Bug #51588 calling zend_parse_ini_string/file recursively core dump
Submitted: 2010-04-18 12:28 UTC Modified: 2013-02-18 00:34 UTC
From: Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.2 OS: any
Private report: No CVE-ID: None

 [2010-04-18 12:28 UTC]
When zend_parse_ini_string or zend_parse_ini_file is called recursively, it
crashes. The lexical state variable is global; calling those functions recursively
overwrites the previous version and crashes at liberation/destruction.

To prevent this behaviour, the following patch makes zend_parse_ini_string or
zend_parse_ini_file return an error when called recursively.

Test script:
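void fpm_conf_ini_load_file(char *filename);

/* INI parser callback: arg1 is the entry key, arg2 its value */
static void fpm_conf_ini_parser(zval *arg1, zval *arg2, zval *arg3,
 int callback_type, void *arg TSRMLS_DC) {
 if (!arg1) return;
 if (callback_type != ZEND_INI_PARSER_ENTRY) return;
 if (!strcmp(Z_STRVAL_P(arg1), "include") && arg2) {
  /* The rest of this handler is cut off in the report. Per the
     description and backtrace, it re-enters the parser here. */
  fpm_conf_ini_load_file(Z_STRVAL_P(arg2));
 }
}

void fpm_conf_ini_load_file(char *filename) {
 zend_file_handle fh;

 fh.type = ZEND_HANDLE_FP; /* handle.fp is the member in use */
 fh.handle.fp = VCWD_FOPEN(filename, "r");
 fh.opened_path = NULL;
 fh.free_filename = 0;
 fh.filename = filename;

 /* Reached again from fpm_conf_ini_parser while this parse is still active */
 zend_parse_ini_file(&fh, 1, ZEND_INI_SCANNER_RAW,
  (zend_ini_parser_cb_t)fpm_conf_ini_parser, NULL TSRMLS_CC);
}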

Expected result:
it doesn't crash, it works or returns an error

Actual result:
core dump

#0  _zend_mm_free_int (heap=0x8271c000, p=0x8271c000) at /LIBRE/dev/php-
#1  0x1c23154a in _efree (ptr=0x7d3fe1f8) at /LIBRE/dev/php-
#2  0x1c245b5b in zend_stack_destroy (stack=0x3c2c2804) at /LIBRE/dev/php-
#3  0x1c22bd1c in shutdown_ini_scanner () at zend_ini_scanner.l:201
#4  0x1c22b035 in zend_parse_ini_file (fh=0xcfbd3c70, unbuffered_errors=1 
'\001', scanner_mode=0, ini_parser_cb=0x8271c000, arg=0x8271c000) at 
#5  0x1c2aefa8 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-
5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:739
#6  0x1c2af002 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-
5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:751
#7  0x1c2ad489 in fpm_init (argc=-2106474496, argv=0x8271c000, config=0x8271c000 
"\001", base=0x3c2bf81c) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm.c:32
#8  0x1c2b14ff in main (argc=3, argv=0xcfbd5eac) at /LIBRE/dev/php-


zend_ini_parser.y.patch (last revision 2010-04-18 10:29 UTC by
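
The approach the report describes (refuse a nested call instead of letting it overwrite the global scanner state), shown as an added example. It is not the attached patch, whose contents do not appear on this page, and not PHP source; the toy key=value parser, the `scanner` struct and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PARSE_OK 0
#define PARSE_FAILURE (-1)

typedef void (*entry_cb)(const char *key, const char *value, void *arg);

/* One global scanner state, standing in for the parser's global lexical state. */
static struct { const char *cursor; int active; } scanner;

/* Parses "key=value" lines. Without the guard, a nested call would reset
   scanner.cursor and the outer parse would resume from the wrong place. */
int parse_ini_string(const char *text, entry_cb cb, void *arg) {
    char key[64], value[64];
    int used;

    if (scanner.active) return PARSE_FAILURE; /* re-entered: fail, touch nothing */
    scanner.active = 1;
    scanner.cursor = text;
    while (sscanf(scanner.cursor, " %63[^=\n]=%63[^\n]%n", key, value, &used) == 2) {
        scanner.cursor += used;
        cb(key, value, arg);
    }
    scanner.active = 0;
    return PARSE_OK;
}

struct result { int entries; int nested_status; };

static void count_cb(const char *key, const char *value, void *arg) {
    (void)key; (void)value;
    ((struct result *)arg)->entries++;
}

/* Like the report's "include" handler: tries to parse from inside the parse. */
static void include_cb(const char *key, const char *value, void *arg) {
    struct result *r = arg;
    r->entries++;
    if (strcmp(key, "include") == 0)
        r->nested_status = parse_ini_string(value, count_cb, arg);
}

struct result run_demo(void) {
    struct result r = {0, PARSE_OK};
    parse_ini_string("a=1\ninclude=b=2\nc=3\n", include_cb, &r); /* constructed input */
    return r;
}

int main(void) {
    struct result r = run_demo();
    printf("entries=%d nested_status=%d\n", r.entries, r.nested_status);
    return 0;
}
```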

 [2010-04-18 12:29 UTC]
The following patch has been added/updated:

Patch Name: zend_ini_parser.y.patch
Revision:   1271586553
 [2011-08-30 13:50 UTC]
-Status: Open +Status: Feedback
 [2011-08-30 13:50 UTC]
Any particular reason you haven't committed this yet?
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
Last updated: Sat Dec 03 00:05:54 2022 UTC