Edit report at https://bugs.php.net/bug.php?id=51588&edit=1
 ID:                 51588
 Updated by:         php-bugs@lists.php.net
 Reported by:        f...@php.net
 Summary:            calling zend_parse_ini_string/file recursively core dump
-Status:             Feedback
+Status:             No Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   any
 PHP Version:        5.3.2

New Comment:

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

Previous Comments:
------------------------------------------------------------------------
[2011-08-30 13:50:56] bj...@php.net

Any particular reason you haven't committed this yet?

------------------------------------------------------------------------
[2010-04-18 12:29:13] f...@php.net

The following patch has been added/updated:

Patch Name: zend_ini_parser.y.patch
Revision:   1271586553
URL:        http://bugs.php.net/patch-display.php?bug=51588&patch=zend_ini_parser.y.patch&revision=1271586553

------------------------------------------------------------------------
[2010-04-18 12:28:33] f...@php.net

Description:
------------
When zend_parse_ini_string or zend_parse_ini_file is called recursively, it crashes.

The lexical state variable is global; calling those functions recursively overwrites the previous version and crashes at liberation/destruction.

To prevent this behaviour, the following patch makes zend_parse_ini_string or zend_parse_ini_file return an error when called recursively.

Test script:
---------------
void fpm_conf_load_ini_file(char *filename);

/* INI parser callback: an "include" entry loads the named file, which
   re-enters zend_parse_ini_file() while the outer parse is still running */
static void fpm_conf_ini_parser(zval *arg1, zval *arg2, zval *arg3, int callback_type, void *arg TSRMLS_DC)
{
  if (!arg1) return;
  if (callback_type != ZEND_INI_PARSER_ENTRY) return;
  if (arg2 && !strcmp(Z_STRVAL_P(arg1), "include")) {
    /* arg1 is the entry name, arg2 its value (the file to include) */
    fpm_conf_load_ini_file(Z_STRVAL_P(arg2));
  }
}

void fpm_conf_load_ini_file(char *filename)
{
  zend_file_handle fh;
  fh.handle.fp = VCWD_FOPEN(filename, "r");
  fh.opened_path = NULL;
  fh.free_filename = 0;
  fh.filename = filename;
  Z_TYPE(fh) = ZEND_HANDLE_FP;
  zend_parse_ini_file(&fh, 1, ZEND_INI_SCANNER_RAW, (zend_ini_parser_cb_t)fpm_conf_ini_parser, NULL TSRMLS_CC);
}

Expected result:
----------------
it doesn't crash, it works or returns an error

Actual result:
--------------
core dump

#0  _zend_mm_free_int (heap=0x8271c000, p=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2018
#1  0x1c23154a in _efree (ptr=0x7d3fe1f8) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2351
#2  0x1c245b5b in zend_stack_destroy (stack=0x3c2c2804) at /LIBRE/dev/php-5.3.2/Zend/zend_stack.c:104
#3  0x1c22bd1c in shutdown_ini_scanner () at zend_ini_scanner.l:201
#4  0x1c22b035 in zend_parse_ini_file (fh=0xcfbd3c70, unbuffered_errors=1 '\001', scanner_mode=0, ini_parser_cb=0x8271c000, arg=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_ini_parser.c:322
#5  0x1c2aefa8 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:739
#6  0x1c2af002 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:751
#7  0x1c2ad489 in fpm_init (argc=-2106474496, argv=0x8271c000, config=0x8271c000 "\001", base=0x3c2bf81c) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm.c:32
#8  0x1c2b14ff in main (argc=3, argv=0xcfbd5eac) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_main.c:1695

------------------------------------------------------------------------
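
The approach the description gives (return an error when the parser is entered recursively), as an added example that is not part of the original report or of the attached patch. It uses a hypothetical miniature parser with one global scanner state instead of the Zend code; parse_ini_string, scanner, on_entry and the sample INI text are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*entry_cb)(const char *key, const char *value, void *arg);

/* Hypothetical single global scanner state, as in the report's description. */
static struct { char *buf; int active; } scanner;

/* Returns 0 on success, -1 on allocation failure or on a recursive call. */
int parse_ini_string(const char *text, entry_cb cb, void *arg)
{
    if (scanner.active)      /* guard: a nested call would replace scanner.buf, */
        return -1;           /* and the outer call would then free it again     */
    scanner.buf = malloc(strlen(text) + 1);
    if (!scanner.buf) return -1;
    strcpy(scanner.buf, text);
    scanner.active = 1;
    for (char *p = scanner.buf; *p; ) {
        char *eol = strchr(p, '\n');
        if (eol) *eol = '\0';
        char *eq = strchr(p, '=');
        if (eq) { *eq = '\0'; cb(p, eq + 1, arg); }
        if (!eol) break;
        p = eol + 1;
    }
    free(scanner.buf);       /* teardown of the global state happens exactly once */
    scanner.buf = NULL;
    scanner.active = 0;
    return 0;
}

struct result { int entries; int nested_rc; };

/* Callback that re-enters the parser on "include", like the test script. */
static void on_entry(const char *key, const char *value, void *arg)
{
    struct result *r = arg;
    (void)value;
    r->entries++;
    if (strcmp(key, "include") == 0)   /* constructed stand-in for the included file */
        r->nested_rc = parse_ini_string("x=1\n", on_entry, arg);
}

struct result demo(void)
{
    struct result r = {0, 0};
    parse_ini_string("a=1\ninclude=other.ini\nb=2\n", on_entry, &r);  /* constructed input */
    return r;
}

int main(void)
{
    struct result r = demo();
    printf("entries=%d nested_rc=%d\n", r.entries, r.nested_rc);
    return 0;
}
```

With the guard in place the nested call is refused and the outer parse finishes and frees the global state once; a caller that needs real includes has to queue them and parse them after the outer call returns.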