Bug #51588 calling zend_parse_ini_string/file recursively core dump
Submitted: 2010-04-18 12:28 UTC Modified: 2013-02-18 00:34 UTC
From: fat@php.net Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.2 OS: any
Private report: No CVE-ID: None
 [2010-04-18 12:28 UTC] fat@php.net
Description:
------------
When zend_parse_ini_string or zend_parse_ini_file is called recursively, it crashes. The lexical state variable is global; calling those functions recursively overwrites the previous version and crashes when it is freed/destroyed.

To prevent this behaviour, the following patch makes zend_parse_ini_string or zend_parse_ini_file return an error when called recursively.

Test script:
---------------
#include "php.h"
#include "zend_ini.h"
#include "zend_ini_scanner.h"

/* Forward declaration: the parser callback below calls this recursively. */
static void fpm_conf_load_ini_file(char *filename TSRMLS_DC);

/* Parser callback. On an "include = <file>" entry it loads that file immediately,
 * re-entering zend_parse_ini_file() while the outer parse is still running. */
static void fpm_conf_ini_parser(zval *arg1, zval *arg2, zval *arg3,
                                int callback_type, void *arg TSRMLS_DC)
{
    if (!arg1 || !arg2) return;
    if (callback_type != ZEND_INI_PARSER_ENTRY) return;
    if (!strcmp(Z_STRVAL_P(arg1), "include")) {
        /* arg2 holds the entry value, i.e. the name of the file to include */
        fpm_conf_load_ini_file(Z_STRVAL_P(arg2) TSRMLS_CC);
    }
}

static void fpm_conf_load_ini_file(char *filename TSRMLS_DC)
{
    zend_file_handle fh;

    memset(&fh, 0, sizeof(fh));
    fh.handle.fp = VCWD_FOPEN(filename, "r");
    if (!fh.handle.fp) {
        return; /* unreadable file: nothing to parse */
    }
    fh.opened_path = NULL;
    fh.free_filename = 0;
    fh.filename = filename;
    fh.type = ZEND_HANDLE_FP;

    /* The nested call made from the callback reuses the global scanner state. */
    zend_parse_ini_file(&fh, 1, ZEND_INI_SCANNER_RAW,
                        (zend_ini_parser_cb_t)fpm_conf_ini_parser, NULL TSRMLS_CC);
}

Expected result:
----------------
It doesn't crash; it works or returns an error.

Actual result:
--------------
core dump


#0  _zend_mm_free_int (heap=0x8271c000, p=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2018
#1  0x1c23154a in _efree (ptr=0x7d3fe1f8) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2351
#2  0x1c245b5b in zend_stack_destroy (stack=0x3c2c2804) at /LIBRE/dev/php-5.3.2/Zend/zend_stack.c:104
#3  0x1c22bd1c in shutdown_ini_scanner () at zend_ini_scanner.l:201
#4  0x1c22b035 in zend_parse_ini_file (fh=0xcfbd3c70, unbuffered_errors=1 '\001', scanner_mode=0, ini_parser_cb=0x8271c000, arg=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_ini_parser.c:322
#5  0x1c2aefa8 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:739
#6  0x1c2af002 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:751
#7  0x1c2ad489 in fpm_init (argc=-2106474496, argv=0x8271c000, config=0x8271c000 "\001", base=0x3c2bf81c) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm.c:32
#8  0x1c2b14ff in main (argc=3, argv=0xcfbd5eac) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_main.c:1695
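The failure the report describes (a single global scanner state that a nested parse overwrites, so the outer parse later frees or reads state that is no longer its own) and the remedy the attached patch takes (refuse a recursive call with an error) are worked through below in a toy parser. This is an added example, not PHP's or FPM's code: parse_ini_string, init_scanner, shutdown_scanner, the scanner struct, the in-memory "files" and the stats bookkeeping are all stand-ins constructed for this example. It also goes one step past the patch and shows the pattern FPM's include handling actually needs, recording the include and parsing it only after the outer parse has returned, which the page's patch does not cover.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { SUCCESS = 0, FAILURE = -1, MAX_INCLUDES = 8 };

/* Constructed in-memory "files" standing in for fpm.ini and the file it includes. */
static const struct { const char *name, *text; } files[] = {
    { "fpm.ini",  "pid = /var/run/fpm.pid\ninclude = pool.ini\nlisten = 127.0.0.1:9000\n" },
    { "pool.ini", "pm = dynamic\npm.max_children = 5\n" },
};

static const char *lookup_file(const char *name) {
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].name, name) == 0) return files[i].text;
    return NULL;
}

/* Global scanner state, like zend_ini_scanner's: one copy per process. A nested parse
 * overwrites it, and the outer parse then reads or frees a buffer that is no longer its own. */
static struct {
    char  *buf;     /* text being lexed; owned here, freed by shutdown_scanner() */
    size_t pos;
    int    active;  /* re-entrancy guard: set while a parse is in progress */
} scanner;

static int init_scanner(const char *text) {
    /* Refuse recursion instead of clobbering the state, as the reporter's patch does. */
    if (scanner.active || !(scanner.buf = malloc(strlen(text) + 1))) return FAILURE;
    strcpy(scanner.buf, text);
    scanner.pos = 0;
    scanner.active = 1;
    return SUCCESS;
}

static void shutdown_scanner(void) { free(scanner.buf); scanner.buf = NULL; scanner.active = 0; }

/* Lex the next "key = value" line (key < 64, value < 256 bytes); returns 0 at end of input. */
static int next_entry(char *key, char *val) {
    while (scanner.buf[scanner.pos] != '\0') {
        char *line = scanner.buf + scanner.pos, *nl = strchr(line, '\n');
        if (nl) *nl = '\0';
        scanner.pos += strlen(line) + (nl ? 1 : 0);
        if (sscanf(line, "%63[^= ] = %255s", key, val) == 2) return 1; /* blank/malformed lines skipped */
    }
    return 0;
}

typedef void (*ini_parser_cb)(const char *key, const char *value, void *arg);

/* Stand-in for zend_parse_ini_string(): FAILURE when called while a parse is already active. */
int parse_ini_string(const char *text, ini_parser_cb cb, void *arg) {
    char key[64], val[256];
    if (init_scanner(text) == FAILURE) return FAILURE;
    while (next_entry(key, val)) cb(key, val, arg);
    shutdown_scanner();
    return SUCCESS;
}

typedef struct { int entries, rejected, nincl; char includes[MAX_INCLUDES][64]; } stats;

/* FPM's pattern: parse the included file from inside the callback, re-entering the parser.
 * With the guard the nested call is only rejected; without it the inner shutdown_scanner()
 * would free the buffer the outer parse is still lexing. */
static void eager_cb(const char *key, const char *value, void *arg) {
    stats *s = arg;
    s->entries++;
    if (strcmp(key, "include") == 0) {
        const char *text = lookup_file(value);
        if (!text || parse_ini_string(text, eager_cb, s) == FAILURE) s->rejected++;
    }
}

/* Safe pattern: only record the include; it is parsed once the outer parse has returned. */
static void deferred_cb(const char *key, const char *value, void *arg) {
    stats *s = arg;
    s->entries++;
    if (strcmp(key, "include") == 0 && s->nincl < MAX_INCLUDES)
        snprintf(s->includes[s->nincl++], sizeof s->includes[0], "%s", value);
}

int load_config_eager(const char *name, stats *s) {
    const char *text = lookup_file(name);
    memset(s, 0, sizeof *s);
    return text ? parse_ini_string(text, eager_cb, s) : FAILURE;
}

int load_config_deferred(const char *name, stats *s) {
    const char *text = lookup_file(name);
    memset(s, 0, sizeof *s);
    if (!text || parse_ini_string(text, deferred_cb, s) == FAILURE) return FAILURE;
    for (int i = 0; i < s->nincl; i++) {          /* MAX_INCLUDES also bounds include cycles */
        const char *inc = lookup_file(s->includes[i]);
        if (!inc || parse_ini_string(inc, deferred_cb, s) == FAILURE) return FAILURE;
    }
    return SUCCESS;
}
```

With the guard in place, load_config_eager("fpm.ini", &s) still returns SUCCESS for the outer file but the nested parse of pool.ini is rejected (s.rejected is 1 and only the three fpm.ini entries are seen), which is exactly the "returns an error" outcome the patch aims for; load_config_deferred("fpm.ini", &s) sees all five entries because pool.ini is parsed after the outer parse has released the scanner. The guard alone turns a memory-safety bug into a reported error; it does not make recursive includes work, so a consumer such as FPM still has to restructure its include handling along the deferred lines.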


Patches

zend_ini_parser.y.patch (last revision 2010-04-18 10:29 UTC by fat@php.net)

History

 [2010-04-18 12:29 UTC] fat@php.net
The following patch has been added/updated:

Patch Name: zend_ini_parser.y.patch
Revision:   1271586553
URL:        http://bugs.php.net/patch-display.php?bug=51588&patch=zend_ini_parser.y.patch&revision=1271586553
 [2011-08-30 13:50 UTC] bjori@php.net
-Status: Open +Status: Feedback
 [2011-08-30 13:50 UTC] bjori@php.net
Any particular reason you haven't committed this yet?
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Jan 28 00:03:34 2022 UTC