From:             jeff dot orrok at reedbusiness dot com
Operating system: windows xp sp2
PHP version:      5.2.4
PHP Bug Type:     Reproducible crash
Bug description:  stack overflow in php5ts.dll

Description:
------------
Invoking a non-existent method on a SOAP service crashes Apache.  Although
PEAR's SOAP module is involved in the problem, I thought y'all should know
about it in case there was something you could do to make your code more
robust.

C:\wamp\logs\apache_error.log:
[Tue Oct 30 11:58:42 2007] [notice] Parent: child process exited with
status 3221225477 -- Restarting.

Analysis Summary from Debug Diagnostic Tool:
In
httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
the assembly instruction at php5ts!xbuf_format_converter+5b in
C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack
overflow exception (0xC00000FD) when trying to write to memory location
0x01b82ffc on thread 15



Reproduce code:
---------------
This is merely to demonstrate what I'm doing.  I was hoping it might be
reproducible with any kind of "hello world" service.  I am behind on my
deadline and need to get caught up before I can spend a lot of time on
this.  I will try to pare down the amount of code to the smallest necessary
to reproduce, if it turns out to be a very specific circumstance.

require_once ('SOAP/Client.php'); // pear soap-0.11.0
define('RBI_COMMON_AUTH_WS_URL', 'http://localhost/WebServices/AuthenticationWS/service.php?wsdl');
define('RBICA_APP', 'BLOG');
define('RBICA_APP_TOKEN_ID', 'PERM_BLOG');
$wsdl_ca = new SOAP_WSDL(RBI_COMMON_AUTH_WS_URL, array('timeout' => 30));
$client_ca = $wsdl_ca->getProxy();
$wpUserId = $login->ID;
// GetMasterID happens to not exist in the current version of the service.
$result = $client_ca->GetMasterID(RBICA_APP_TOKEN_ID, RBICA_APP, (integer)$wpUserId);


Expected result:
----------------
(be automatically logged in to WordPress via our in-house common
authentication service)

Actual result:
--------------
Report for
httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
Type of Analysis Performed   Crash Analysis 
Machine Name   HRAORROCKJ1D 
Operating System   Windows XP Service Pack 2 
Number Of Processors   2 
Process ID   5256 
Process Image   C:\wamp\Apache2\bin\httpd.exe 
System Up-Time   10 day(s) 08:39:57 
Process Up-Time   00:03:23 

Thread 15 - System ID 784
Entry point   msvcrt!_endthreadex+3a 
Create time   10/29/2007 7:02:35 PM 
Time spent in user mode   0 Days 0:0:0.500 
Time spent in kernel mode   0 Days 0:0:0.62 

Function     Arg 1     Arg 2     Arg 3     Source
php5ts!xbuf_format_converter+5b     01b83280     00a359ac     01b8332c
php5ts!vspprintf+29     01b832b8     00000400     00a359ac
php5ts!php_error_cb+3a     00000800     07da1180     0000015f
php5ts!zend_error+43e     00000800     00a359ac     0079ca49
php5ts!zif_is_a+f     00000002     08f9a0f0     00000000
php5ts!zend_do_fcall_common_helper_SPEC+7d9     01b833b8     05cab000     07dd7fd8
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5     00000000     05cab000     08f96944
php5ts!execute+1c5     07d95490     05cab000     05cab000
php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b83460     05cab000     0079c1e5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b83460     05cab000     08f94b84
php5ts!execute+1c5     07dcf3e8     05cab000     05cab000

... followed by hundreds of lines similar to the following:

php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b835b0     05cab000     0079c1e5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b835b0     05cab000     08f8ea8c
php5ts!execute+1c5     07dcf3e8     05cab000     05cab000

... followed by:

php5ts!zend_do_fcall_common_helper_SPEC+8f8     01bbfbb0     05cab000     0079c1e5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01bbfbb0     05cab000     05cab000
php5ts!execute+1c5     07d7e2e0     05cab000     00000000
php5ts!zend_execute_scripts+107     00000008     05cab000     00000000
php5ts!php_execute_script+20d     01bbfea0     05cab000     00000005
php5apache2_2!php_handler+5cd     05d40e70     0074c4c0     05d40e70
libhttpd!ap_run_handler+21     05d40e70     05d40e70     05d40e70
libhttpd!ap_invoke_handler+ae     00000000     05d3e128     01bbff38
libhttpd!ap_die+24e     05d40e70     00000000     0068e510
libhttpd!ap_get_request_note+1c6c     05d3e128     05d3e128     05d3e128
libhttpd!ap_run_process_connection+21     05d3e128     00716300     01bbff80
libhttpd!ap_process_connection+33     05d3e128     05cb9050     00000000
libhttpd!ap_regkey_value_remove+c0c     05d3e120     00000000     00e10050
msvcrt!_endthreadex+a9     01018b08     00000000     00e10050
kernel32!BaseThreadStart+37     77c3a341     01018b08     00000000

PHP5TS!XBUF_FORMAT_CONVERTER+5B
In
httpd__PID__5256__Date__10_29_2007__Time_07_05_58PM__48__Second_Chance_Exception_C00000FD.dmp
the assembly instruction at php5ts!xbuf_format_converter+5b in
C:\wamp\Apache2\bin\php5ts.dll from The PHP Group has caused a stack
overflow exception (0xC00000FD) when trying to write to memory location
0x01b82ffc on thread 15

Module Information 
Image Name: C:\wamp\Apache2\bin\php5ts.dll   Symbol Type:  PDB 
Base address: 0x00780000   Time Stamp:  Thu Aug 30 05:06:12 2007  
Checksum: 0x00000000   Comments:   
COM DLL: False   Company Name:  The PHP Group 
ISAPIExtension: False   File Description:  PHP Script Interpreter 
ISAPIFilter: False   File Version:  5.2.4.4 
Managed DLL: False   Internal Name:  php5ts.dll 
VB DLL: False   Legal Copyright:  Copyright © 1997-2007 The PHP Group 
Loaded Image Name:  php5ts.dll   Legal Trademarks:  PHP 
Mapped Image Name:  C:\wamp\Apache2\bin\php5ts.dll   Original filename:  php5ts.dll 
Module name:  php5ts   Private Build:   
Single Threaded:  False   Product Name:  PHP Script Interpreter 
Module Size:  4.86 MBytes   Product Version:  5.2.4 
Symbol File Name:  C:\xampp\php\debug\php5ts.pdb   Special Build:   


-- 
Edit bug report at http://bugs.php.net/?id=43150&edit=1
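
Added example (not part of the original report, and not code from PHP, PEAR or the Debug Diagnostic Tool): a Python triage helper that decodes the Apache child exit status and finds the repeating frame sequence in a stack listing like the one in the report. The function names and the shortened sample trace are constructed for illustration.

```python
import re

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC00000FD: "STATUS_STACK_OVERFLOW"}
FRAME = re.compile(r"^(\w+!\w+\+[0-9a-f]+)", re.MULTILINE)

# Constructed sample: frames copied from the report above, third argument wrapped
# as in the e-mail, with the repeating triple written 3 times instead of hundreds.
HEAD = """php5ts!zend_error+43e     00000800     00a359ac     0079ca49
php5ts!zif_is_a+f     00000002     08f9a0f0     00000000
php5ts!zend_do_fcall_common_helper_SPEC+7d9     01b833b8     05cab000
07dd7fd8
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5     00000000     05cab000
08f96944
php5ts!execute+1c5     07d95490     05cab000     05cab000
"""
CYCLE = """php5ts!zend_do_fcall_common_helper_SPEC+8f8     01b835b0     05cab000
0079c1e5
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     01b835b0     05cab000
08f8ea8c
php5ts!execute+1c5     07dcf3e8     05cab000     05cab000
"""
TAIL = "php5ts!zend_execute_scripts+107     00000008     05cab000     00000000\n"
SAMPLE = HEAD + CYCLE * 3 + TAIL

def decode_exit_status(status):
    """Apache logs the child exit status in decimal; return (hex, NTSTATUS name)."""
    code = status & 0xFFFFFFFF
    return "0x%08X" % code, NTSTATUS.get(code, "unknown")

def parse_frames(report):
    """Return 'module!symbol+offset' per frame; wrapped argument lines are skipped."""
    return FRAME.findall(report)

def find_recursion(frames, max_period=8):
    """Longest run of a repeating frame sequence as (start, period, repeats), or None."""
    best = None
    for period in range(1, max_period + 1):
        for start in range(len(frames) - 2 * period + 1):
            unit = frames[start:start + period]
            repeats = 1
            while frames[start + repeats * period:start + (repeats + 1) * period] == unit:
                repeats += 1
            if repeats > 1 and (best is None or repeats * period > best[1] * best[2]):
                best = (start, period, repeats)
    return best

if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    start, period, repeats = find_recursion(frames)
    print(decode_exit_status(3221225477), frames[start:start + period], "x", repeats)
```

For the logged status 3221225477 this gives 0xC0000005 (access violation), while the dump records 0xC00000FD (stack overflow); a long run of one short frame cycle is the usual signature of unbounded recursion in the script being executed.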