Bug #66098 Segfault in zval_addref_p
Submitted: 2013-11-14 21:00 UTC Modified: 2013-11-14 21:11 UTC
From: amueller at grg21 dot ac dot at Assigned: mkoppanen (profile)
Status: Closed Package: imagick (PECL)
PHP Version: 5.5.6 OS: Opensuse 12.3
Private report: No CVE-ID: None
 [2013-11-14 21:00 UTC] amueller at grg21 dot ac dot at
Description:
------------
PHP-Version:
PHP 5.5.6 (cli) (built: Nov 14 2013 21:16:33) (DEBUG)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies

Diff php.ini:
385c385
< max_execution_time = 999999
---
> max_execution_time = 30
406c406
< memory_limit = 256M
---
> memory_limit = 128M
479c479
< display_errors = On
---
> display_errors = Off
1868,1878d1867
< ;zend_extension=/usr/local/lib64/extensions/debug-non-zts-20121212/xdebug.so
< ;[xdebug]
< ;xdebug.remote_enable=1
< ;xdebug.remote_handler=dbgp
< ;xdebug.remote_mode=req
< ;xdebug.remote_host=127.0.0.1
< ;debug.remote_port=9000
< ;debug.var_display_max_depth=10
< 
< 
< extension=/usr/local/lib64/extensions/debug-non-zts-20121212/imagick.so

Configure line:
./configure -with-apxs2=/usr/sbin/apxs2 --with-mysql --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-sockets --enable-mbstring --with-curl --with-mysqli --enable-debug --enable-exif


GDB Dump:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff30c8c23 in zval_addref_p (pz=0x0) at /home/alex/src/php-5.5.6/Zend/zend.h:405
405             return ++pz->refcount__gc;
(gdb) bt
#0  0x00007ffff30c8c23 in zval_addref_p (pz=0x0) at /home/alex/src/php-5.5.6/Zend/zend.h:405
#1  0x00007ffff31251e1 in zend_fetch_property_address_read_helper_SPEC_CV_CONST (execute_data=0x7ffff2b105b8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:32411
#2  0x00007ffff3125242 in ZEND_FETCH_OBJ_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff2b105b8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:32427
#3  0x00007ffff30cf47f in execute_ex (execute_data=0x7ffff2b105b8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:363
#4  0x00007ffff30cf507 in zend_execute (op_array=0x7ffff1941bc8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:388
#5  0x00007ffff307d819 in zend_call_function (fci=0x7fffffffa350, fci_cache=0x7fffffffa320) at /home/alex/src/php-5.5.6/Zend/zend_execute_API.c:939
#6  0x00007ffff2ef3828 in zif_call_user_func_array (ht=2, return_value=0x7ffff18d14a8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /home/alex/src/php-5.5.6/ext/standard/basic_functions.c:4806
#7  0x00007ffff30cfd8e in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff2b0f080) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:550
#8  0x00007ffff30d0560 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff2b0f080) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:685
#9  0x00007ffff30cf47f in execute_ex (execute_data=0x7ffff2b0f080) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:363
#10 0x00007ffff30cf507 in zend_execute (op_array=0x7ffff19407d0) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:388
#11 0x00007ffff307d819 in zend_call_function (fci=0x7fffffffa670, fci_cache=0x7fffffffa640) at /home/alex/src/php-5.5.6/Zend/zend_execute_API.c:939
#12 0x00007ffff2ef3675 in zif_call_user_func (ht=2, return_value=0x7ffff193cd38, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/alex/src/php-5.5.6/ext/standard/basic_functions.c:4781
#13 0x00007ffff30cfd8e in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff2b0cba8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:550
#14 0x00007ffff30d0560 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff2b0cba8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:685
#15 0x00007ffff30cf47f in execute_ex (execute_data=0x7ffff2b0cba8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:363
#16 0x00007ffff30cf507 in zend_execute (op_array=0x7ffff2b3ae60) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:388
#17 0x00007ffff307d819 in zend_call_function (fci=0x7fffffffa980, fci_cache=0x7fffffffa950) at /home/alex/src/php-5.5.6/Zend/zend_execute_API.c:939
#18 0x00007ffff2ef3675 in zif_call_user_func (ht=2, return_value=0x7ffff1928d48, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/alex/src/php-5.5.6/ext/standard/basic_functions.c:4781
#19 0x00007ffff30cfd8e in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff2b0af90) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:550
#20 0x00007ffff30d0560 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff2b0af90) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:685
#21 0x00007ffff30cf47f in execute_ex (execute_data=0x7ffff2b0af90) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:363
#22 0x00007ffff30cf507 in zend_execute (op_array=0x7ffff1a8c038) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:388
#23 0x00007ffff307d819 in zend_call_function (fci=0x7fffffffac90, fci_cache=0x7fffffffac60) at /home/alex/src/php-5.5.6/Zend/zend_execute_API.c:939
#24 0x00007ffff2ef3675 in zif_call_user_func (ht=2, return_value=0x7ffff19293a0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/alex/src/php-5.5.6/ext/standard/basic_functions.c:4781
#25 0x00007ffff30cfd8e in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff2b099e8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:550
#26 0x00007ffff30d0560 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff2b099e8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:685
#27 0x00007ffff30cf47f in execute_ex (execute_data=0x7ffff2b099e8) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:363
#28 0x00007ffff30cf507 in zend_execute (op_array=0x7ffff2b3ae60) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:388
#29 0x00007ffff307d819 in zend_call_function (fci=0x7fffffffafa0, fci_cache=0x7fffffffaf70) at /home/alex/src/php-5.5.6/Zend/zend_execute_API.c:939
#30 0x00007ffff2ef3675 in zif_call_user_func (ht=2, return_value=0x7ffff192a4e0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/alex/src/php-5.5.6/ext/standard/basic_functions.c:4781
#31 0x00007ffff30cfd8e in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff2b07dd0) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:550
#32 0x00007ffff30d0560 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff2b07dd0) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:685
#33 0x00007ffff30cf47f in execute_ex (execute_data=0x7ffff2b07dd0) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:363
#34 0x00007ffff30cf507 in zend_execute (op_array=0x7ffff2b39ca0) at /home/alex/src/php-5.5.6/Zend/zend_vm_execute.h:388
#35 0x00007ffff3091338 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/alex/src/php-5.5.6/Zend/zend.c:1320
#36 0x00007ffff2ffe19e in php_execute_script (primary_file=0x7fffffffd4c0) at /home/alex/src/php-5.5.6/main/main.c:2489
#37 0x00007ffff313e537 in php_handler (r=0x7ffff4242268) at /home/alex/src/php-5.5.6/sapi/apache2handler/sapi_apache2.c:667
#38 0x000055555559abb0 in ap_run_handler ()
#39 0x000055555559affb in ap_invoke_handler ()
#40 0x00005555555a7f2c in ap_internal_redirect ()
#41 0x00007ffff1467cf8 in ?? () from /usr/lib64/apache2-prefork/mod_rewrite.so
#42 0x000055555559abb0 in ap_run_handler ()
#43 0x000055555559affb in ap_invoke_handler ()
#44 0x00005555555a88b8 in ap_process_request ()
#45 0x00005555555a5768 in ?? ()
#46 0x00005555555a15e0 in ap_run_process_connection ()
#47 0x00005555555ad479 in ?? ()
#48 0x00005555555adb4e in ?? ()
#49 0x00005555555ae2a2 in ap_mpm_run ()
#50 0x0000555555585772 in main ()


Test script:
---------------
<?php

$img = new Imagick();

echo $img->foobar; //any bogus here will crash it

Expected result:
----------------
Notice: Undefined property: Imagick::$foobar in /tmp/tmp.qFBXe89EMl/test.php on line 4


Actual result:
--------------
Segfault
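
The backtrace shows zval_addref_p being handed pz=0x0 from the engine's property-read helper, i.e. the extension's property handler produced no zval for an unknown property and the engine incremented a refcount through a NULL pointer. The following is an added, self-contained C model of that failure pattern and of the defensive shape a handler should have; it is not Imagick's code and not the committed fix, and every name in it (model_zval, model_object, read_property, undefined_sentinel, the sample properties) is a constructed stand-in for the real Zend structures.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a refcounted zval; not PHP's real zval layout. */
typedef struct {
    const char *name;
    long value;
    unsigned refcount;
} model_zval;

/* Constructed stand-in for an object with a small fixed property table. */
typedef struct {
    model_zval props[4];
    size_t nprops;
} model_object;

/* Raw lookup: returns NULL for an unknown property. A handler that hands
   this result straight back to the engine reproduces the reported crash. */
model_zval *lookup_property(model_object *obj, const char *name) {
    for (size_t i = 0; i < obj->nprops; i++)
        if (strcmp(obj->props[i].name, name) == 0)
            return &obj->props[i];
    return NULL;
}

/* Mirrors zval_addref_p from the trace: no NULL check, so addref(NULL)
   dereferences address 0 exactly as "pz=0x0" in the backtrace. */
unsigned addref(model_zval *pz) { return ++pz->refcount; }

/* Shared "undefined" value that is never freed, so callers may addref it.
   This models the engine's fallback of returning an uninitialized zval
   plus a notice rather than a NULL pointer. */
static model_zval undefined_sentinel = { "(undefined)", 0, 1 };

/* Guarded read: never returns NULL. Unknown names produce the notice the
   reporter expected ("Undefined property") and the shared sentinel. */
model_zval *read_property(model_object *obj, const char *name, int *notice_emitted) {
    model_zval *pz = lookup_property(obj, name);
    if (notice_emitted)
        *notice_emitted = 0;
    if (pz == NULL) {
        fprintf(stderr, "Notice: Undefined property: $%s\n", name);
        if (notice_emitted)
            *notice_emitted = 1;
        pz = &undefined_sentinel;
    }
    addref(pz);  /* safe: pz is non-NULL on every path */
    return pz;
}

/* Constructed sample object with two known properties. */
static model_object sample_object = {
    { { "width", 640, 1 }, { "height", 480, 1 } }, 2
};

/* Convenience wrappers over the sample object for callers and tests. */
long sample_property_value(const char *name) {
    return read_property(&sample_object, name, NULL)->value;
}

int sample_property_is_undefined(const char *name) {
    int notice = 0;
    read_property(&sample_object, name, &notice);
    return notice;
}

int main(void) {
    /* Known property: value comes back, no notice. */
    printf("width = %ld\n", sample_property_value("width"));
    /* Unknown property: notice on stderr, sentinel value 0, no crash. */
    printf("foobar = %ld (undefined: %d)\n",
           sample_property_value("foobar"),
           sample_property_is_undefined("foobar"));
    /* The raw lookup still returns NULL; only the guarded path is safe. */
    printf("raw lookup NULL: %d\n", lookup_property(&sample_object, "foobar") == NULL);
    return 0;
}
```

The point of the model is the contract between a property handler and the engine: the engine's read helper assumes a non-NULL zval and addrefs it unconditionally, so the handler must map "property not found" to a sentinel plus a notice rather than to a NULL return.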

 [2013-11-14 21:11 UTC] mkoppanen@php.net
Thanks for the report, fixed in git
 [2013-11-14 21:11 UTC] mkoppanen@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: mkoppanen
 [2013-11-14 21:11 UTC] mkoppanen@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


Last updated: Fri May 17 08:01:35 2024 UTC