PHP :: Bug #50902 :: Segfault if date.timezone is not set and error

Bug #50902

Segfault if date.timezone is not set and error_log is defined

Submitted:

2010-02-01 23:17 UTC

Modified:

2011-12-06 04:15 UTC

Votes:	9
Avg. Score:	4.9 ± 0.3
Reproduced:	8 of 8 (100.0%)
Same Version:	7 (87.5%)
Same OS:	6 (75.0%)

From:

william at therileys dot freetcp dot com

Assigned:

derick (profile)

Status:

Closed

Package:

SOAP related

PHP Version:

5.*, 6

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2010-02-01 23:17 UTC] william at therileys dot freetcp dot com

Description:
------------
When creating a new SoapClient PHP will segfault if the client is 
unreachable or returns a 404. This behavior appears to be "fixed" if 
date.timezone is defined in php.ini or if error_log is not set 
(regardless of whether log_errors is on or off).

Reproduce code:
---------------
try
{
    $client = new SoapClient("http://1.2.3.4/wsdl");
}
catch(Exception $e)
{
    echo "\n\nNO SEG FAULT!\n\n";
}

Expected result:
----------------
See 'NO SEG FAULT' printed to screen

Actual result:
--------------
Segmentation fault

#0  0x0837ed83 in zend_object_store_get_object (zobject=0x0, 
tsrm_ls=0x0) at /usr/src/redhat/BUILD/php-
5.2.12/Zend/zend_objects_API.c:261
#1  0x0837e419 in zend_std_object_get_class (object=0xb7ec6eb8, 
tsrm_ls=0x8bdb050) at /usr/src/redhat/BUILD/php-
5.2.12/Zend/zend_object_handlers.c:1088
#2  0x08228c2b in soap_error_handler (error_num=2048, 
error_filename=0xb7ec746c "Command line code", error_lineno=1, 
format=0x8677f27 "%s", args=0xbff9b038 "@\214??xc?\b\t")
    at /usr/src/redhat/BUILD/php-5.2.12/ext/soap/soap.c:2117
#3  0x0836484a in zend_error (type=2048, format=0x8677f27 "%s") at 
/usr/src/redhat/BUILD/php-5.2.12/Zend/zend.c:976
#4  0x0832316e in php_verror (docref=0xb7ec7d40 "\220}
??client.soapclient", params=0x8663415 "", type=2048,
    format=0x8447b50 "It is not safe to rely on the system's timezone 
settings. Please use the date.timezone setting, the TZ environment 
variable or the date_default_timezone_set() function. In case you used 
any of those m"..., args=0xbff9b0d0 "?\212D\b\030\f?\b", 
tsrm_ls=0x8bdb050) at /usr/src/redhat/BUILD/php-5.2.12/main/main.c:733
#5  0x08323548 in php_error_docref0 (docref=0x0, tsrm_ls=0x8bdb050, 
type=2048,
    format=0x8447b50 "It is not safe to rely on the system's timezone 
settings. Please use the date.timezone setting, the TZ environment 
variable or the date_default_timezone_set() function. In case you used 
any of those m"...) at /usr/src/redhat/BUILD/php-
5.2.12/main/main.c:745
#6  0x080c7385 in guess_timezone (tzdb=Variable "tzdb" is not 
available.
) at /usr/src/redhat/BUILD/php-5.2.12/ext/date/php_date.c:627
#7  0x080c7524 in get_timezone_info (tsrm_ls=0x8bdb050) at 
/usr/src/redhat/BUILD/php-5.2.12/ext/date/php_date.c:684
#8  0x080c80e5 in php_format_date (format=0x8677e3b "d-M-Y H:i:s", 
format_len=11, ts=1265064008, localtime=1, tsrm_ls=0x8bdb050) at 
/usr/src/redhat/BUILD/php-5.2.12/ext/date/php_date.c:934
#9  0x08322ea8 in php_log_err (
    log_message=0xb7ec8950 "PHP Fatal error:  SOAP-ERROR: Parsing 
WSDL: Couldn't load from 'http://1.2.3.4/wsdl' : failed to load 
external entity \"http://1.2.3.4/wsdl\"\n in Command line code on line 
1",
    tsrm_ls=0x8bdb050) at /usr/src/redhat/BUILD/php-
5.2.12/main/main.c:516
#10 0x08323b75 in php_error_cb (type=1, error_filename=0xb7ec746c 
"Command line code", error_lineno=1, format=0x865af24 "SOAP-ERROR: 
Parsing WSDL: Couldn't load from '%s' : %s",
    args=0xbff9b808 "?x?????\b?y???x??\024") at 
/usr/src/redhat/BUILD/php-5.2.12/main/main.c:919
#11 0x08229254 in soap_error_handler (error_num=1, 
error_filename=0xb7ec746c "Command line code", error_lineno=1, 
format=0x865af24 "SOAP-ERROR: Parsing WSDL: Couldn't load from '%s' : 
%s",
    args=0xbff9b808 "?x?????\b?y???x??\024") at 
/usr/src/redhat/BUILD/php-5.2.12/ext/soap/soap.c:2170
#12 0x0836484a in zend_error (type=1, format=0x865af24 "SOAP-ERROR: 
Parsing WSDL: Couldn't load from '%s' : %s") at 
/usr/src/redhat/BUILD/php-5.2.12/Zend/zend.c:976
#13 0x08249a5d in load_wsdl_ex (this_ptr=0xb7ec6eb8, struri=0xb7ec78d8 
"http://1.2.3.4/wsdl", ctx=0xbff9b9d0, include=0, tsrm_ls=0x8bdb050) 
at /usr/src/redhat/BUILD/php-5.2.12/ext/soap/php_sdl.c:307
#14 0x08254c7a in get_sdl (this_ptr=0xb7ec6eb8, uri=0xb7ec78d8 
"http://1.2.3.4/wsdl", cache_wsdl=Variable "cache_wsdl" is not 
available.
) at /usr/src/redhat/BUILD/php-5.2.12/ext/soap/php_sdl.c:713
#15 0x082242e2 in zim_SoapClient_SoapClient (ht=1, 
return_value=0xb7ec6ea0, return_value_ptr=0x0, this_ptr=0xb7ec6eb8, 
return_value_used=0, tsrm_ls=0x8bdb050)
    at /usr/src/redhat/BUILD/php-5.2.12/ext/soap/soap.c:2505
#16 0x08381c06 in zend_do_fcall_common_helper_SPEC 
(execute_data=0xbff9cdf0, tsrm_ls=0x8bdb050) at 
/usr/src/redhat/BUILD/php-5.2.12/Zend/zend_vm_execute.h:200
#17 0x08381221 in execute (op_array=0xb7ec7360, tsrm_ls=0x8bdb050) at 
/usr/src/redhat/BUILD/php-5.2.12/Zend/zend_vm_execute.h:92
#18 0x08358fed in zend_eval_string (str=0xbffceb91 "try { $client = 
new SoapClient(\"http://1.2.3.4/wsdl\"); } catch(Exception $e){ echo 
\"\\n\\nNO SEG FAULT!\\n\\n\"; }", retval_ptr=0x0,
    string_name=0x869af27 "Command line code", tsrm_ls=0x8bdb050) at 
/usr/src/redhat/BUILD/php-5.2.12/Zend/zend_execute_API.c:1222
#19 0x0835918f in zend_eval_string_ex (str=0xbffceb91 "try { $client = 
new SoapClient(\"http://1.2.3.4/wsdl\"); } catch(Exception $e){ echo 
\"\\n\\nNO SEG FAULT!\\n\\n\"; }", retval_ptr=0x0,
    string_name=0x869af27 "Command line code", handle_exceptions=1, 
tsrm_ls=0x8bdb050) at /usr/src/redhat/BUILD/php-
5.2.12/Zend/zend_execute_API.c:1257
#20 0x083d6d39 in main (argc=3, argv=0xbff9d224) at 
/usr/src/redhat/BUILD/php-5.2.12/sapi/cli/php_cli.c:1254

