Bug #43150 stack overflow in php5ts.dll
Submitted: 2007-10-30 19:56 UTC Modified: 2007-11-08 01:00 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:3 (75.0%)
From: jeff dot orrok at reedbusiness dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.2.4 OS: windows xp sp2
Private report: No CVE-ID: None
 [2007-10-30 19:56 UTC] jeff dot orrok at reedbusiness dot com
Description:
------------
Invoking a non-existent method on a SOAP service crashes apache.  Although PEAR's SOAP module is involved in the problem, I thought y'all should know about it in case there was something you could do to make your code more robust.

C:\wamp\logs\apache_error.log:
[Tue Oct 30 11:58:42 2007] [notice] Parent: child process exited with status 3221225477 -- Restarting.

Analysis Summary from Debug Diagnostic Tool:
In httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!xbuf_format_converter+5b in C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x01b82ffc on thread 15



Reproduce code:
---------------
This is merely to demonstrate what I'm doing.  I was hoping it might be reproducible with any kind of "hello world" service.  I am behind on my deadline and need to get caught up before I can spend a lot of time on this.  I will try to pare down the amount of code to the smallest necessary to reproduce, if it turns out to be a very specific circumstance.

require_once ('SOAP/Client.php'); // pear soap-0.11.0
define('RBI_COMMON_AUTH_WS_URL', 'http://localhost/WebServices/AuthenticationWS/service.php?wsdl');
define('RBICA_APP', 'BLOG');
define('RBICA_APP_TOKEN_ID', 'PERM_BLOG');
$wsdl_ca = new SOAP_WSDL (RBI_COMMON_AUTH_WS_URL,array('timeout' => 30));
$client_ca = $wsdl_ca->getProxy();
$wpUserId = $login->ID;
$result = $client_ca->GetMasterID(RBICA_APP_TOKEN_ID, RBICA_APP, (integer)$wpUserId);  // GetMasterID happens to not exist in the current version of the service.


Expected result:
----------------
(be automatically logged in to WordPress via our in-house common authentication service)

Actual result:
--------------
Report for httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
Type of Analysis Performed   Crash Analysis 
Machine Name   HRAORROCKJ1D 
Operating System   Windows XP Service Pack 2 
Number Of Processors   2 
Process ID   5256 
Process Image   C:\wamp\Apache2\bin\httpd.exe 
System Up-Time   10 day(s) 08:39:57 
Process Up-Time   00:03:23 

Thread 15 - System ID 784
Entry point   msvcrt!_endthreadex+3a 
Create time   10/29/2007 7:02:35 PM 
Time spent in user mode   0 Days 0:0:0.500 
Time spent in kernel mode   0 Days 0:0:0.62 

Function     Arg 1     Arg 2     Arg 3   Source 
php5ts!xbuf_format_converter+5b     01b83280     00a359ac     01b8332c    
php5ts!vspprintf+29     01b832b8     00000400     00a359ac    
php5ts!php_error_cb+3a     00000800     07da1180     0000015f    
php5ts!zend_error+43e     00000800     00a359ac     0079ca49    
php5ts!zif_is_a+f     00000002     08f9a0f0     00000000    
php5ts!zend_do_fcall_common_helper_SPEC+7d9     01b833b8     05cab000     07dd7fd8    
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5     00000000     05cab000     08f96944    
php5ts!execute+1c5     07d95490     05cab000     05cab000    
php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b83460     05cab000     0079c1e5    
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b83460     05cab000     08f94b84    
php5ts!execute+1c5     07dcf3e8     05cab000     05cab000 

... followed by hundreds of lines similar to the following:

php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b835b0     05cab000     0079c1e5    
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b835b0     05cab000     08f8ea8c    
php5ts!execute+1c5     07dcf3e8     05cab000     05cab000    

... followed by:

php5ts!zend_do_fcall_common_helper_SPEC+8f8     01bbfbb0     05cab000     0079c1e5    
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01bbfbb0     05cab000     05cab000    
php5ts!execute+1c5     07d7e2e0     05cab000     00000000    
php5ts!zend_execute_scripts+107     00000008     05cab000     00000000    
php5ts!php_execute_script+20d     01bbfea0     05cab000     00000005    
php5apache2_2!php_handler+5cd     05d40e70     0074c4c0     05d40e70    
libhttpd!ap_run_handler+21     05d40e70     05d40e70     05d40e70    
libhttpd!ap_invoke_handler+ae     00000000     05d3e128     01bbff38    
libhttpd!ap_die+24e     05d40e70     00000000     0068e510    
libhttpd!ap_get_request_note+1c6c     05d3e128     05d3e128     05d3e128    
libhttpd!ap_run_process_connection+21     05d3e128     00716300     01bbff80    
libhttpd!ap_process_connection+33     05d3e128     05cb9050     00000000    
libhttpd!ap_regkey_value_remove+c0c     05d3e120     00000000     00e10050    
msvcrt!_endthreadex+a9     01018b08     00000000     00e10050    
kernel32!BaseThreadStart+37     77c3a341     01018b08     00000000    

PHP5TS!XBUF_FORMAT_CONVERTER+5B
In httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!xbuf_format_converter+5b in C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x01b82ffc on thread 15

Module Information 
Image Name: C:\wamp\Apache2\bin\php5ts.dll   Symbol Type:  PDB 
Base address: 0x00780000   Time Stamp:  Thu Aug 30 05:06:12 2007  
Checksum: 0x00000000   Comments:   
COM DLL: False   Company Name:  The PHP Group 
ISAPIExtension: False   File Description:  PHP Script Interpreter 
ISAPIFilter: False   File Version:  5.2.4.4 
Managed DLL: False   Internal Name:  php5ts.dll 
VB DLL: False   Legal Copyright:  Copyright ? 1997-2007 The PHP Group 
Loaded Image Name:  php5ts.dll   Legal Trademarks:  PHP 
Mapped Image Name:  C:\wamp\Apache2\bin\php5ts.dll   Original filename:  php5ts.dll 
Module name:  php5ts   Private Build:   
Single Threaded:  False   Product Name:  PHP Script Interpreter 
Module Size:  4.86 MBytes   Product Version:  5.2.4 
Symbol File Name:  C:\xampp\php\debug\php5ts.pdb   Special Build:  & 
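
Added triage example (not part of the original report and not PHP project code): the trace above elides "hundreds of lines" of the same three frames, and this Python script finds such a repeating cycle in a Debug Diagnostic Tool trace and separates it from the frames above it. The function names and the repeat count of 200 are assumptions; the frame names and offsets are copied from the report.

```python
import re
# A frame line in the Debug Diagnostic Tool report: "module!function+hexoffset ..."
FRAME_RE = re.compile(r"^([\w.]+)!(\w+)\+([0-9a-fA-F]+)\b")

def parse_frames(text):
    """Return [(module, function, offset)] for every frame line, top of stack first."""
    found = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2], int(m[3], 16)) for m in found if m]

def find_recursion_cycle(frames, min_repeats=3, max_period=8):
    """Longest run where frame k equals frame k-period: (start, period, repeats) or None."""
    best, n = None, len(frames)
    for period in range(1, max_period + 1):
        i = 0
        while i + period <= n:
            j = i + period
            while j < n and frames[j] == frames[j - period]:
                j += 1
            repeats = (j - i) // period
            if repeats >= min_repeats and (best is None or repeats * period > best[1] * best[2]):
                best = (i, period, repeats)
            i = j - period + 1 if j > i + period else i + 1
    return best

def summarize(text):
    """Split a trace into the frames above the cycle and the repeating cycle itself."""
    frames = parse_frames(text)
    cycle = find_recursion_cycle(frames)
    if cycle is None:
        return None
    start, period, repeats = cycle
    name = lambda f: "%s!%s+%x" % f
    return {"total_frames": len(frames), "cycle_start": start, "repeats": repeats,
            "cycle": [name(f) for f in frames[start:start + period]],
            "above_cycle": [name(f) for f in frames[:start]]}

# Constructed sample: frame names and offsets are copied from the report above;
# the repeat count of 200 is an assumption standing in for "hundreds of lines".
HEAD = ("php5ts!xbuf_format_converter+5b\nphp5ts!vspprintf+29\nphp5ts!php_error_cb+3a\n"
        "php5ts!zend_error+43e\nphp5ts!zif_is_a+f\nphp5ts!zend_do_fcall_common_helper_SPEC+7d9\n"
        "php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5\nphp5ts!execute+1c5\n")
LOOP = ("php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b835b0     05cab000     0079c1e5\n"
        "php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b835b0     05cab000     08f8ea8c\n"
        "php5ts!execute+1c5     07dcf3e8     05cab000     05cab000\n")
TAIL = "php5ts!zend_execute_scripts+107\nphp5ts!php_execute_script+20d\nphp5apache2_2!php_handler+5cd\n"
SAMPLE = HEAD + LOOP * 200 + TAIL
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The reported cycle begins at the `execute+1c5` frame just above the first repeated triple, because that frame already matches the pattern; the frames listed in `above_cycle` are the calls that were running when the stack ran out.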


 [2007-10-31 10:13 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2007-11-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 