PHP :: Bug #64883 :: SIGSEGV in var.c:363
Bug #64883 SIGSEGV in var.c:363
Submitted: 2013-05-20 15:47 UTC Modified: 2013-07-24 10:58 UTC
From: pyo at mail dot ru Assigned:
Status: Duplicate Package: *General Issues
PHP Version: 5.4.15-17 OS: FreeBSD 9.1
Private report: No CVE-ID: None
 [2013-05-20 15:47 UTC] pyo at mail dot ru
Description:
------------
I have an old 3rd-party script that was used on shared hosting with PHP 5.2.6 running as an Apache module. I have no complaints about it from the hosting.
Now I moved this code to a VPS and get a SIGSEGV in both php-fpm and php-cli mode.
The code was not written by me, so I do not know which statements cause the segmentation fault.

PHP Version => 5.4.15

System => FreeBSD torq1.pyo 9.1-RELEASE-p3 FreeBSD 9.1-RELEASE-p3 #0: Mon Apr 29 18:11:52 UTC 2013     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
Build Date => May 14 2013 16:21:38
Configure Command =>  './configure'  '--with-layout=GNU' '--localstatedir=/var' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--enable-mysqlnd' '--with-libxml-dir=/usr/local' '--with-pcre-regex=/usr/local' '--with-zlib-dir=/usr' '--program-prefix=' '--enable-fpm' '--with-fpm-user=www' '--with-fpm-group=www' '--with-regex=php' '--with-zend-vm=CALL' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd9.1'
Server API => Command Line Interface

modified ini settings:
expose_php = Off
max_execution_time = 59
memory_limit = 64M
default_charset = "UTF-8"
date.timezone = "Europe/Moscow"
mysql.allow_persistent = Off
mysqli.allow_persistent = Off
pgsql.allow_persistent = Off