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-02-01 23:18 UTC] william at therileys dot freetcp dot com

php.ini below

[PHP]
expose_php=Off
safe_mode = Off
memory_limit = 128M
short_open_tag = On
soap.wsdl_cache_enabled=0

upload_max_filesize = 10M
post_max_size = 10M

display_errors=Off
log_errors=On
error_log=/var/log/php.log

include_path = 
".:/php/include:/usr/local/include/php/include:/usr/local/lib/php"
extension_dir = "/usr/local/lib/php/extensions"

[2010-02-02 08:43 UTC] jani@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

[2010-02-02 17:59 UTC] william at therileys dot freetcp dot com

Same behavior with php5.2-201002021330 from 
http://snaps.php.net/php5.2-latest.tar.gz

I tried to paste in the back trace but I get "Please do not SPAM our bug 
system."

[2010-02-03 00:42 UTC] derick@php.net

Please put it on pastebin.com and provide a link then.

[2010-02-03 21:31 UTC] william at therileys dot freetcp dot com

It is essentially the same back trace. Full content here: http://pastebin.com/f47226472

[2010-02-03 22:00 UTC] jani@php.net

That was not the backtrace of the build with the snapshot. Please, provide the correct backtrace.

[2010-02-03 22:23 UTC] william at therileys dot freetcp dot com

I did another back trace just to verify the correct php version was 
being used and with the source code in place on the system on which I 
ran gdb.

