Bug #8746 Crash on comparing GLOBALS Variable
Submitted: 2001-01-16 15:45 UTC Modified: 2001-01-17 16:10 UTC
From: korenhof at planet dot nl Assigned:
Status: Closed Package: Reproducible Crash
PHP Version: 4.0.4pl1 OS: Win 2000 pro
Private report: No CVE-ID:
 [2001-01-16 15:45 UTC] korenhof at planet dot nl
I installed php 4.04 just as is. No settings are changed.

I fill the globals variable with these functions:
-------------
function ReadSettingsFile($filename){
    if (file_exists($filename)){
        $FileContest = file ($filename);
        while (list ($line_num, $line) = each ($FileContest)) {
            $line = ereg_replace("[\n\r]", "", $line);
            list ($name, $value) = split("=", $line);
            if ($name != null && $value != null){
                $GLOBALS[$name] = $value;
            }
        }
    }
}
///////////////////////////////////////////////////////////////////////////////////////////////////
function ReadSetFile($filename){
    if (file_exists($filename)){
        $FileContest = split("\n", pack("H*", join("", file ('./'. $filename))));
        while (list ($line_num, $line) = each ($FileContest)) {
            $line = ereg_replace("[\n\r]", "", $line);
            list ($name, $value) = split("=", $line);
            if ($name != null && $value != null){
                $GLOBALS[$name] = $value;
            }
        }
    }
}

-------------
When I run this piece of script later in the program, the program terminates:
-------------

while(ereg ("%%([^%\/]*)%%", $workingtemplate, $name)){
    if ($tempinput{$name[1]} != null){
        $workingtemplate = ereg_replace("%%$name[1]%%", $tempinput{$name[1]}, $workingtemplate);
    }elseif($HTTP_ENV_VARS{$name[1]} != null){
        $workingtemplate = ereg_replace("%%$name[1]%%", $HTTP_ENV_VARS{$name[1]}, $workingtemplate);
    }elseif($GLOBALS[$name[1]] != null){
        $workingtemplate = ereg_replace("%%$name[1]%%", $GLOBALS[$name[1]], $workingtemplate);
    }else{
        $workingtemplate = ereg_replace("%%$name[1]%%", "", $workingtemplate);
    }
}

-------------
When I comment out these lines, the script won't crash:

//}elseif($GLOBALS[$name[1]] != null){
//$workingtemplate = ereg_replace("%%$name[1]%%", $GLOBALS[$name[1]], $workingtemplate);


-------------
It seems like the global variable is too big or something like that. But when I don't fill the variables at the top, the program still terminates. Then I get a Dr. Watson-like error, but the Win 2000 way. I also use MySQL. Closing MySQL didn't help either. Restarting didn't help either.

If there are any questions please let me know.

thx,

Sebas



 [2001-01-17 14:30 UTC] korenhof at planet dot nl
DR WATSON DUMP:
---------------

Toepassingsuitzondering:
        Toep:  (PID=2004)
        Tijd: 16-01-2001 @ 22:00:18.053
        Uitzonderingsnummer: c0000005 (schending van toegang)

*----> Systeemgegevens <----*
        Computernaam: SEKONT
        Gebruikersnaam: Administrator
        Aantal processors: 1
        Processortype: x86 Family 6 Model 8 Stepping 3
        Windows 2000-versie: 5.0
        Actieve gecompileerde versie: 2195
        Service Pack: 1
        Huidig type: Uniprocessor Free
        Geregistreerde organisatie: 
        Geregistreerde eigenaar: Sebastiaan Korenhof

Statusdump voor subproces-ID 0x684

eax=00793d98 ebx=00000000 ecx=00793b30 edx=00793b30 esi=00793d98 edi=00000000
eip=1008d02b esp=0012feac ebp=0012ff4c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206


functie: virtual_fopen
        1008d010 a198c90e10                                      ds:100ec998=00000002
                                  mov     eax,[php_ini_path+0x718 (100ec998)]
        1008d015 83ec08           sub     esp,0x8
        1008d018 53               push    ebx
        1008d019 56               push    esi
        1008d01a 6a00             push    0x0
        1008d01c 50               push    eax
        1008d01d e82ec8ffff       call    ts_resource_ex (10089850)
        1008d022 8b5c241c         mov     ebx,[esp+0x1c]         ss:00bcd483=????????
        1008d026 8bf0             mov     esi,eax
        1008d028 83c408           add     esp,0x8
Fout ->1008d02b 803b00           cmp     byte ptr [ebx],0x0           ds:00000000=??
        1008d02e 7508             jnz     do_bind_function_or_class+0xa78 (10092e38)
        1008d030 5e               pop     esi
        1008d031 33c0             xor     eax,eax
        1008d033 5b               pop     ebx
        1008d034 83c408           add     esp,0x8
        1008d037 c3               ret
        1008d038 8b4e04           mov     ecx,[esi+0x4]          ds:0123136e=????????
        1008d03b 57               push    edi
        1008d03c 894c2410         mov     [esp+0x10],ecx         ss:00bcd483=????????
        1008d040 8b5604           mov     edx,[esi+0x4]          ds:0123136e=????????
        1008d043 42               inc     edx

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0012FF4C 004020BB 00000001 00793AD8 007929E8 00404000 !virtual_fopen 
0012FFC0 77E992A6 00000000 00000000 7FFDF000 C0000005 !<nosymbols> 
0012FFF0 00000000 00401FD8 00000000 000000C8 00000100 kernel32!GetCommandLineW 

Statusdump voor subproces-ID 0x770

eax=00470650 ebx=00000000 ecx=002f3d68 edx=00000000 esi=00ebff68 edi=77e1844a
eip=77e148fc esp=00ebff24 ebp=00ebff44 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246


functie: PtInRect
        77e148d6 ff750c           push    dword ptr [ebp+0xc]    ss:0195d51a=????????
        77e148d9 ff5508           call    dword ptr [ebp+0x8]    ss:0195d51a=????????
        77e148dc 817c2404cdabbadc                                ss:0195d4fb=????????
                                  cmp     dword ptr [esp+0x4],0xdcbaabcd
        77e148e4 0f85c8690300     jne     SetClassLongW+0x556 (77e4b2b2)
        77e148ea 83c408           add     esp,0x8
        77e148ed 5d               pop     ebp
        77e148ee c21400           ret     0x14
        77e148f1 b89a110000       mov     eax,0x119a
        77e148f6 8d542404         lea     edx,[esp+0x4]          ss:0195d4fb=????????
        77e148fa cd2e             int     2e
        77e148fc c21000           ret     0x10
        77e148ff b8cb110000       mov     eax,0x11cb
        77e14904 8d542404         lea     edx,[esp+0x4]          ss:0195d4fb=????????
        77e14908 cd2e             int     2e
        77e1490a c21000           ret     0x10

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
00EBFF44 1008F035 00EBFF68 00000000 00000000 00000000 user32!PtInRect 
00EBFFB4 77E837CD 00CDEA10 00790178 00CDCE00 00CDEA10 !zend_timeout 
00EBFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!TlsSetValue 
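
Reading the fault line of the Dr. Watson dump above, as an added example (not part of the original report and not PHP's own code): the script parses the register line and the `Fout ->` line and resolves the memory operand, which shows the access violation in `virtual_fopen` is a read through a NULL pointer. The function names and the 64 KiB threshold are assumptions of this example; the sample lines are copied from the dump.

```python
import re

# Sample input: register, function and fault lines copied from the dump above.
SAMPLE = """\
eax=00793d98 ebx=00000000 ecx=00793b30 edx=00793b30 esi=00793d98 edi=00000000
eip=1008d02b esp=0012feac ebp=0012ff4c iopl=0         nv up ei pl nz na po nc
functie: virtual_fopen
        1008d028 83c408           add     esp,0x8
Fout ->1008d02b 803b00           cmp     byte ptr [ebx],0x0           ds:00000000=??
"""

# Assumption: the lowest 64 KiB of a Win32 user address space is a no-access
# region, so any access below this limit is treated as a NULL dereference.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", re.I)
# English Dr. Watson logs mark the line "FAULT ->"; this Dutch one uses "Fout ->".
FAULT_RE = re.compile(
    r"^\s*(?:FAULT|Fout)\s*->\s*([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*)$",
    re.I | re.M)
FUNC_RE = re.compile(r"^(?:function|functie):\s*(\S+)", re.I | re.M)


def effective_address(expr, regs):
    """Evaluate 'reg', 'reg+0x..' or 'reg-0x..'; None for anything else."""
    total = 0
    for sign, term in re.findall(r"([+-]?)\s*([0-9a-zA-Z]+)", expr):
        if term.lower() in regs:
            value = regs[term.lower()]
        elif term.lower().startswith("0x"):
            value = int(term, 16)
        else:
            return None  # scaled index etc. is not handled here
        total += -value if sign == "-" else value
    return total & 0xFFFFFFFF


def triage(thread_dump):
    """Classify one thread's state dump (pass only the faulting thread)."""
    regs = {n.lower(): int(v, 16) for n, v in REG_RE.findall(thread_dump)}
    fault = FAULT_RE.search(thread_dump)
    if fault is None:
        return None
    func = FUNC_RE.search(thread_dump)
    mem = re.search(r"\[([^\]]+)\]", fault.group(3))
    addr = effective_address(mem.group(1), regs) if mem else None
    return {
        "function": func.group(1) if func else None,
        "eip": int(fault.group(1), 16),
        "instruction": fault.group(2),
        "address": addr,
        "null_deref": addr is not None and addr < NULL_PAGE_LIMIT,
    }
```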
 [2001-01-17 16:10 UTC] korenhof at planet dot nl
Problem solved:
I used a variable SCRIPT_NAME in a global form. Then I printed
SCRIPT_NAME?blabla

The program terminated because it calls:
\php4\php.exe?blabla


 