From: justinlong at strategicnetwork dot org
Operating system: KRUD/RedHat
PHP version: 4.3.2
PHP Bug Type: Reproducible crash
Bug description: String overflow? Segmentation faults

Description:
------------
I have a 50,000-record Postgres database of articles that this code is attempting to process. The CGI PHP program takes the HTML file and massages it into a non-HTML subset. Occasional segmentation faults after long runs, and sometimes the following error in the middle of a run:

[Fri Jun 13 09:34:23 2003]  Script:  './article-preprocess.php'
---------------------------------------
/usr/local/src/php-4.3.2/ext/standard/string.c(3521) :  Block 0x084C9780 status:
Beginning:      OK (allocated on /usr/local/src/php-4.3.2/ext/standard/string.c:3330, 1024 bytes)
      End:      Overflown (magic=0x2A8FCC33 instead of 0x2A8FCC84)
                1 byte(s) overflown
---------------------------------------
51613 Friday, June 6: Back in Court
/usr/local/src/php-4.3.2/ext/standard/string.c(3330) :  Freeing 0x084C97A4 (1024 bytes), script=./article-preprocess.php

Configure line: ./configure --with-pgsql=/usr2/local/pgsql --with-curl=/usr/bin,/usr/shared --with-config-file=/etc --enable-stem --enable-debug

Reproduce code:
---------------
$article = trim(stripslashes($rec->article));   // $rec is the current article row from Postgres
if (strlen($article) > 512) {
    $article = str_replace("<TD", " <td", $article);
    $article = str_replace("</TD", " </td", $article);
    $article = eregi_replace("[[:cntrl:]]", " ", $article);       // get rid of control characters
    $article = eregi_replace("<P[^>]+>", "\n\n\n", $article);
    $article = eregi_replace("<BR[^>]+>", "\n\n", $article);
    $article = html_entity_decode($article);                     // get rid of HTML entities
    $article = eregi_replace("&[^;]+;", " ", $article);          // get rid of any entities left over
    if (!empty($article)) {
        // fold Latin-1 accented characters to ASCII; both tables are 69 single-byte
        // (Latin-1) characters, which strtr requires to map byte for byte
        $article = strtr($article,
            "ŠŒŽšœžŸ¥µÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýÿ",
            "SOZsozYYuAAAAAAACEEEEIIIIDNOOOOOOUUUUYsaaaaaaaceeeeiiiionoooooouuuuyy");
    }
    if (!empty($article)) {
        $article = strip_tags($article, '<td>');
        $article = " <td>" . $article;
        $textlines = split("<td", $article);
        foreach ($textlines as $nextstory) {
            if (strpos($nextstory, ">") > 0) {
                $nextstory = substr($nextstory, strpos($nextstory, ">") + 1);
            }
            $checklines = split("\n", $nextstory);
            if (count($checklines) > 0) {
                $totallength = 1;
                $totallines = 1;
                $totalsingletons = 1;   // was misspelled $totalsingletones, so the ratio test below read an undefined variable
                for ($y = 0; $y < count($checklines); $y++) {
                    if (strlen($checklines[$y]) > 0) {
                        $totallines++;
                        $totallength = $totallength + strlen($checklines[$y]);
                        if ($checklines[$y] == "") {
                            $totalsingletons++;
                        }
                    }
                }
                if ($totallength / $totallines > 15 && $totalsingletons / $totallines < .5 && strlen($nextstory) > 512) {
                    $nextstory = $story .= trim(strip_tags($nextstory)) . " \n\n";
                }
            }
        }
    }
}

Expected result:
----------------
Should come out on the other end with a large chunk of text from an HTML page representing the article in question. It usually runs for 90+ entries before the error cited above occurs, and, if it keeps running, for 200+ entries before a segmentation fault occurs.

Actual result:
--------------
Backtrace:

GNU gdb Red Hat Linux (5.1-1)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
warning: core file may not match specified executable file.
Core was generated by `/usr/local/bin/php -q ./article-preprocess.php'.
Program terminated with signal 11, Segmentation fault.
#0  0x40259490 in ?? ()
(gdb) bt
#0  0x40259490 in ?? ()
#1  0x402593f4 in ?? ()
#2  0x08106d00 in php_XML_SetStartNamespaceDeclHandler (parser=0x9ae572c, start=0x81be214 <alloc_globals+820>) at /usr/local/src/php-4.3.2/ext/xml/expat/xmlparse.c:1012
#3  0x08116e1d in little2_scanLt (enc=0x9ad13cc, ptr=0x81c5534 "m", end=0x9ad2f1c "è\003", nextTokPtr=0x81ba27c) at /usr/local/src/php-4.3.2/ext/xml/expat/xmltok_impl.c:693
#4  0x0811257e in normal_scanLt (enc=0x9ad401c, ptr=0xbfffa610 "x+\e\b", end=0x1 <Address 0x1 out of bounds>, nextTokPtr=0x81ba27c) at /usr/local/src/php-4.3.2/ext/xml/expat/xmltok_impl.c:743
#5  0x08120daa in p_bracket (p=0x81b2494) at /usr/local/src/php-4.3.2/regex/regcomp.c:620
#6  0x081136c6 in normal_prologTok (enc=0x8, ptr=0x0, end=0x3 <Address 0x3 out of bounds>, nextTokPtr=0x0) at /usr/local/src/php-4.3.2/ext/xml/expat/xmltok_impl.c:1107
#7  0x080f2152 in zif_rawurldecode (ht=-1073745616, return_value=0x812a940, this_ptr=0xbffff168, return_value_used=135442423) at /usr/local/src/php-4.3.2/ext/standard/url.c:528
#8  0x0812b180 in ap_php_cvt (arg=-1.9965403080193083, ndigits=-1073745436, decpt=0x8062346, sign=0x812b6d0, eflag=0, buf=0xbffff1a8 "") at /usr/local/src/php-4.3.2/main/snprintf.c:301
#9  0x401f4657 in ?? ()
(gdb) frame 9
#9  0x401f4657 in ?? ()
(gdb) frame 8
#8  0x0812b180 in ap_php_cvt (arg=-1.9965403080193083, ndigits=-1073745436, decpt=0x8062346, sign=0x812b6d0, eflag=0, buf=0xbffff1a8 "") at /usr/local/src/php-4.3.2/main/snprintf.c:301
301         while ((fj = arg * 10) < 1) {
(gdb)

-- 
Edit bug report at http://bugs.php.net/?id=24175&edit=1
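The block-status dump in the report comes from PHP's debug allocator, which stores a magic word immediately after each block and compares it when the block is freed. The C below is an added illustration of that check, not PHP's own code: guarded_alloc, guarded_check and copy_and_check are hypothetical names, and the only value taken from the report is the expected end magic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical guard-word allocator (an added illustration, not PHP's zend_alloc).
 * A 4-byte magic word sits right after the last user byte of every block; any
 * write past the end clobbers it, and the check reports how many bytes did so. */
#define END_MAGIC 0x2A8FCC84u   /* the expected end magic quoted in the report */

typedef struct { unsigned char *data; size_t size; } guarded_block;

guarded_block guarded_alloc(size_t size) {
    guarded_block b = { malloc(size + sizeof(uint32_t)), size };
    uint32_t magic = END_MAGIC;
    memcpy(b.data + size, &magic, sizeof magic);   /* memcpy: the guard may be unaligned */
    return b;
}

/* Returns how many guard bytes were overwritten, 0 when the block is intact.
 * Bytes are counted from the lowest address (the byte right after the buffer);
 * on little-endian x86 that is the low-order byte of the magic as printed, which
 * is why the report shows 0x2A8FCC33 against 0x2A8FCC84 for a 1-byte overrun. */
int guarded_check(const guarded_block *b) {
    unsigned char expect[4], actual[4];
    uint32_t magic = END_MAGIC;
    memcpy(expect, &magic, 4);
    memcpy(actual, b->data + b->size, 4);
    int overflown = 0;
    for (int i = 0; i < 4; i++)
        if (expect[i] != actual[i]) overflown = i + 1;
    return overflown;   /* a stray byte equal to the guard byte would go unnoticed */
}

/* The off-by-one behind a "1 byte(s) overflown" dump: a copy that sizes its
 * buffer with strlen() and forgets the NUL. `slack` is how many extra bytes the
 * caller requested: 1 is correct, 0 reproduces the bug (the stray NUL lands in
 * the guard word, which is still inside our own allocation, so the demo is safe). */
int copy_and_check(const char *text, size_t slack) {
    size_t len = strlen(text);
    guarded_block b = guarded_alloc(len + slack);
    memcpy(b.data, text, len + 1);
    int overflown = guarded_check(&b);
    free(b.data);
    return overflown;
}
```

copy_and_check("abc", 0) reports 1 byte overflown, copy_and_check("abc", 1) reports 0.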