Please note that the back trace will say 5.2.12 (even though this is the 
snapshot) because I used that directory name so I did not have to 
rewrite the spec file to build an RPM.

http://pastebin.com/f19f1446a

$ /usr/local/bin/php --version
PHP 5.2.13RC1-dev (cli) (built: Feb  2 2010 10:17:42)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

[2010-02-03 22:33 UTC] jani@php.net

The shortest way to reproduce:

# php -n -dlog_errors=on -derror_log=./foo \
 -r 'new SoapClient("http://localhost/wsdl");

[2010-02-03 23:19 UTC] jani@php.net

This is bug in SOAP extension which has a funky error handler defined.

[2010-03-31 12:25 UTC] derick@php.net

-Assigned To: dmitry +Assigned To: derick

[2011-02-24 13:48 UTC] indeyets@php.net

(copypaste from #54087, which is marked as duplicate of this bug)

Description:
------------
In case there is some problem with extension loaded from php.ini (shared 
dependency not available), php segfaults while trying to show error.

it happens in debug+zts mode at least.

Debugger output:


(lldb) run
Process 23067 launched: '/opt/php53/bin/php' (x86_64)
(lldb) Process 23067 stopped
* thread #1: tid = 0x2d03, 0x00000001000097f0 php`guess_timezone + 48 at 
php_date.c:843, stop reason = EXC_BAD_ACCESS (code=13, address=0x0)
 840   		char *env;
 841   	
 842   		/* Checking configure timezone */
 843 ->		if (DATEG(timezone) && (strlen(DATEG(timezone)) > 0)) {
 844   			return DATEG(timezone);
 845   		}
 846   		/* Check environment variable */
(lldb) frame s 3
frame #3: 0x000000010053edb1 php`php_log_err + 369 at main.c:585
 582   				char *error_time_str;
 583   	
 584   				time(&error_time);
 585 ->				error_time_str = php_format_date("d-M-Y H:i:s", 
11, error_time, 1 TSRMLS_CC);
 586   				len = spprintf(&tmp, 0, "[%s] %s%s", 
error_time_str, log_message, PHP_EOL);
 587   	#ifdef PHP_WIN32
 588   				php_flock(fd, 2);
(lldb) print log_message
(char *) log_message = 0x0000000101807a50 "PHP Warning:  PHP Startup: Unable to 
load dynamic library '/opt/php53/lib/php/extensions/debug-zts-
20090626/gobject.so' - dlopen(/opt/php53/lib/php/extensions/debug-zts-
20090626/gobject.so, 9): Library not loaded: /opt/homebrew/Cellar/gobject-
introspection/0.10.2/lib/libgirepository-1.0.1.dylib\n  Referenced from: 
/opt/php53/lib/php/extensions/debug-zts-20090626/gobject.so\n  Reason: image not 
found in Unknown on line 0"
(lldb) bt
thread #1: tid = 0x2d03, stop reason = EXC_BAD_ACCESS (code=13, address=0x0)
  frame #0: 0x00000001000097f0 php`guess_timezone + 48 at php_date.c:843
  frame #1: 0x0000000100009c69 php`get_timezone_info + 89 at php_date.c:940
  frame #2: 0x000000010000a05b php`php_format_date + 59 at php_date.c:1190
  frame #3: 0x000000010053edb1 php`php_log_err + 369 at main.c:585
  frame #4: 0x0000000100543b76 php`php_error_cb + 2342 at main.c:1003
  frame #5: 0x00000001005f6da3 php`zend_error + 1139 at zend.c:1020
  frame #6: 0x000000010053fdb5 php`php_verror + 3301 at main.c:807
  frame #7: 0x000000010053ff9c php`php_error_docref0 + 364 at main.c:819
  frame #8: 0x000000010040d031 php`php_load_extension + 561 at dl.c:158
  frame #9: 0x0000000100554d32 php`php_load_php_extension_cb + 50 at 
php_ini.c:351
  frame #10: 0x00000001005e8661 php`zend_llist_apply + 65 at zend_llist.c:193
  frame #11: 0x0000000100554cb7 php`php_ini_register_extensions + 87 at 
php_ini.c:751
  frame #12: 0x0000000100542f89 php`php_module_startup + 3529 at main.c:2029
  frame #13: 0x000000010071b944 php`php_cli_startup + 36 at php_cli.c:402
  frame #14: 0x000000010071895f php`main + 2575 at php_cli.c:776
  frame #15: 0x0000000100000c64 php`start + 52
(lldb) 


Expected result:
----------------
Error is displayed

Actual result:
--------------
Segfaul

[2011-12-06 04:15 UTC] derick@php.net

-Status: Assigned +Status: Closed

[2011-12-06 04:15 UTC] derick@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I've fixed this about a week ago.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 12:01:31 2024 UTC