PHP :: Bug #5391 :: user abort during call_user

Bug #5391	user abort during call_user_function() causes crashes
Submitted:	2000-07-06 00:14 UTC	Modified:	2005-03-31 16:13 UTC
From:	priit at bluemoon dot ee	Assigned:
Status:	Wont fix	Package:	Reproducible Crash
PHP Version:	3.0.16	OS:	SunOS 2.7 / RH Linux 6.1
Private report:	No	CVE-ID:	None

View Developer Edit

[2000-07-06 00:14 UTC] priit at bluemoon dot ee

call_user_function() sets GLOBAL(function_state).function_name to p_function_name.value.str.val and passes same p_function_name as parameter to cs_functioncall_pre_variable_passing() witch pushes function_state to function_state_stack and sets its parameter to GLOBAL(function_state).function_name. This results situration where there is 2 references to p_function_name.value.str.val: in function_state and function_state_stack top element OR if user abort is done in deeper level, 2 consecutive function_state_stack elements
This will result in crash php3_request_shutdown() when same pointer is freed twice

Possible fix:
diff -n -r1.1 language-parser.y
d742 1
a742 1
        pval p_function_name,dummy_function_name;
a760 2
        dummy_function_name = p_function_name;
        pval_copy_constructor(&dummy_function_name);
d770 1
a770 1
        GLOBAL(function_state).function_name = dummy_function_name.value.str.val;
a789 1
        pval_destructor(&dummy_function_name);

I don't think it is best one, but it works

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-03-31 16:13 UTC] php-bugs at lists dot php dot net

We are sorry, but we do not support PHP 3 related problems anymore.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 15:00:01 2025 UTC