PHP :: Bug #27135 :: segfault in zend_execute.c
- ️Tue Feb 03 2004
| Bug #27135 | segfault in zend_execute.c | |||
|---|---|---|---|---|
| Submitted: | 2004-02-03 11:32 UTC | Modified: | 2004-02-05 21:23 UTC | |
| From: | jan at horde dot org | Assigned: | moriyoshi (profile) | |
| Status: | Closed | Package: | mbstring related | |
| PHP Version: | 4CVS-2004-02-03 (stable) | OS: | Linux | |
| Private report: | No | CVE-ID: | None |
[2004-02-03 11:32 UTC] jan at horde dot org
Description:
------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28753)]
0x4067a064 in execute (op_array=0x878137c)
at /home/jan/cvs/php43/Zend/zend_execute.c:1258
1258 if (ARG_SHOULD_BE_SENT_BY_REF(EX(opline)
backtrace:
#0 0x4067a064 in execute (op_array=0x878137c)
at /home/jan/cvs/php43/Zend/zend_execute.c:1258
#1 0x4067c063 in execute (op_array=0x8785b0c)
at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#2 0x4067c063 in execute (op_array=0x85c52e4)
at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#3 0x4067c063 in execute (op_array=0x816b2bc)
at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#4 0x4067c063 in execute (op_array=0x8647dfc)
at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#5 0x4067c063 in execute (op_array=0x8647c24)
at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#6 0x4067c063 in execute (op_array=0x8647b34)
at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#7 0x4067c063 in execute (op_array=0x816814c)
at /home/jan/cvs/php43/Zend/zend_execute.c:1660
#8 0x4066a7fa in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/jan/cvs/php43/Zend/zend.c:884
#9 0x40633178 in php_execute_script (primary_file=0xbfffee60)
at /home/jan/cvs/php43/main/main.c:1727
#10 0x40680f04 in apache_php_module_main (r=0x815cfd8, display_source_mode=0)
at /home/jan/cvs/php43/sapi/apache/sapi_apache.c:54
#11 0x40681eb9 in send_php (r=0x815cfd8, display_source_mode=0,
---Type <return> to continue, or q <return> to quit---
filename=0x815edb8 "/home/jan/headhorde//imp/message.php")
at /home/jan/cvs/php43/sapi/apache/mod_php4.c:620
#12 0x40681f3f in send_parsed_php (r=0x815cfd8)
at /home/jan/cvs/php43/sapi/apache/mod_php4.c:635
#13 0x080557a7 in ap_invoke_handler ()
#14 0x0806aaf0 in process_request_internal ()
#15 0x0806ad81 in ap_process_request ()
#16 0x08062762 in child_main ()
#17 0x0806290a in make_child ()
#18 0x08062a46 in startup_children ()
#19 0x080634eb in standalone_main ()
#20 0x08063ca6 in main ()
Matching Apache log entry:
[Tue Feb 3 17:37:39 2004] Script: '/home/jan/headhorde//imp/message.php'
---------------------------------------
/home/jan/cvs/php43/ext/mbstring/mbstring.c(329) : Block 0x0877ADF8 status:
Beginning: OK (allocated on /home/jan/cvs/php43/ext/mbstring/mbstring.c:314
, 17 bytes)
End: Overflown (magic=0xC3592234 instead of 0x2A8FCC84)
At least 4 bytes overflown
---------------------------------------
No reproduce code at the moment.
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commitsRelated reports
[2004-02-03 12:11 UTC] jan at horde dot org
Get this text file: http://www.horde.org/~jan/message.txt and pass its contents as $text to: mb_strlen($text, 'us-ascii') Given, this is no us-ascii string, but it still shouldn't segfault. ;-)
[2004-02-03 12:16 UTC] sniper@php.net
Dunno if this should go to Rui or what..? :)
[2004-02-04 21:30 UTC] iliaa@php.net
I've tried to replicate the crash using the latest CVS of
PHP 4.2.3 but it does not crash and valgrind does not show
any possible overflows or corruptions that could cause it.
That said Moriyoshi, who is currently away sent me the
following patch that may solve the problem. Try it, maybe
it'll address the problem for you.
Index: ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
===================================================================
RCS
file: /repository/php-src/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c,v
retrieving revision 1.3.2.2
diff -u -r1.3.2.2 mbfilter_htmlent.c
--- ext/mbstring/libmbfl/filters/mbfilter_htmlent.c 10
Dec 2003 17:10:05 -0000 1.3.2.2
+++ ext/mbstring/libmbfl/filters/mbfilter_htmlent.c 4
Feb 2004 06:27:23 -0000
@@ -67,7 +67,7 @@
const mbfl_encoding mbfl_encoding_html_ent = {
mbfl_no_encoding_html_ent,
"HTML-ENTITIES",
- "US-ASCII",
+ "HTML-ENTITIES",
(const char *(*)[])&mbfl_encoding_html_ent_aliases,
NULL, /* mblen_table_html, Do not use table instead
calulate length based on entities actually used */
MBFL_ENCTYPE_HTML_ENT
[2004-02-05 21:23 UTC] iliaa@php.net
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better.