From: basant dot kukreja at sun dot com
Operating system: Solaris 10
PHP version: 5.2.6
PHP Bug Type: Reproducible crash
Bug description: PHP crashes when using auto_prepend_file (out-of-scope stack address use).
Description:
------------
Stack pointer &execute_data.opline (&EG(opline)) is used beyond its scope and hence crashes PHP with auto_prepend_file.

I wrote a small test plugin, test.c, and then loaded the plugin into PHP using php.ini extension=test.so

$ ./sapi/cli/php -d "auto_prepend_file=inc.inc" -d "include_path=/opt2/coolstackbld/svn/CoolStackDev/src/php5/php-5.2.6/tests/lang" -f /tmp/test.php
Included!
Segmentation Fault (core dumped)

Reproduce code:
---------------
Test plugin location (skydrive): http://yqaghq.blu.livefilestore.com/y1phzvjT69U9PiUNjW9NjakZZ5It3VOAEhADJusnkoorLiwGfeVlK6zTz-8AprvloPplXlNkaHUYD9sS9idFWZhcg/test.c?download

Expected result:
----------------
Normal behaviour

Actual result:
--------------
php crashes

$ pstack core
core 'core' of 23827: ./sapi/cli/php -d auto_prepend_file=inc.inc -d include_path=/opt2/cool
 003b8e4c zend_get_executed_lineno (5be8a0, 5897c, ffe39448, 55570c, ff1531c0, 57400) + 3c
 003d9f78 zend_execute_scripts (8, 0, 3, 1, 2, 5763c) + 11c
 0032d9bc php_execute_script (ffffffff, ffbff2cd, 5be3e0, ffbfefe0, 0, 5ae3a0) + 2b0
 0048e5e4 main (10000, 5addc8, 2d, 2f, 48cac0, 1ac0) + 1ae4
 000a8f28 _start (0, 0, 0, 0, 0, 0) + 108

Debugger showed that it was crashing in line 394 of zend_execute_API.c:

391 ZEND_API uint zend_get_executed_lineno(TSRMLS_D)
392 {
393     if (EG(opline_ptr)) {
394         return active_opline->lineno;

EG(opline_ptr) points to an arbitrary value (a pointer value in the stack) and it crashes in active_opline->lineno. active_opline->lineno is *EG(opline_ptr).

We found this issue when PHP was crashing while the dtrace plugin was loaded:

$ ./sapi/cli/php -d "auto_prepend_file=inc.inc" -d "include_path=/opt2/coolstackbld/svn/CoolStackDev/src/php5/php-5.2.6/tests/lang" -f /tmp/test.php

To simplify things, I wrote my test plugin and reproduced the crash.
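The following C program is an added illustration of the bug class in this report, not code from the reporter or from the PHP engine: a global that publishes the address of a stack local (the role EG(opline_ptr) plays for execute_data.opline) is left set after the frame returns, so a later reader such as zend_get_executed_lineno() dereferences a dead frame. The names opline_t, g_opline_ptr, execute_buggy and execute_fixed are constructed stand-ins; the fixed variant shows the save-and-restore discipline that keeps the NULL check meaningful.

```c
#include <stdio.h>

/* Constructed stand-ins for the engine state in this report: opline_t and
 * g_opline_ptr play the roles of zend_op and EG(opline_ptr); they are not
 * PHP's own code. */
typedef struct { int lineno; } opline_t;
static opline_t **g_opline_ptr = NULL;          /* like EG(opline_ptr) */

/* Buggy pattern: the address of a stack local (execute_data.opline) is
 * published through the global and never cleared, so after return the
 * global points into a dead stack frame. */
static int execute_buggy(int lineno)
{
    opline_t op = { lineno };
    opline_t *cur = &op;                        /* plays execute_data.opline */
    g_opline_ptr = &cur;                        /* escapes the frame, never undone */
    return (*g_opline_ptr)->lineno;             /* fine here: frame still live */
}

/* Hardened pattern: save the caller's value and restore it before every
 * return, so the global never outlives the frame it points into. */
static int execute_fixed(int lineno)
{
    opline_t op = { lineno };
    opline_t *cur = &op;
    opline_t **saved = g_opline_ptr;
    int result = 0;
    g_opline_ptr = &cur;
    result = (*g_opline_ptr)->lineno;
    g_opline_ptr = saved;                       /* restore before frame dies */
    return result;
}

/* Mirrors zend_get_executed_lineno(): the NULL check only protects callers
 * if every publisher of g_opline_ptr also clears it on exit. */
static int get_executed_lineno(void)
{
    return g_opline_ptr ? (*g_opline_ptr)->lineno : 0;
}

/* Harness helpers: inspect/reset without dereferencing a stale pointer. */
static int opline_ptr_is_set(void) { return g_opline_ptr != NULL; }
static void reset_opline_ptr(void) { g_opline_ptr = NULL; }
int main(void)
{
    int n = execute_fixed(42);
    printf("fixed: line %d, ptr set after return: %d\n", n, opline_ptr_is_set());
    n = execute_buggy(7);
    printf("buggy: line %d, ptr set after return: %d\n", n, opline_ptr_is_set());
    return 0;   /* calling get_executed_lineno() now would read a dead frame */
}
```

Running under AddressSanitizer with detect_stack_use_after_return enabled is the quickest way to catch the buggy variant in a real engine build, since the dangling read is otherwise only visible when the dead frame happens to hold garbage.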
-- Edit bug report at http://bugs.php.net/?id=45751&edit=1 --