000000 php5ts!_efree+0x39 [Zend\zend_alloc.c @ 2254]
00f7f90c 10002128 00000000 0105f8b8 5a3211a0 advapi32!LocalBaseRegOpenKey+0xe9
00f7fe04 5a322991 0105f8b8 0105e5f8 0105f248 php5isapi!HttpExtensionProc+0x348 [sapi\isapi\php5isapi.c @ 917]
00f7fe24 5a3968ff 0105f828 10001de0 00f7fe50 w3isapi!ProcessIsapiRequest+0x214
00f7fe58 5a3967e0 00000000 00000000 0105e5f8 w3core!W3_ISAPI_HANDLER::IsapiDoWork+0x3fd
00f7fe78 5a396764 00f7fee8 0105e5f8 00000000 w3core!W3_ISAPI_HANDLER::DoWork+0xb0
00f7fe98 5a3966f4 0105e5f8 00000000 00f7fec4 w3core!W3_HANDLER::MainDoWork+0x16e
00f7fea8 5a3966ae 0105e600 0105e5f8 00000001 w3core!W3_CONTEXT::ExecuteCurrentHandler+0x53
00f7fec4 5a396648 00000001 00f7fee8 0026b480 w3core!W3_CONTEXT::ExecuteHandler+0x51
00f7feec 5a392264 00000000 00000000 00000000 w3core!W3_STATE_HANDLE_REQUEST::DoWork+0x9a
00f7ff10 5a3965ea 00000000 00000000 00000000 w3core!W3_MAIN_CONTEXT::DoWork+0xa6
00f7ff2c 5a36169f 0105db30 0105db30 5a361650 w3core!W3_MAIN_CONTEXT::OnNewRequest+0x55
00f7ff38 5a361650 00268838 00268844 00f7ff5c w3dt!UL_NATIVE_REQUEST::DoStateProcess+0x48
00f7ff48 5a3616ca 000002d4 00000000 0105db34 w3dt!UL_NATIVE_REQUEST::DoWork+0x7f
00f7ff5c 5a3024ce 00000000 000002d4 0105db34 w3dt!OverlappedCompletionRoutine+0x1a
00f7ff8c 5a3026ac 00000000 002688b0 5a300000 w3tp!THREAD_POOL_DATA::ThreadPoolThread+0x73
00f7ffa0 5a301da9 00268838 00000000 00000000 w3tp!THREAD_POOL_DATA::ThreadPoolThread+0x24
00f7ffb8 77e64829 002688b0 00000000 00000000 w3tp!THREAD_MANAGER::ThreadManagerThread+0x39
00f7ffec 00000000 5a301d70 002688b0 00000000 kernel32!BaseThreadStart+0x34

STACK_COMMAND:  ~3s; .ecxr ; kb

FAULTING_THREAD:  00000498

FOLLOWUP_IP: 
php5ts!_zend_mm_free_int+66 [Zend\zend_alloc.c @ 1921]
020ea9d6 8a0437          mov     al,byte ptr [edi+esi]

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  php5ts!_zend_mm_free_int+66
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: php5ts
IMAGE_NAME:  php5ts.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  465ecf7f
FAILURE_BUCKET_ID:  ACCESS_VIOLATION_php5ts!_zend_mm_free_int+66
BUCKET_ID:  ACCESS_VIOLATION_php5ts!_zend_mm_free_int+66
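
Added example, not part of the original report or of PHP's own tooling: a small Python triage helper for the STACK_TEXT above. It parses the kb-style frames, finds the first caller outside the faulting module, and flags adjacent frames whose ChildEBP values are far apart. The function names and the 0x1000-byte threshold are assumptions of this example.

```python
import re
from collections import namedtuple

Frame = namedtuple("Frame", "child_ebp module symbol offset source line")

# WinDbg "kb" layout: ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol+0xOFF [file @ line]
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) [0-9a-f]{8} (?:[0-9a-f]{8} ){3}"
    r"(\w+)!([\w:]+)\+0x([0-9a-f]+)(?: \[(.+?) @ (\d+)\])?$"
)

# First five STACK_TEXT frames, copied from the report above.
STACK_TEXT = r"""
00f7e68c 020ebad9 02edb0b0 02edb168 02196397 php5ts!_zend_mm_free_int+0x66 [Zend\zend_alloc.c @ 1921]
00f7e71c 77f76bfa 77f76c2f 00f7e860 80000000 php5ts!_efree+0x39 [Zend\zend_alloc.c @ 2254]
00f7f90c 10002128 00000000 0105f8b8 5a3211a0 advapi32!LocalBaseRegOpenKey+0xe9
00f7fe04 5a322991 0105f8b8 0105e5f8 0105f248 php5isapi!HttpExtensionProc+0x348 [sapi\isapi\php5isapi.c @ 917]
00f7fe24 5a3968ff 0105f828 10001de0 00f7fe50 w3isapi!ProcessIsapiRequest+0x214
"""

def parse_stack(text):
    """Return the frames of a kb-style stack listing, innermost first."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            ebp, module, symbol, off, src, line = m.groups()
            frames.append(Frame(int(ebp, 16), module, symbol, int(off, 16),
                                src, int(line) if line else None))
    return frames

def first_caller_outside(frames):
    """First frame whose module differs from the faulting frame's module."""
    faulting = frames[0].module
    return next((f for f in frames if f.module != faulting), None)

def stack_gaps(frames, threshold=0x1000):
    """Adjacent frame pairs whose ChildEBP values differ by more than threshold.
    Heuristic (assumption of this example): a large gap suggests the unwinder
    skipped frames, so the caller it lists there deserves a second look."""
    return [(a, b, b.child_ebp - a.child_ebp)
            for a, b in zip(frames, frames[1:])
            if b.child_ebp - a.child_ebp > threshold]

if __name__ == "__main__":
    frames = parse_stack(STACK_TEXT)
    f = frames[0]
    print(f"faulting frame: {f.module}!{f.symbol}+{f.offset:#x} ({f.source} @ {f.line})")
    for a, b, gap in stack_gaps(frames):
        print(f"{gap:#x} bytes between {a.module}!{a.symbol} and {b.module}!{b.symbol}")
```

On this trace the only flagged pair is `_efree` and `advapi32!LocalBaseRegOpenKey`, which is where PHP-level callers would be expected before `php5isapi!HttpExtensionProc`.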


 [2007-07-26 09:51 UTC] jani@php.net
We are aware of PHP's problems with stability under IIS and are working
to rectify the problem. Unfortunately your bug report does not contain any
extra useful information and we already have enough bug reports open about
this issue. If you can provide more detailed information such as a
reproducible crash or a backtrace please do so and reopen this bug.
Otherwise please keep trying new releases as we are working to resolve
the problems on this platform.
 
Thanks for your interest in PHP.


 [2007-07-26 21:21 UTC] ailene dot nichol at tandberg dot com
Thank you for your reply. If there is anything I can do to give you more information, please let me know.
 
Last updated: Fri Apr 19 19:01:28 2024 UTC