This happens for me too with today's CVS and the latest CVS of mcrypt.

Backtrace says:

#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
3152    malloc.c: No such file or directory.
(gdb) bt
#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
#1  0x402c8828 in __libc_free (mem=0x81f7f08) at malloc.c:3054
#2  0x400a650d in mcrypt_module_close (td=0x81f7f08) at mcrypt_modules.c:48
#3  0x807c1e7 in php_mcrypt_do_crypt (cipher=0x81f7e94 "rijndael-256", key=0x81f2118, data=0x81f211c, 
    mode=0x818174c "cbc", iv=0x81f2124, argc=5, dencrypt=0, return_value=0x81f7ef4) at mcrypt.c:1317
#4  0x807c576 in php_if_mcrypt_encrypt (ht=5, return_value=0x81f7ef4, this_ptr=0x0, return_value_used=1)
    at mcrypt.c:1334
#5  0x81228e6 in execute (op_array=0x81f37dc) at ./zend_execute.c:1494
#6  0x80f3fcd in zend_execute_scripts (type=8, file_count=3) at zend.c:743
#7  0x8069c8f in php_execute_script (primary_file=0xbffffa60) at main.c:1196
#8  0x8067fa4 in main (argc=2, argv=0xbffffb04) at cgi_main.c:731
#9  0x4026ab5c in __libc_start_main (main=0x8067830 <main>, argc=2, ubp_av=0xbffffb04, init=0x8064b8c <_init>, 
    fini=0x81362ec <_fini>, rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffffafc)
    at ../sysdeps/generic/libc-start.c:129

Assigning it to the expert ... :)

Actually, the script only seems to dump core if I do:

    echo bin2hex($output);

after the encryption.  Just a simple:

    echo $output;

seems to work just fine (i.e. it outputs stuff).

- Colin

Crashes for me too, possibly a bug in mcrypt it self. Trying more things...

I think I've found the problem (and the solution).

Let's look at some functions found in mcrypt first...

File: mcrypt_modules.c

int mcrypt_module_close(MCRYPT td)
{

	lt_dlclose(td->algorithm_handle);
	lt_dlclose(td->mode_handle);
	lt_dlexit();

	td->algorithm_handle = NULL;
	td->mode_handle = NULL;

	td->m_encrypt = NULL;
	td->a_encrypt = NULL;
	td->a_decrypt = NULL;
	td->m_decrypt = NULL;

	free(td);
	
	return 0;
}

File: mcrypt.c

int mcrypt_generic_end(const MCRYPT td)
{
	internal_end_mcrypt(td);
	mcrypt_module_close(td);
	return 0;
}

The crash occurs when the call free(td) is made in mcrypt_module_close(MCRYPT td)

Notice that mcrypt_generic_end(const MCRYPT td) calls mcrypt_module_close(MCRYPT td) in the end.

Let's look at the mcrypt.c file from PHP (NOT the same one as above). It has a function called

php_mcrypt_do_crypt(char* cipher, zval **key, zval **data, char *mode, zval **iv, int argc, int dencrypt, zval* return_value)

At the end of the function, we find the following:

/* freeing vars */
	mcrypt_generic_end (td);
	if (key_s != NULL)
		efree (key_s);
	if (iv_s != NULL)
		efree (iv_s);
	efree (data_s);
        mcrypt_module_close (td);
}

The crash occurs when the final mcrypt_module_close is called.

The reason is that the call to mcrypt_generic_end (td) also calls mcrypt_module_close(td) that again calls free (td). When we later call mcrypt_module_close (td) we try to free td again, and that sometimes gives us a segmentation fault.

The solution is simply to delete the last line in the php_mcrypt_do_crypt function (mcrypt_module_close (td);) found in mcrypt.c. This is ok, since we have already freed td in the call to mcrypt_generic_end (td) a few lines above.

That solved the problems for me. Finally no more crashes :)

Hello,

looks all ok. I'll check it out, and apply the patch (if ok) so that it will be fixed in PHP 4.0.6

Derick

Ok, this was indeed the problem. Thanks for this excellent help!

Derick