php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69288 Regression introduced in fix for bug 69085 leads to segmentation fault
Submitted: 2015-03-24 14:24 UTC Modified: 2015-03-25 08:28 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: thomas at shadowweb dot org Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.4.39 OS:
Private report: No CVE-ID: None
 [2015-03-24 14:24 UTC] thomas at shadowweb dot org
Description:
------------
A bug/regression introduced in commit c8eaca013a3922e8383def6158ece2b63f6ec483 (for PHP 5.4) and b3ac3522534a75edb76312cf9a576e4624372123 (Merge to PHP 5.5) leads to reproductible segmentation faults, when using SOAP with PHP versions 5.4.39 and 5.5.23.

I will not include a testscript, since the bug is obvious from the commit:

-               if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS) {
+               if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS &&
+                   Z_TYPE_PP(zname) == IS_STRING) {
                        xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens));
                        xmlSetNs(node, nsp);
                }


"Z_TYPE_PP(zname) == IS_STRING" should be "Z_TYPE_PP(znamens)", the included patch is for PHP 5.4.39.


Patches

regression_bug_69085 (last revision 2015-03-24 14:24 UTC by thomas at shadowweb dot org)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-25 05:38 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2015-03-25 05:38 UTC] laruence@php.net
oh....... I just committed a same fix for #69293, didn't see your report and patch :<

anyway, thanks for the reporting and fix
 [2015-03-25 08:28 UTC] ondrej@php.net
JFTR the crash has not been fixed in PHP-5.4 branch, just in this PHP-5.5 commit:

https://github.com/php/php-src/commit/76c1ec5e96640e3076c105bde2cccfceb7557690
 [2015-04-11 04:35 UTC] tarik at opticempire dot com dot au
How is this one closed as its still evident in 5.4.39
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 23:01:29 2024 UTC