Bug #54580 get_browser() segmentation fault
Submitted: 2011-04-21 00:06 UTC Modified: 2011-05-01 20:38 UTC
From: tomas dot brastavicius at quantum dot lt Assigned: cataphract
Status: Closed Package: Unknown/Other Function
PHP Version: trunk-SVN-2011-04-20 (SVN) OS: Ubuntu 10.10 (x86_64)
Private report: No CVE-ID:
 [2011-04-21 00:06 UTC] tomas dot brastavicius at quantum dot lt
Description:
------------
PHP is running as an Apache module. The following configuration was used to compile PHP:
./configure --with-apxs2=/usr/bin/apxs2 --enable-debug --disable-all

Test script:
---------------
1. Be sure browscap directive is commented out in php.ini
2. Set browscap setting in Apache configuration file, i.e. php_admin_value browscap "/some/path/browscap.ini"
3. Run the following PHP script:
<?php
ini_set('browscap', '/some/path/browscap.ini');
get_browser();

Expected result:
----------------
Notice or another type of message that indicates a misconfiguration (the browscap directive is of the PHP_INI_SYSTEM type and cannot be set or changed with the ini_set() function or in the Apache configuration file)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff09db2af in zend_hash_find (ht=0x7ffff0e6e100, 
    arKey=0x7ffff7f6b760 "User-Agent", nKeyLength=109, pData=0x7fffffffbdb8)
    at /a/php-trunk/Zend/zend_hash.c:905
905		p = ht->arBuckets[nIndex];

Full backtrace:

#0  0x00007ffff09db2af in zend_hash_find (ht=0x7ffff0e6e100, 
    arKey=0x7ffff7f6b760 "User-Agent", nKeyLength=109, pData=0x7fffffffbdb8)
    at /a/php-trunk/Zend/zend_hash.c:905
#1  0x00007ffff08ac3b1 in zif_get_browser (ht=0, return_value=0x7ffff7f62be8, return_value_ptr=0x0, 
    this_ptr=0x0, return_value_used=1) at /a/php-trunk/ext/standard/browscap.c:360
#2  0x00007ffff0a09972 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f2e338)
    at /a/php-trunk/Zend/zend_vm_execute.h:642
#3  0x00007ffff0a0ffd2 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f2e338)
    at /a/php-trunk/Zend/zend_vm_execute.h:1963
#4  0x00007ffff0a08077 in execute (op_array=0x7ffff7f611c0)
    at /a/php-trunk/Zend/zend_vm_execute.h:410
#5  0x00007ffff09c88a3 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /a/php-trunk/Zend/zend.c:1212
#6  0x00007ffff0933982 in php_execute_script (primary_file=0x7fffffffe670)
    at /a/php-trunk/main/main.c:2349
#7  0x00007ffff0b0de48 in php_handler (r=0x7ffff84bbea0)
    at /a/php-trunk/sapi/apache2handler/sapi_apache2.c:667
#8  0x00007ffff7fd6310 in ap_run_handler (r=0x7ffff84bbea0) at /build/buildd/apache2-2.2.16/server/config.c:159
#9  0x00007ffff7fd9c9e in ap_invoke_handler (r=0x7ffff84bbea0)
    at /build/buildd/apache2-2.2.16/server/config.c:377
#10 0x00007ffff7fe77b8 in ap_process_request (r=0x7ffff84bbea0)
    at /build/buildd/apache2-2.2.16/modules/http/http_request.c:282
#11 0x00007ffff7fe4748 in ap_process_http_connection (c=0x7ffff84adc90)
    at /build/buildd/apache2-2.2.16/modules/http/http_core.c:190
#12 0x00007ffff7fddef8 in ap_run_process_connection (c=0x7ffff84adc90)
    at /build/buildd/apache2-2.2.16/server/connection.c:43
#13 0x00007ffff7fec177 in child_main (child_num_arg=<value optimized out>)
    at /build/buildd/apache2-2.2.16/server/mpm/prefork/prefork.c:662
#14 0x00007ffff7fec446 in make_child (s=0x7ffff8214938, slot=0)
    at /build/buildd/apache2-2.2.16/server/mpm/prefork/prefork.c:702
#15 0x00007ffff7feca93 in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, 
    s=<value optimized out>) at /build/buildd/apache2-2.2.16/server/mpm/prefork/prefork.c:978
#16 0x00007ffff7fc2530 in main (argc=2, argv=0x7fffffffecf8) at /build/buildd/apache2-2.2.16/server/main.c:742

Patches

browscap.diff (last revision 2011-04-26 02:01 UTC) by cataphract@php.net

History

 [2011-04-21 13:54 UTC] cataphract@php.net
The problem is not ini_set; the segfault occurs because PHP assumes the parse result of the code is initialized when the ini setting is non-empty; however, by using php_admin_value, the ini setting value is set after the parsing code runs, so when it runs it leaves the memory uninitialized because the ini setting is empty.

This should be fixed by having the ini setting change via php_admin_value trigger the ini reading and structure initialization.
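The lifecycle described in the comment above, as an added example that is not part of the bug report or of ext/standard/browscap.c: a module-startup (MINIT) routine that parses the browscap file only when the directive is already set, an activation-time assignment standing in for php_admin_value, and two versions of get_browser(). The pre-fix version treats a non-empty directive as proof that the table was built and returns 1 where the real engine would dereference the never-built hash table (the SIGSEGV in the report); the post-fix version parses on first use within the request, as the committed fix does. All names (bc_table, browscap_minit, browscap_set_at_activation, get_browser_buggy, get_browser_fixed) and the embedded miniature browscap.ini are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16

/* Hypothetical stand-ins for PHP's browscap state; these names are not the
 * ones used in ext/standard/browscap.c. */
typedef struct { char pattern[128]; char browser[64]; } bc_entry;
typedef struct {
    bc_entry *entries;   /* NULL until the file has been parsed: the unbuilt state */
    int count;
} bc_table;

static const char *ini_browscap = "";  /* the browscap INI directive; "" means unset */
static bc_table table = { NULL, 0 };   /* module-global, zeroed when the module loads */

/* Constructed miniature browscap.ini, embedded so the example runs offline.
 * Each section name is a user-agent pattern; '*' matches any run of characters. */
static const char *SAMPLE_BROWSCAP =
    "[Mozilla/5.0 (X11*Firefox*]\nBrowser=Firefox\n"
    "[curl/*]\nBrowser=curl\n"
    "[*]\nBrowser=Default Browser\n";

/* Parse the sample into the table. A real implementation would read `path`. */
static void parse_browscap(const char *path) {
    char buf[512], *line;
    bc_entry *cur = NULL;
    (void)path;
    table.entries = calloc(MAX_ENTRIES, sizeof(bc_entry));
    table.count = 0;
    strncpy(buf, SAMPLE_BROWSCAP, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        size_t n = strlen(line);
        if (line[0] == '[' && line[n - 1] == ']' && n - 2 < sizeof table.entries[0].pattern
            && table.count < MAX_ENTRIES) {
            cur = &table.entries[table.count++];
            memcpy(cur->pattern, line + 1, n - 2);   /* calloc left the terminator zeroed */
        } else if (cur && strncmp(line, "Browser=", 8) == 0) {
            strncpy(cur->browser, line + 8, sizeof cur->browser - 1);
        }
    }
}

/* Minimal glob: '*' matches any run of characters, everything else literally. */
static int glob_match(const char *pat, const char *s) {
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {
            if (glob_match(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    return *s == *pat && glob_match(pat + 1, s + 1);
}

/* First matching pattern wins; NULL when nothing matches. */
static const char *lookup(const char *ua) {
    for (int i = 0; i < table.count; i++)
        if (glob_match(table.entries[i].pattern, ua)) return table.entries[i].browser;
    return NULL;
}

/* Module startup as the pre-fix code did it: parse only if the directive is
 * already non-empty. A php_admin_value applied later leaves table.entries NULL. */
void browscap_minit(const char *php_ini_value) {
    ini_browscap = php_ini_value;
    if (*ini_browscap) parse_browscap(ini_browscap);
}

/* Activation-time assignment: what php_admin_value does after MINIT has run. */
void browscap_set_at_activation(const char *path) { ini_browscap = path; }

/* Pre-fix logic. Returns -1 when the directive is unset, 1 where the real code
 * would call zend_hash_find on the never-built table (reported, not crashed here),
 * 0 on a successful lookup. */
int get_browser_buggy(const char *ua, const char **out) {
    *out = NULL;
    if (!*ini_browscap) return -1;
    if (table.entries == NULL) return 1;
    *out = lookup(ua);
    return 0;
}

/* Post-fix logic: directive set but table unbuilt means it was set at activation
 * time, so parse on first use in this request before looking up. */
int get_browser_fixed(const char *ua, const char **out) {
    *out = NULL;
    if (!*ini_browscap) return -1;
    if (table.entries == NULL) parse_browscap(ini_browscap);
    *out = lookup(ua);
    return 0;
}

void browscap_reset(void) { free(table.entries); table.entries = NULL; table.count = 0; ini_browscap = ""; }

int main(void) {
    const char *b;
    browscap_minit("");                                    /* php.ini: directive commented out */
    browscap_set_at_activation("/some/path/browscap.ini");  /* php_admin_value in httpd.conf */
    printf("pre-fix:  %s\n", get_browser_buggy("curl/7.21.0", &b) == 1 ? "would segfault" : "ok");
    printf("post-fix: %s\n", get_browser_fixed("curl/7.21.0", &b) == 0 ? b : "error");
    browscap_reset();
    return 0;
}
```

The ordering matters: with the directive in php.ini, both versions behave the same because the table is built at startup; only the php.ini-empty, httpd.conf-set combination from the report reaches the unbuilt-table path.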
 [2011-04-21 16:05 UTC] cataphract@php.net
-Assigned To: +Assigned To: cataphract
 [2011-04-26 04:01 UTC] cataphract@php.net
The following patch has been added/updated:

Patch Name: browscap.diff
Revision:   1303783306
URL:        http://bugs.php.net/patch-display.php?bug=54580&patch=browscap.diff&revision=1303783306
 [2011-05-01 20:37 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=310691
Log: - Fixed bug #54580 (get_browser() segmentation fault when the browscap ini
  directive is set in activation time). This commit fixes this by adding a
  per-request parsing of the browscap file, that is, when get_browser is called
  the first time and the directive is set on activation time.
 [2011-05-01 20:38 UTC] cataphract@php.net
-Status: Assigned +Status: Closed
 [2011-05-01 20:38 UTC] cataphract@php.net
Fixed in SVN. Since the fix is non-trivial, I would ask you to try it out and report any problem you may find.

Thanks for your report.