PHP :: Bug #77099 :: PHP crashes with segfault

Bug #77099

PHP crashes with segfault

Submitted:

2018-11-03 14:58 UTC

Modified:

2021-05-28 11:30 UTC

Votes:	3
Avg. Score:	4.3 ± 0.5
Reproduced:	3 of 3 (100.0%)
Same Version:	1 (33.3%)
Same OS:	1 (33.3%)

From:

info at phpgangsta dot de

Assigned:

cmb (profile)

Status:

Not a bug

Package:

Pspell related

PHP Version:

7.2.11

OS:

Ubuntu 18.04

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	info at phpgangsta dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2018-11-03 14:58 UTC] info at phpgangsta dot de

Description:
------------
If I use pspell for spellchecking, it sometimes crashes with a segfault. Every 3-5 times I call the script via Apache, Apache crashes:

[Sat Nov 03 15:36:12.592943 2018] [core:notice] [pid 5264] AH00051: child pid 29189 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Sat Nov 03 15:37:33.689349 2018] [core:notice] [pid 5264] AH00051: child pid 29965 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Sat Nov 03 15:40:12.879852 2018] [core:notice] [pid 5264] AH00051: child pid 30367 exit signal Segmentation fault (11), possible coredump in /etc/apache2

The small script below can reproduce the problem: If you call it from outside via HTTP, it crashes every 3-5 requests:

curl https://url.de/spellchecker.php

See segmentation faults above.

$ php -v
PHP 7.2.11-3+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Oct 25 2018 06:44:08) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.11-3+ubuntu18.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies


It seems to just happen with de_DE. If I change it to en_US, it does not crash. Maybe it has to do with Umlauts oder similar?
Interestingly I'm not able to reproduce it on the command line...

Segmentation fault also happens on Ubuntu 16.04 with PHP 7.1:

$ php -v
PHP 7.1.23-3+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Oct 25 2018 06:43:19) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.1.23-3+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

Test script:
---------------
<?php
$plink = pspell_new('de_DE', "", "", "utf-8", PSPELL_FAST);
pspell_suggest($plink, '___');

Expected result:
----------------
no crash

Actual result:
--------------
crash with segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-08-13 09:33 UTC] ih at vollzeitjobs dot de

I'm experiencing the same, the small testscript crashes every 3-5 times I call it.

Debian 9.9 
ii  php7.3                         7.3.8-1+0~20190807.43+debian9~1.gbp7731bf
ii  php7.3-pspell                  7.3.8-1+0~20190807.43+debian9~1.gbp7731bf 


PHP 7.3.8-1+0~20190807.43+debian9~1.gbp7731bf (cli) (built: Aug  7 2019 19:46:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.8, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.8-1+0~20190807.43+debian9~1.gbp7731bf, Copyright (c) 1999-2018, by Zend Technologies

---

Aug 13 11:30:55 jobs-herford kernel: [353562.678985] traps: php-fpm7.3[8795] general protection ip:7f1fc1622828 sp:7fffa675bfe0 error:0
Aug 13 11:30:57 jobs-herford kernel: [353563.968722] traps: php-fpm7.3[8845] general protection ip:7f1fc16227ec sp:7fffa675bfe0 error:0
Aug 13 11:30:58 jobs-herford kernel: [353565.366368] traps: php-fpm7.3[8801] general protection ip:7f1fc16227ec sp:7fffa675bfe0 error:0
Aug 13 11:31:03 jobs-herford kernel: [353570.736281] traps: php-fpm7.3[8857] general protection ip:7f1fc16227ec sp:7fffa675bfe0 error:0
Aug 13 11:31:05 jobs-herford kernel: [353572.048257] php-fpm7.3[8851]: segfault at 8 ip 00007f1fc1622828 sp 00007fffa675bfe0 error 4 in libaspell.so.15.2.0[7f1fc15a8000+a3000]
Aug 13 11:31:06 jobs-herford kernel: [353573.510952] traps: php-fpm7.3[8842] general protection ip:7f1fc1622828 sp:7fffa675bfe0 error:0

[2019-08-13 09:57 UTC] nikic@php.net

-Status: Open +Status: Verified

[2019-08-13 09:57 UTC] nikic@php.net

Confirming the crash after a couple reloads. Valgrind also produces the following error on a simple run:

==18344== Conditional jump or move depends on uninitialised value(s)
==18344==    at 0x57D5F28: aspeller::AffixMgr::suffix_check(aspeller::LookupInfo const&, acommon::ParmString, acommon::CheckInfo&, aspeller::GuessInfo*, int, aspeller::AffEntry*) const (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57D676A: aspeller::AffixMgr::affix_check(aspeller::LookupInfo const&, acommon::ParmString, acommon::CheckInfo&, aspeller::GuessInfo*) const (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57AF79F: ??? (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57B3965: ??? (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57C2103: aspeller::SpellerImpl::suggest(acommon::MutableString) (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x57EA6CB: aspell_speller_suggest (in /usr/lib/x86_64-linux-gnu/libaspell.so.15.2.0)
==18344==    by 0x713C26: zif_pspell_suggest (pspell.c:536)
==18344==    by 0xA7C44B: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:573)
==18344==    by 0xB0311D: execute_ex (zend_vm_execute.h:59747)
==18344==    by 0xB08529: zend_execute (zend_vm_execute.h:63776)
==18344==    by 0xA179D5: zend_execute_scripts (zend.c:1498)
==18344==    by 0x97B072: php_execute_script (main.c:2599)

This looks like a bug in libaspell to me.

[2021-03-16 18:33 UTC] mason dot malone at gmail dot com

We ran into this too, and I'm pretty sure it's due to the following bug in libaspell: https://github.com/GNUAspell/aspell/issues/496

The fix was released as version 0.60.8. I confirmed that installing that fixes the issue locally, but updating our Debian servers is going to be tricky since that version isn't in Debian stable and hasn't been backported as far as I can tell.

[2021-05-28 11:30 UTC] cmb@php.net

-Status: Verified +Status: Not a bug -Assigned To: +Assigned To: cmb

[2021-05-28 11:30 UTC] cmb@php.net

> This looks like a bug in libaspell to me.

That.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jun 19 07:01:34 2025 UTC