ID:               49424
 Updated by:       [email protected]
 Reported By:      jaroslav dot pulchart at centrum dot cz
-Status:           Assigned
+Status:           Closed
 Bug Type:         LDAP related
 Operating System: *
 PHP Version:      5.2.10
 Assigned To:      patrickallaert
 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

This is the same as #48696; however, it has been fixed for PHP 5.3/6, not
for 5.2.

This is fixed right now.


Previous Comments:
------------------------------------------------------------------------

[2009-09-01 08:42:11] [email protected]

Automatic comment from SVN on behalf of patrickallaert
Revision: http://svn.php.net/viewvc/?view=revision&revision=287936
Log: Fixing #49424 (#48696): segfault while using ldap_search(),
ldap_read(),...

------------------------------------------------------------------------

[2009-08-31 18:51:38] [email protected]

Who breaks should fix. :)

------------------------------------------------------------------------

[2009-08-31 15:53:01] jaroslav dot pulchart at centrum dot cz

Description:
------------
The fix for 48441 in PHP 5.2.10 (http://bugs.php.net/bug.php?id=48441)
restores the previous LDAP options, but it doesn't test whether the LDAP
link pointer is NULL. This issue segfaults the Apache/PHP process.

Reproduce code:
---------------
ext/ldap/ldap.c
...
ld = (ldap_linkdata *) zend_fetch_resource(link TSRMLS_CC, -1, "ldap link",
                                           NULL, 1, le_link);
if (ld == NULL) {
        ret = 0;
        goto cleanup;     /* "ld" is NULL !!!!!! */
}
...
cleanup:
        // Restoring previous options
        php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit,
                     old_ldap_deref, &ldap_sizelimit, &ldap_timelimit,
                     &ldap_deref);   /* set options on ld == NULL !!!!!!! */
...

Expected result:
----------------
No segfault ;)


cleanup:
        if (ld != NULL) {
                // Restoring previous options
                php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit,
                             old_ldap_deref, &ldap_sizelimit, &ldap_timelimit,
                             &ldap_deref);
        }


Actual result:
--------------
#0  0x0000002a9a546437 in php_ldap_do_search (ht=7,
return_value=0x2a9d41bda0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, scope=2)
at ./php-5.2.10/ext/ldap/ldap.c:909
909             php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit,
old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref);
(gdb) bt full
#0  0x0000002a9a546437 in php_ldap_do_search (ht=7,
return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0,
return_value_used=1, scope=2)
    at ./php-5.2.10/ext/ldap/ldap.c:907
        link = (zval **) 0x2a997fd500
        base_dn = (zval **) 0x2a997fd508
        filter = (zval **) 0x2a997fd510
        attrs = (zval **) 0x2a997fd518
        attr = (zval **) 0x34
        attrsonly = (zval **) 0x2a997fd520
        sizelimit = (zval **) 0x2a997fd528
        timelimit = (zval **) 0x2a997fd530
        deref = (zval **) 0x2a98fb475d
        ldap_base_dn = 0x0
        ldap_filter = 0x2a9d41be10 "Array"
        ldap_attrs = (char **) 0x2a9d41bb88
        ld = (ldap_linkdata *) 0x0
        ldap_res = (LDAPMessage *) 0x8
        ldap_attrsonly = 0
        ldap_sizelimit = 0
        ldap_timelimit = 0
        ldap_deref = -1
        old_ldap_sizelimit = -1
        old_ldap_timelimit = -1
        old_ldap_deref = -1
        num_attribs = 0
        i = 0
        myargcount = 7
        ret = 0
#1  0x0000002a9a54655c in zif_ldap_search (ht=7,
return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0,
return_value_used=1)
    at ./php-5.2.10/ext/ldap/ldap.c:936
No locals.
#2  0x0000002a98fd4b6e in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#3  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#4  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#5  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#6  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#7  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#8  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#9  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#10 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#11 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#12 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#13 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#14 0x0000002a98fe317c in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#15 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#16 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#17 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#18 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#19 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#20 0x0000002a98fb5214 in zend_execute_scripts () from
./apache/modules/libphp5.so
No symbol table info available.
#21 0x0000002a98f723ad in php_execute_script () from
./apache/modules/libphp5.so
No symbol table info available.
#22 0x0000002a990443e6 in zend_get_zval_ptr_ptr () from
./apache/modules/libphp5.so
No symbol table info available.
#23 0x0000000000435c63 in ap_run_handler ()
No symbol table info available.
#24 0x0000000000436101 in ap_invoke_handler ()
No symbol table info available.
#25 0x0000000000442860 in ap_process_request ()
No symbol table info available.
#26 0x000000000043ffad in ap_filter_protocol ()
No symbol table info available.
#27 0x000000000043c653 in ap_run_process_connection ()
No symbol table info available.
#28 0x0000000000446970 in ap_graceful_stop_signalled ()
No symbol table info available.
#29 0x0000000000446b94 in ap_graceful_stop_signalled ()
No symbol table info available.
#30 0x0000000000446c2e in ap_graceful_stop_signalled ()
No symbol table info available.
#31 0x000000000044743d in ap_mpm_run ()
No symbol table info available.
#32 0x00000000004237e5 in main ()
No symbol table info available.



------------------------------------------------------------------------
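As an added illustration (not PHP's own ext/ldap/ldap.c) of the pattern the report describes, the cut-down C model below fetches a resource, changes the link's options, and restores them in a shared cleanup label; the if (ld != NULL) guard is the fix, and the driver also shows that options are restored when the search itself fails after they were changed. All type and function names (ldap_link, ldap_linkdata, set_opts, fetch_resource, do_search, options_restored_after) are assumptions for this example.

```c
#include <stddef.h>

/* Added illustration, not PHP's ext/ldap/ldap.c: a cut-down model of the
 * save/search/restore pattern in php_ldap_do_search; every name is assumed. */
typedef struct { int sizelimit; int timelimit; int deref; } ldap_link;
typedef struct { ldap_link *link; } ldap_linkdata;
/* Like php_set_opts: apply new values and hand back the previous ones. */
static void set_opts(ldap_link *l, int sizelimit, int timelimit, int deref,
                     int *old_sizelimit, int *old_timelimit, int *old_deref)
{
    *old_sizelimit = l->sizelimit; *old_timelimit = l->timelimit; *old_deref = l->deref;
    l->sizelimit = sizelimit; l->timelimit = timelimit; l->deref = deref;
}
/* Stand-in for zend_fetch_resource: NULL models an invalid or closed link. */
static ldap_linkdata *fetch_resource(ldap_linkdata *c)
{
    return (c != NULL && c->link != NULL) ? c : NULL;
}
/* 1 on success, 0 on failure; every failure path goes through cleanup:,
 * so cleanup must not assume the resource fetch succeeded. */
int do_search(ldap_linkdata *resource, int sizelimit, int timelimit, int deref,
              int fail_search)
{
    ldap_linkdata *ld = fetch_resource(resource);
    int old_sizelimit = -1, old_timelimit = -1, old_deref = -1;
    int ret = 0, s, t, d;
    if (ld == NULL) {
        goto cleanup;               /* ld is NULL here: the report's trigger */
    }
    set_opts(ld->link, sizelimit, timelimit, deref,
             &old_sizelimit, &old_timelimit, &old_deref);
    if (fail_search) {
        goto cleanup;               /* options already changed: must restore */
    }
    ret = 1;
cleanup:
    if (ld != NULL) {               /* the fix: no ld->link when fetch failed */
        set_opts(ld->link, old_sizelimit, old_timelimit, old_deref, &s, &t, &d);
    }
    return ret;
}
/* Run one search on a fresh link (constructed values); 1 if options restored. */
int options_restored_after(int fail_search)
{
    ldap_link l = { 1000, 30, 0 };
    ldap_linkdata res = { &l };
    do_search(&res, 100, 10, 1, fail_search);
    return l.sizelimit == 1000 && l.timelimit == 30 && l.deref == 0;
}
```

Without the guard, do_search(NULL, ...) would dereference ld->link exactly as frame #0 of the backtrace shows (ld = 0x0).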
