Bug #43150 stack overflow in php5ts.dll
Submitted: 2007-10-30 19:56 UTC Modified: 2007-11-08 01:00 UTC
Avg. Score: 4.8 ± 0.4
Reproduced: 4 of 4 (100.0%)
Same Version: 2 (50.0%)
Same OS: 3 (75.0%)
From: jeff dot orrok at reedbusiness dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.4 OS: windows xp sp2
Private report: No CVE-ID: None
 [2007-10-30 19:56 UTC] jeff dot orrok at reedbusiness dot com
Invoking a non-existent method on a SOAP service crashes apache.  Although PEAR's SOAP module is involved in the problem, I thought y'all should know about it in case there was something you could do to make your code more robust.

[Tue Oct 30 11:58:42 2007] [notice] Parent: child process exited with status 3221225477 -- Restarting.

Analysis Summary from Debug Diagnostic Tool:
In httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!xbuf_format_converter+5b in C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x01b82ffc on thread 15

Reproduce code:
This is merely to demonstrate what I'm doing.  I was hoping it might be reproducible with any kind of "hello world" service.  I am behind on my deadline and need to get caught up before I can spend a lot of time on this.  I will try to pare down the amount of code to the smallest necessary to reproduce, if it turns out to be a very specific circumstance.

<?php
require_once ('SOAP/Client.php'); // pear soap-0.11.0
define('RBI_COMMON_AUTH_WS_URL', 'http://localhost/WebServices/AuthenticationWS/service.php?wsdl');
define('RBICA_APP', 'BLOG');
define('RBICA_APP_TOKEN_ID', 'PLACEHOLDER_TOKEN'); // real value not given in the report; placeholder so the snippet runs
$wsdl_ca = new SOAP_WSDL (RBI_COMMON_AUTH_WS_URL,array('timeout' => 30));
$client_ca = $wsdl_ca->getProxy();
$wpUserId = $login->ID; // $login is assumed to be the logged-in WordPress user object
$result = $client_ca->GetMasterID(RBICA_APP_TOKEN_ID, RBICA_APP, (integer)$wpUserId);  // GetMasterID happens to not exist in the current version of the service.
?>

Expected result:
(be automatically logged in to WordPress via our in-house common authentication service)

Actual result:
Report for httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
Type of Analysis Performed   Crash Analysis 
Machine Name   HRAORROCKJ1D 
Operating System   Windows XP Service Pack 2 
Number Of Processors   2 
Process ID   5256 
Process Image   C:\wamp\Apache2\bin\httpd.exe 
System Up-Time   10 day(s) 08:39:57 
Process Up-Time   00:03:23 

Thread 15 - System ID 784
Entry point   msvcrt!_endthreadex+3a 
Create time   10/29/2007 7:02:35 PM 
Time spent in user mode   0 Days 0:0:0.500 
Time spent in kernel mode   0 Days 0:0:0.62 

Function     Arg 1     Arg 2     Arg 3   Source 
php5ts!xbuf_format_converter+5b     01b83280     00a359ac     01b8332c    
php5ts!vspprintf+29     01b832b8     00000400     00a359ac    
php5ts!php_error_cb+3a     00000800     07da1180     0000015f    
php5ts!zend_error+43e     00000800     00a359ac     0079ca49    
php5ts!zif_is_a+f     00000002     08f9a0f0     00000000    
php5ts!zend_do_fcall_common_helper_SPEC+7d9     01b833b8     05cab000     07dd7fd8    
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5     00000000     05cab000     08f96944    
php5ts!execute+1c5     07d95490     05cab000     05cab000    
php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b83460     05cab000     0079c1e5    
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b83460     05cab000     08f94b84    
php5ts!execute+1c5     07dcf3e8     05cab000     05cab000 

... followed by hundreds of lines similar to the following:

php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b835b0     05cab000     0079c1e5    
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b835b0     05cab000     08f8ea8c    
php5ts!execute+1c5     07dcf3e8     05cab000     05cab000    

... followed by:

php5ts!zend_do_fcall_common_helper_SPEC+8f8     01bbfbb0     05cab000     0079c1e5    
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01bbfbb0     05cab000     05cab000    
php5ts!execute+1c5     07d7e2e0     05cab000     00000000    
php5ts!zend_execute_scripts+107     00000008     05cab000     00000000    
php5ts!php_execute_script+20d     01bbfea0     05cab000     00000005    
php5apache2_2!php_handler+5cd     05d40e70     0074c4c0     05d40e70    
libhttpd!ap_run_handler+21     05d40e70     05d40e70     05d40e70    
libhttpd!ap_invoke_handler+ae     00000000     05d3e128     01bbff38    
libhttpd!ap_die+24e     05d40e70     00000000     0068e510    
libhttpd!ap_get_request_note+1c6c     05d3e128     05d3e128     05d3e128    
libhttpd!ap_run_process_connection+21     05d3e128     00716300     01bbff80    
libhttpd!ap_process_connection+33     05d3e128     05cb9050     00000000    
libhttpd!ap_regkey_value_remove+c0c     05d3e120     00000000     00e10050    
msvcrt!_endthreadex+a9     01018b08     00000000     00e10050    
kernel32!BaseThreadStart+37     77c3a341     01018b08     00000000    

PHP5TS!XBUF_FORMAT_CONVERTER+5B
In httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!xbuf_format_converter+5b in C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x01b82ffc on thread 15

Module Information 
Image Name: C:\wamp\Apache2\bin\php5ts.dll   Symbol Type:  PDB 
Base address: 0x00780000   Time Stamp:  Thu Aug 30 05:06:12 2007  
Checksum: 0x00000000   Comments:   
COM DLL: False   Company Name:  The PHP Group 
ISAPIExtension: False   File Description:  PHP Script Interpreter 
ISAPIFilter: False   File Version: 
Managed DLL: False   Internal Name:  php5ts.dll 
VB DLL: False   Legal Copyright:  Copyright © 1997-2007 The PHP Group 
Loaded Image Name:  php5ts.dll   Legal Trademarks:  PHP 
Mapped Image Name:  C:\wamp\Apache2\bin\php5ts.dll   Original filename:  php5ts.dll 
Module name:  php5ts   Private Build:   
Single Threaded:  False   Product Name:  PHP Script Interpreter 
Module Size:  4.86 MBytes   Product Version:  5.2.4 
Symbol File Name:  C:\xampp\php\debug\php5ts.pdb   Special Build:   
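Added triage helper, not part of this report or of PHP: it parses frame lines in the DebugDiag layout used above and reports the run of frames that repeats back to back, which is how the "hundreds of lines" of execute/fcall frames read as unbounded recursion in script code rather than a fault in the formatter where the write finally failed. The sample trace is constructed from the frames quoted above, with the repeated cycle cut down to six copies.

```python
"""Triage helper (added example, not from the report): parse DebugDiag-style
"module!function+offset  arg1 arg2 arg3" frames and detect a short cycle of
frames repeating back to back, the signature of unbounded recursion."""
import re

# Constructed from the frames quoted in the report; the cycle that the report
# says runs for "hundreds of lines" is shortened to six copies.
SAMPLE_TRACE = (
    "php5ts!xbuf_format_converter+5b     01b83280     00a359ac     01b8332c\n"
    "php5ts!vspprintf+29     01b832b8     00000400     00a359ac\n"
    "php5ts!php_error_cb+3a     00000800     07da1180     0000015f\n"
    "php5ts!zend_error+43e     00000800     00a359ac     0079ca49\n"
    "php5ts!zif_is_a+f     00000002     08f9a0f0     00000000\n"
    + (
        "php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b835b0     05cab000     0079c1e5\n"
        "php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b835b0     05cab000     08f8ea8c\n"
        "php5ts!execute+1c5     07dcf3e8     05cab000     05cab000\n"
    ) * 6
    + "php5ts!zend_execute_scripts+107     00000008     05cab000     00000000\n"
    "php5apache2_2!php_handler+5cd     05d40e70     0074c4c0     05d40e70\n"
)

# module!function+hexoffset, then zero or more 8-digit hex argument columns
FRAME_RE = re.compile(r"^(\S+!\S+?)\+[0-9a-f]+(?:\s+[0-9a-f]{8})*\s*$")


def parse_frames(text):
    """Return module!function names, top of stack first, offsets dropped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.group(1))
    return frames


def find_recursion(frames, min_repeats=3, max_cycle=8):
    """Cycle of <= max_cycle frames repeated >= min_repeats times in a row that
    covers the most stack. Returns (cycle, repeats, start_index) or None."""
    best = None
    for start in range(len(frames)):
        for length in range(1, max_cycle + 1):
            cycle = frames[start:start + length]
            if len(cycle) < length:
                break
            reps = 1
            while frames[start + reps * length:start + (reps + 1) * length] == cycle:
                reps += 1
            if reps >= min_repeats and (best is None or reps * length > best[1] * len(best[0])):
                best = (tuple(cycle), reps, start)
    return best
```

On the full dump the repeat count would be in the hundreds, and the frames above the cycle (zend_error, php_error_cb, vspprintf) show that the stack had already been spent on the recursion before the error message was being formatted.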


 [2007-10-31 10:13 UTC]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

 [2007-11-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
