Bug #60708 segmentation fault, use max_input_vars
Submitted: 2012-01-11 07:04 UTC Modified: 2012-02-02 13:03 UTC
Votes:10
Avg. Score:4.1 ± 0.8
Reproduced:7 of 7 (100.0%)
Same Version:6 (85.7%)
Same OS:5 (71.4%)
From: masugata at gmail dot com Assigned: dmitry
Status: Closed Package: *General Issues
PHP Version: 5.3.9 OS: x86_64 GNU/Linux
Private report: No CVE-ID:
 [2012-01-11 07:04 UTC] masugata at gmail dot com
Description:
------------
segmentation fault, use max_input_vars

$ gdb  /tmp/php-5.3.9/sapi/cgi/php-cgi
(gdb) run -d max_input_vars=1 /tmp/cgitest.php a[]=1 v[]=2
Starting program: /tmp/php-5.3.9/sapi/cgi/php-cgi -d max_input_vars=1 /tmp/cgitest.php a[]=1 v[]=2
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaaab000
[Thread debugging using libthread_db enabled]
Unknown(0) : Warning - Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini.
Unknown(0) : Warning - Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini.
Unknown(0) : Warning - Unknown: Input variables exceeded 1. To increase the limit change max_input_vars in php.ini.

Program received signal SIGSEGV, Segmentation fault.
0x000000000077ba65 in php_register_variable_ex (var_name=0xfe6618 "v[]", val=0x7fffffffc100, track_vars_array=0xfe5eb8)
    at /tmp/php-5.3.9/main/php_variables.c:207
207                             symtable1 = Z_ARRVAL_PP(gpc_element_p);
(gdb) bt
#0  0x000000000077ba65 in php_register_variable_ex (var_name=0xfe6618 "v[]", val=0x7fffffffc100, track_vars_array=0xfe5eb8)
    at /tmp/php-5.3.9/main/php_variables.c:207
#1  0x00000000005886d9 in php_sapi_filter (arg=1, var=0xfe6618 "v[]", val=0x7fffffffc1c0, val_len=1, new_val_len=0x7fffffffc1b4)
    at /tmp/php-5.3.9/ext/filter/filter.c:461
#2  0x000000000077c6ca in php_default_treat_data (arg=1, str=0x0, destArray=0x0) at /tmp/php-5.3.9/main/php_variables.c:408
#3  0x000000000077d5b0 in php_hash_environment () at /tmp/php-5.3.9/main/php_variables.c:716
#4  0x0000000000769448 in php_request_startup () at /tmp/php-5.3.9/main/main.c:1468
#5  0x00000000008d0438 in main (argc=6, argv=0x7fffffffe928) at /tmp/php-5.3.9/sapi/cgi/cgi_main.c:2035

Test script:
---------------
<?php

print_r( $_GET );



Patches

memleak_fix_for_bug60708 (last revision 2012-02-02 09:12 UTC) by laruence@php.net


History

 [2012-02-02 05:58 UTC] nickg at client9 dot com
Confirmed.  Input could be a=1 v[]=2.  Last arg past max_input_var just needs to be array-like.  Test file could be an EMPTY FILE.  Does not need to be CLI but any SAPI source.
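A regression test for the minimal reproduction above, written here as an added example in PHP's run-tests.php .phpt format; it is not part of this report or of the SVN fix, and the file name and location (tests/basic/bug60708.phpt) are assumed. The --GET-- section makes run-tests.php drive the script through php-cgi, which is the SAPI the reporter crashed, and --INI-- pins max_input_vars=1 so that the second, array-like variable v[] is the one past the limit. On an affected build the CGI process dies with SIGSEGV and the test fails; on a fixed build the request completes, the limit warning is emitted, $_GET carries only the first variable, and the dropped v[] never appears.

```php
--TEST--
Bug #60708 (segmentation fault with max_input_vars when the variable past the limit is array-like)
--INI--
max_input_vars=1
--GET--
a=1&v[]=2
--FILE--
<?php
/* Added regression check for bug #60708, not the project's own test.
 * With max_input_vars=1 only "a" may be registered; "v[]" is the
 * array-like input past the limit that used to dereference a NULL
 * gpc_element_p in php_register_variable_ex(). */
var_dump(isset($_GET['a']));   // the one variable inside the limit
var_dump(isset($_GET['v']));   // the array-like variable past the limit is dropped
echo "done\n";                 // only reached if request startup did not crash
?>
--EXPECTF--
%Abool(true)
bool(false)
done
```

Run it from a source tree with `TEST_PHP_EXECUTABLE=sapi/cli/php TEST_PHP_CGI_EXECUTABLE=sapi/cgi/php-cgi php run-tests.php tests/basic/bug60708.phpt` (paths assumed); run-tests.php skips the test when no CGI binary is available, so a skip rather than a pass means the crash path was never exercised. The leading `%A` in --EXPECTF-- absorbs the "Input variables exceeded 1" warning text, which differs in form between display_errors and log output, so the assertion is on the surviving request state rather than on the warning wording.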
 [2012-02-02 07:17 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: stas
 [2012-02-02 07:29 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Thanks, should be fine in current SVN.
 [2012-02-02 07:29 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2012-02-02 07:55 UTC] pajoye@php.net
Are you sure the fix is complete? There are leaks afaik.
 [2012-02-02 08:00 UTC] huzaifas at redhat dot com
Is this bug fixed by the following svn commit?
http://svn.php.net/viewvc?view=revision&revision=323007
 [2012-02-02 08:58 UTC] laruence@php.net
fix for the leaks referred to by Pierre:
--- php_variables.c	(revision 323011)
+++ php_variables.c	(working copy)
@@ -187,6 +187,10 @@
 						array_init(gpc_element);
 						zend_symtable_update(symtable1, 
escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) 
&gpc_element_p);
 					} else {
+						if (index != escaped_index) {
+							efree(escaped_index);
+						}
+						zval_dtor(val);
 						free_alloca(var_orig, use_heap);
 						return;
 					}
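Review bot: the new cleanup in the `else` branch (the limit-exceeded early return) releases `escaped_index` and the contents of `val`, but nothing in the hunk exercises that path; a .phpt with `--INI--` `max_input_vars=1` and `--GET--` `a=1&v[]=2` (the reporter's reproduction) would pin both the crash fixed in r323007 and the leak fixed here, and would catch a regression if either release is later dropped. Two points to confirm before merging: the `if (index != escaped_index)` guard assumes `escaped_index` aliases `index` whenever no escaping was needed, so it should match the guard used on the other return paths of php_register_variable_ex; and `zval_dtor(val)` releases only the zval's contents, so it is the right call only if the container itself is still owned by the caller (php_sapi_filter in the reporter's trace), otherwise `zval_ptr_dtor(&val)` is needed.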
 [2012-02-02 09:02 UTC] pajoye@php.net
Assign to Dmitry as he is working on that now.
 [2012-02-02 09:02 UTC] pajoye@php.net
-Status: Closed +Status: Assigned -Assigned To: stas +Assigned To: dmitry
 [2012-02-02 09:12 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: memleak_fix_for_bug60708
Revision:   1328173952
URL:        https://bugs.php.net/patch-display.php?bug=60708&patch=memleak_fix_for_bug60708&revision=1328173952
 [2012-02-02 13:03 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2012-02-02 13:03 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 01:01:56 2014 UTC