php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68396 iconv null pointer write with zend_mm
Submitted: 2014-11-11 09:04 UTC Modified: 2016-08-21 04:22 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: mattficken@php.net Assigned: cmb (profile)
Status: No Feedback Package: CGI/CLI related
PHP Version: 5.5.18 OS: Windows
Private report: No CVE-ID: None
 [2014-11-11 09:04 UTC] mattficken@php.net
Description:
------------
Actually PHP Version: 5.5.13 <could be any more recent version>

Event: NULL_CLASS_PTR_WRITE 0xc0000005 in php5.dll
SAPI: php-cgi.exe

OS: Windows 7.0, 8.0, mostly French and Chinese LCIDs


The fact it happens in 5 different threads suggests it may not be fault of iconv ext, instead could be some other threading/mm issue in core providing iconv an invalid pointer which it uses at the the right/wrong time to cause crash.


Stack traces of user-mode application crashes on Windows can (with user consent) be reported to Microsoft (see Windows Error Reporting and Watson). This bug is based on one of those reports.

Note: can request additional information including memory dumps to help investigate this issue further.

Watson #73491156297

Actual result:
--------------
NOTE: `aaaaaaaa` indicates NULL, indicates either stack corruption or some frames missing due to dump -> minidump conversion

Thread 0
01bd84ac aaaaaaaa php5!_zend_mm_free_int+0x2ae [c:\php-sdk\php55\vc11\x86\php-5.5.13\zend\zend_alloc.c @ 2110]
01bd84b0 01000000 0xaaaaaaaa
01bd84b4 aaaaaaaa iconv+0x20000
01bd84b8 aaaaaaaa 0xaaaaaaaa
01bd84bc 00000000 0xaaaaaaaa

Thread 1
01bd84ac aaaaaaaa php5!_zend_mm_free_int+0x2ae [c:\php-sdk\php55\vc11\x86\php-5.5.13\zend\zend_alloc.c @ 2110]
01bd84b0 01000000 0xaaaaaaaa
01bd84b4 aaaaaaaa iconv+0x20000
01bd84b8 aaaaaaaa 0xaaaaaaaa
01bd84bc 00000000 0xaaaaaaaa

Thread 2
01bd84ac aaaaaaaa php5!_zend_mm_free_int+0x2ae [c:\php-sdk\php55\vc11\x86\php-5.5.13\zend\zend_alloc.c @ 2110]
01bd84b0 01000000 0xaaaaaaaa
01bd84b4 aaaaaaaa iconv+0x20000
01bd84b8 aaaaaaaa 0xaaaaaaaa
01bd84bc 00000000 0xaaaaaaaa

Thread 3
01bd84ac aaaaaaaa php5!_zend_mm_free_int+0x2ae [c:\php-sdk\php55\vc11\x86\php-5.5.13\zend\zend_alloc.c @ 2110]
01bd84b0 01000000 0xaaaaaaaa
01bd84b4 aaaaaaaa iconv+0x20000
01bd84b8 aaaaaaaa 0xaaaaaaaa
01bd84bc 00000000 0xaaaaaaaa

Thread 4
01bd84ac aaaaaaaa php5!_zend_mm_free_int+0x2ae [c:\php-sdk\php55\vc11\x86\php-5.5.13\zend\zend_alloc.c @ 2110]
01bd84b0 01000000 0xaaaaaaaa
01bd84b4 aaaaaaaa iconv+0x20000
01bd84b8 aaaaaaaa 0xaaaaaaaa
01bd84bc 00000000 0xaaaaaaaa

Thread 5
01bd84ac aaaaaaaa php5!_zend_mm_free_int+0x2ae [c:\php-sdk\php55\vc11\x86\php-5.5.13\zend\zend_alloc.c @ 2110]
01bd84b0 01000000 0xaaaaaaaa
01bd84b4 aaaaaaaa iconv+0x20000
01bd84b8 aaaaaaaa 0xaaaaaaaa
01bd84bc 00000000 0xaaaaaaaa


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-08 12:22 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2016-08-08 12:22 UTC] cmb@php.net
I'm afraid this issue can't be resolved without a reproduce script
or at the very least a more meaningful stack backtrace. Can you
still get one, Matt?
 [2016-08-21 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 15:01:32 2024 UTC