Bug #63434 Segfault if apc.shm_strings_buffer exceeds apc.shm_size
Submitted: 2012-11-04 05:47 UTC Modified: 2014-02-11 10:19 UTC
From: laruence@php.net Assigned: laruence (profile)
Status: Closed Package: APC (PECL)
PHP Version: 5.4.8 OS:
Private report: No CVE-ID: None
 [2012-11-04 05:47 UTC] laruence@php.net
Description:
------------
If apc.shm_strings_buffer exceeds apc.shm_size,
then interned_strings will fail at memory allocation,
but apc_new_interned_string doesn't check that.


Test script:
---------------
php54 -d apc.shm_size=1M -d apc.shm_strings_buffer=2M index.php

index.php
----------------
<?php
file_put_contents(__FILE__ . ".tmp", "<?php return array('xxx' => 'xxx'); ?>");
include(__FILE__ . ".tmp");

Expected result:
----------------
no seg

Actual result:
--------------
#0  0x00002b53f9e54c98 in apc_new_interned_string (arKey=0x2b53f67464d0 
"/tmp/1.php", nKeyLength=11)
    at /home/huixinchen/opensource/pecl/apc/apc_string.c:77
77	    if (arKey >= APCSG(interned_strings_start) && arKey < 
APCSG(interned_strings_end)) {
(gdb) bt
#0  0x00002b53f9e54c98 in apc_new_interned_string (arKey=0x2b53f67464d0 
"/tmp/1.php", nKeyLength=11)
    at /home/huixinchen/opensource/pecl/apc/apc_string.c:77
#1  0x00002b53f9e42657 in apc_string_pmemcpy (str=0x2b53f67464d0 "/tmp/1.php", 
len=11, pool=0x2b53fa6da268)
    at /home/huixinchen/opensource/pecl/apc/apc_compile.c:292
#2  0x00002b53f9e42929 in my_copy_zval (dst=0x2b53fa6da400, src=0x2b53f670b108, 
ctxt=0x7fff7b39db20)
    at /home/huixinchen/opensource/pecl/apc/apc_compile.c:349
#3  0x00002b53f9e44ba9 in apc_copy_op_array (dst=0x2b53fa6da2f8, 
src=0x2b53f6709c40, ctxt=0x7fff7b39db20)
    at /home/huixinchen/opensource/pecl/apc/apc_compile.c:1215

 [2012-11-04 06:23 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=328229
Log: Fixed bug #63434 (Segfault if apc.shm_strings_buffer exceeds apc.shm_size)

It's a little weird, I cannot make an expect-segfault phpt.
 [2012-11-04 06:23 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2012-11-04 06:23 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-11-05 06:44 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=328241
Log: Add test for #63434
Add warning message for interned string buffer startup failure

However, I am not sure whether the warning message is proper. Could somebody confirm that?

Thanks
 [2012-11-05 06:47 UTC] laruence@php.net
I added a warning message for interned string buffer startup failure.

However, I am not sure whether the warning message is proper. Could somebody
confirm that?

Thanks

http://svn.php.net/viewvc?view=revision&revision=328241
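
Added example (not APC's code and not the committed fix): a simplified C model of the failure mode in this report, where the strings buffer is larger than the segment, startup fails with a warning, and the interning function checks that state before touching the buffer bounds. The static array standing in for shared memory and the names strings_init, intern, buf and SEGMENT_SIZE are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not APC's code: a static array stands in for the shared
 * segment (apc.shm_size) and all names below are hypothetical. */
#define SEGMENT_SIZE 1024
static char segment[SEGMENT_SIZE];
static struct { char *start, *top, *end; } buf;
static int buf_ready = 0;              /* stays 0 when startup fails */

/* Startup: carve the strings buffer out of the segment.
 * Returns 0 on success, -1 (after a warning) when it does not fit. */
int strings_init(size_t buffer_size) {
    buf_ready = 0;
    if (buffer_size > SEGMENT_SIZE) {
        fprintf(stderr, "warning: strings buffer (%zu bytes) exceeds segment "
                "(%d bytes); string interning disabled\n", buffer_size, SEGMENT_SIZE);
        return -1;
    }
    buf.start = buf.top = segment;
    buf.end = segment + buffer_size;
    buf_ready = 1;
    return 0;
}

/* Returns the interned copy of key, or key itself when interning is
 * unavailable or the buffer is full, so callers always get a usable pointer. */
const char *intern(const char *key, size_t len) {
    if (!buf_ready) return key;        /* state check comes before any range test */
    uintptr_t k = (uintptr_t)key;
    if (k >= (uintptr_t)buf.start && k < (uintptr_t)buf.end) return key;
    for (char *p = buf.start; p < buf.top; p += strlen(p) + 1)
        if (strlen(p) == len && memcmp(p, key, len) == 0) return p;
    if ((size_t)(buf.end - buf.top) < len + 1) return key;
    char *dst = buf.top;
    memcpy(dst, key, len);
    dst[len] = '\0';
    buf.top += len + 1;
    return dst;
}

int main(void) {
    const char *key = "/tmp/1.php";    /* constructed sample key */
    strings_init(2 * SEGMENT_SIZE);    /* mirrors buffer=2M with segment=1M */
    printf("fallback: %s\n", intern(key, strlen(key)));
    strings_init(SEGMENT_SIZE / 2);
    printf("interned: %s\n", intern(key, strlen(key)));
    return 0;
}
```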
 
Last updated: Tue Apr 23 20:01:29 2024 UTC