php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #5391 user abort during call_user_function() causes crashes
Submitted: 2000-07-06 00:14 UTC Modified: 2005-03-31 16:13 UTC
From: priit at bluemoon dot ee Assigned:
Status: Wont fix Package: Reproducible Crash
PHP Version: 3.0.16 OS: SunOS 2.7 / RH Linux 6.1
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2000-07-06 00:14 UTC] priit at bluemoon dot ee
call_user_function() sets GLOBAL(function_state).function_name to p_function_name.value.str.val and passes same p_function_name as parameter to cs_functioncall_pre_variable_passing() witch pushes function_state to function_state_stack and sets its parameter to GLOBAL(function_state).function_name. This results situration where there is 2 references to p_function_name.value.str.val: in function_state and function_state_stack top element OR if user abort is done in deeper level, 2 consecutive function_state_stack elements
This will result in crash php3_request_shutdown() when same pointer is freed twice

Possible fix:
diff -n -r1.1 language-parser.y
d742 1
a742 1
        pval p_function_name,dummy_function_name;
a760 2
        dummy_function_name = p_function_name;
        pval_copy_constructor(&dummy_function_name);
d770 1
a770 1
        GLOBAL(function_state).function_name = dummy_function_name.value.str.val;
a789 1
        pval_destructor(&dummy_function_name);

I don't think it is best one, but it works


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-03-31 16:13 UTC] php-bugs at lists dot php dot net
We are sorry, but we do not support PHP 3 related problems anymore.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Apr 17 08:01:23 2021 UTC