Actual result:
--------------
Current language:  auto; currently minimal
#0  0x081ddddf in php_array_element_export (zv=0xbfbfdf88, num_args=137402536, 
    args=0x13e <Address 0x13e out of bounds>, hash_key=0x81dddce) at var.c:363
	__nl = 0
	__dest = (smart_str *) 0x29f8f894
	tmp_spaces = 0x819a7f0 ""
	tmp_spaces_len = 679495168
	key = 0x819a815 "яй"
	tmp_str = 0xbfbfdf38 "А'"
	key_len = 28
	tmp_len = 704231864
	level = -1077944440
	buf = (smart_str *) 0x29e0d038
#1  0x081af2fa in metaphone (word=0x2a184bb8 "", word_len=702293828, 
    max_phonemes=704185368, phoned_word=0xbfbfdf88, traditional=137402536)
    at metaphone.c:360
	skip_letter = 10720
	w_idx = 318
	p_idx = 136175054
	max_buffer_len = -1077944440
#2  0x081dccce in php_var_export_ex (struc=0x2881602c, level=702608140, 
    buf=0x29e0d038) at var.c:489
	__nl = 3217022776
	__dest = (smart_str *) 0x1c
	myht = (HashTable *) 0x2
	tmp_str = 0x29571668 "8\001"
	tmp_len = -1077944436
	class_name = 0x29f88e84 "Ьна)"
	class_name_len = 20
	tmp_str2 = 0x0
	tmp_len2 = 702606812
#3  0x08202ee4 in php_var_unserialize (rval=0x29e105a4, p=0x29571668, 
    max=0x8202ee4 "MЛ\017¶EЛ=/", var_hash=0xbfbfe028)
    at var_unserializer.c:1179
	yych = 41 ')'
	cursor = (const unsigned char *) 0x16 <Address 0x16 out of bounds>
	limit = (const unsigned char *) 0x29e0f30c "\002p\036),са)Ьна)"
	marker = (const unsigned char *) 0x2881602c "\234юа)\fуа)"
	start = (const unsigned char *) 0x2881602c "\234юа)\fуа)"
	rval_ref = (zval **) 0x29e0f30c
	yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200", '\0' <repeats 197 times>
#4  0x081de716 in php_array_element_export (zv=0xbfe068, num_args=702608140, 
    args=0xbfe180 <Address 0xbfe180 out of bounds>, hash_key=0x8320ae0)
    at var.c:375
	__nl = 3217023000
	level = -1077944200
	buf = (smart_str *) 0x1c
#5  0x081b0bb0 in _php_gettimeofday (ht=-1077944024, return_value=0x0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, mode=0)
    at microtime.c:77
	offset = (timelib_time_offset *) 0x0
	get_as_float = 0 '\0'
	tp = {tv_sec = 0, tv_usec = 0}
#6  0x081ceeb6 in php_strtr_array_do_repl (text=0x0, d=0x0, return_value=0x101)
    at string.c:3113
	__nl = 3217023396
	__dest = (smart_str *) 0xbfbfe1a8
	pnr = (PATNREPL *) 0x0
	h2 = 10583
	offset_start = 32
	i = -1077944036
	prefix_h = 5736
	offset_end = -1077943896
	h = 0
	shift = 36
	pos = 693573224
	nextwpos = 3217023332
	lastpos = 0
	result = {c = 0xbfbfe170 "\034бїїЁбїї ", len = 0, a = 3217023340}
#7  0x081d8967 in zif_get_headers (ht=702608140, return_value=0x29571668, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at url.c:755
	c = 0 '\0'
	s = 0x101 <Address 0x101 out of bounds>
	p = 0x29571668 "8\001"
	url = 0x0
	prev_val = (zval **) 0x29e0eddc
	pos = 0xbfbfe1f8
	hashT = (HashTable *) 0x0
	url_len = 10
	stream = (php_stream *) 0xbfbfe1e8
	hdr = (zval **) 0xbfbfe1e4
	h = (zval **) 0x81d8967
	context = (php_stream_context *) 0x82fa235
	format = 312
#8  0x081ddb72 in php_array_element_export (zv=0xbfbfe248, num_args=312, 
    args=0x29f88e84 "Ьна)", hash_key=0x81ddb72) at var.c:355
	__nl = 0
	__dest = (smart_str *) 0x101
	level = -1077943784
	buf = (smart_str *) 0x26e0
#9  0x081af3ae in metaphone (word=0x2879fd0c "hш\020", word_len=693361284, 
    max_phonemes=136080733, phoned_word=0xbfbf127f, traditional=-1077943680)
    at metaphone.c:362
	skip_letter = 49087
	w_idx = -1077943176
	p_idx = -1077943704
	max_buffer_len = -1077943780
#10 0x081bc23e in _zval_copy_ctor () at zend_variables.h:46
	rot13_to = "nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM"
	hexconvtab = "0123456789abcdef"
	rot13_from = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
#11 0x08167702 in zif_putenv (ht=0, return_value=0x0, return_value_ptr=0x0, 
    this_ptr=0x0, return_value_used=0) at basic_functions.c:4102
	p = 0x0
	env = (char **) 0xbfbfeb60
	pe = {putenv_string = 0x81676d2 "є", previous_value = 0xbfbfeb01 "", 
  key = 0xbfbfe2bc "\002w\026\bxдїї", key_len = -1077943064}
	setting = 0x0
	setting_len = 4735
#12 0x0823e98d in mysqlnd_mbcharlen_gb2312 (gb=137388869)
    at mysqlnd_charset.c:308
No locals.
#13 0x08305ebc in lex_scan (zendlval=0x0) at zend_language_scanner.l:1467
	yych = 8 '\b'
	yyaccept = 136572551
	yybm = "\000\000\000\000\000\000\000\000\000\200\200\000\000\200", '\0' <repeats 18 times>, "\200", '\0' <repeats 222 times>
	yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200\000\000\000\000\000\000\000", '\200' <repeats 26 times>, "\000\000\000\000\200\000", '\200' <repeats 26 times>, "\000\000\000\000", '\200' <repeats 129 times>
	yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200\000\000\000\000\000\000\000", '\200' <repeats 26 times>, "\000\000\000\000\200\000", '\200' <repeats 26 times>, "\000\000\000\000", '\200' <repeats 129 times>
	yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200\000\000\000\000\000\000\000", '\200' <repeats 26 times>, "\000\000\000\000\200\000", '\200' <repeats 26 times>, "\000\000\000\000", '\200' <repeats 129 times>
	yybm = "\000\000\000\000\000\000\000\000\000А@\000\000@", '\0' <repeats 18 times>, "А", '\0' <repeats 15 times>, "<<,,,,,,,,\000\000\000\000\000\000\000$$$$$$", '\004' <repeats 20 times>, "\000\000\000\000\004\000$$$$$$", '\004' <repeats 20 times>, "\000\000\000\000", '\004' <repeats 129 times>
	yybm = "\000\000\000\000\000\000\000\000\000\200\200\000\000\200", '\0' <repeats 18 times>, "\200", '\0' <repeats 15 times>, "@@@@@@@@@@\000\000\000\000\000\000\000", '@' <repeats 26 times>, "\000\000\000\000@\000", '@' <repeats 26 times>, "\000\000\000\000", '@' <repeats 129 times>
	yybm = '\0' <repeats 48 times>, "\200\200\200\200\200\200\200\200\200\200\000\000\000\000\000\000\000", '\200' <repeats 26 times>, "\000\000\000\000\200\000", '\200' <repeats 26 times>, "\000\000\000\000", '\200' <repeats 129 times>
	yybm = '\0' <repeats 48 times>, "ррpppppppp\000\000\000\000\000\000\000PPPPPP", '\020' <repeats 20 times>, "\000\000\000\000\020\000PPPPPP", '\020' <repeats 20 times>, "\000\000\000\000", '\020' <repeats 129 times>
#14 0x0823d7bf in mysqlnd_build_trace_args (arg=0x0, num_args=1, 
    args=0x218 <Address 0x218 out of bounds>, hash_key=0x0) at mysqlnd_bt.c:318
	l_added = -1077941268
	str = (char **) 0xbfbfeba8
	len = (int *) 0xbfbfebf8
#15 0x0806ee87 in fileno@plt ()
No symbol table info available.
Cannot access memory at address 0x5c

History

 [2013-05-20 19:30 UTC] pyo at mail dot ru
Moved to General Issues.
 [2013-05-20 19:30 UTC] pyo at mail dot ru
-Package: Scripting Engine problem +Package: *General Issues
 [2013-06-06 22:09 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2013-06-06 22:09 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2013-06-07 09:30 UTC] pyo at mail dot ru
-Status: Feedback +Status: Open
 [2013-06-07 09:30 UTC] pyo at mail dot ru
Sorry, as I stated before, it is not possible.
 [2013-06-08 18:36 UTC] pyo at mail dot ru
-PHP Version: 5.4.15 +PHP Version: 5.4.15(16)
 [2013-06-08 18:36 UTC] pyo at mail dot ru
PHP 5.4.16 - same crash.
 [2013-07-24 10:19 UTC] ab@php.net
-Status: Open +Status: Duplicate
 [2013-07-24 10:19 UTC] ab@php.net
See bug #52752.
 [2013-07-24 10:58 UTC] pyo at mail dot ru
-PHP Version: 5.4.15(16) +PHP Version: 5.4.15-17
 [2013-07-24 10:58 UTC] pyo at mail dot ru
Same with 5.4.17
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Aug 15 20:01:25 2018 UTC