From: a dot boykov at timeweb dot ru
Operating system: Gentoo Linux 2008.0
PHP version: 5.2.8
PHP Bug Type: Unknown/Other Function
Bug description: Memory corruption bug in extract()
Description:
------------
In function extract() the length of a string key is not always determined correctly. Sometimes it is calculated incorrectly, and any subsequent operation on this string leads to memory corruption. Here is an example that was obtained while debugging.

name: bDescPageNumbering, len: 6276448
[Fri Jan 30 21:18:08 2009] [notice] child pid 19801 exit signal Segmentation fault (11)

We used this patch to fix the problem:

--- php-5.2.8/ext/standard/array.c 2009-01-30 21:23:25.000000000 +0300
+++ php-5.2.8/ext/standard/array.c 2009-01-30 21:24:35.000000000 +0300
@@ -1397,6 +1397,9 @@ key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(var_array), &var_name, &var_name_len, &num_key, 0, &pos); var_exists = 0; + if (key_type == HASH_KEY_IS_STRING) + var_name_len = strlen(var_name); + if (key_type == HASH_KEY_IS_STRING) { var_name_len--; var_exists = zend_hash_exists(EG(active_symbol_table), var_name, var_name_len + 1);

With this patch everything works well, but I think it does not rule out the source of the problem.

name: bDescPageNumbering, len: 18

-- Edit bug report at http://bugs.php.net/?id=47252&edit=1
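Review bot: the `var_name_len = strlen(var_name);` override in this hunk is off by one against the `var_name_len--;` and `zend_hash_exists(EG(active_symbol_table), var_name, var_name_len + 1)` lines that follow it: the existing decrement is there because the length returned by zend_hash_get_current_key_ex() counts the terminating NUL, whereas strlen() does not, so after the patch the symbol-table lookup is passed a length one short of what the engine expects and an existing variable of the same name may not be found. The two adjacent `if (key_type == HASH_KEY_IS_STRING)` tests should also be folded into the one block that already exists. More importantly, as the reporter says, a length of 6276448 for an 18-character key means the bucket is already corrupted before extract() reads it; recomputing the length hides the symptom rather than fixing whatever writes the bad length, and strlen() on a key that is no longer NUL-terminated would itself read out of bounds, so a backtrace of where var_name_len gets corrupted is needed before this can be accepted.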