ID:               27287
 Comment by:       bugs dot php dot net at baach dot de
 Reported By:      clemens at gutweiler dot net
 Status:           Verified
 Bug Type:         Reproducible crash
 Operating System: *
 PHP Version:      5CVS-2004-02-16
 New Comment:

Reproducible also in 5.0.0.4b on Linux (cli and apache2)


Previous Comments:
------------------------------------------------------------------------

[2004-02-21 11:26:12] mneugebauer at omaha dot com

I've also encountered this bug in PHP 5 beta 4 under Mac OS 10.3 (Panther).

------------------------------------------------------------------------

[2004-02-17 03:37:40] clemens at gutweiler dot net

Description:
------------
wddx_deserialize crashes when deserializing a serialized object.



Configure Command =>  './configure'
'--with-apxs=/usr/local/apache/bin/apxs'
'--with-mysql=/usr/local/mysql' '--with-xsl' '--enable-wddx'
'--enable-soap' '--with-tidy' '--enable-sockets'

Reproduce code:
---------------
<?php
        class foo {
        }
        $foo = new foo( );
        $foo->abc = 'def';

        $string = wddx_serialize_value( $foo );
        var_dump( $string );

        // segfault:
        var_dump( wddx_deserialize( $string ) );
?>

Expected result:
----------------
var_dump of the $foo object.

Actual result:
--------------
(gdb) run segfault.php
Starting program: /usr/local/bin/php segfault.php
[New Thread 16384 (LWP 3990)]
string(173) "<wddxPacket version='1.0'><header/><data><struct><var
name='php_class_name'><string>foo</string></var><var
name='abc'><string>def</string></var></struct></data></wddxPacket>"

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 3990)]
0x081a6329 in zend_hash_find (ht=0x82ac658, arKey=0x403cc9dc
"__wakeup", nKeyLength=9, pData=0x0) at
/data/php-5.0.0b4/Zend/zend_hash.c:846
846             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x081a6329 in zend_hash_find (ht=0x82ac658, arKey=0x403cc9dc
"__wakeup", nKeyLength=9, pData=0x0) at
/data/php-5.0.0b4/Zend/zend_hash.c:846
#1  0x081982a6 in zend_call_function (fci=0xbfffd4d0, fci_cache=0x0) at
/data/php-5.0.0b4/Zend/zend_execute_API.c:629
#2  0x08198155 in call_user_function_ex (function_table=0x0,
object_pp=0x0, function_name=0x0, retval_ptr_ptr=0x0, param_count=0,
params=0x0, no_separation=0,
    symbol_table=0x0) at /data/php-5.0.0b4/Zend/zend_execute_API.c:518
#3  0x08167eac in php_wddx_pop_element (user_data=0xbfffd6c0,
name=0x82a9690 "struct") at /data/php-5.0.0b4/ext/wddx/wddx.c:919
#4  0x0816bfff in _end_element_handler (user=0x403cca2c, name=0x82a9640
"struct") at /data/php-5.0.0b4/ext/xml/compat.c:198
#5  0x4018489c in xmlParseStartTag () from /usr/lib/libxml2.so.2
#6  0x40184997 in xmlParseEndTag () from /usr/lib/libxml2.so.2
#7  0x401883c2 in xmlParseExtParsedEnt () from /usr/lib/libxml2.so.2
#8  0x401887bf in xmlParseChunk () from /usr/lib/libxml2.so.2
#9  0x0816c525 in php_XML_Parse (parser=0x0,
    data=0x403ccb14 "<wddxPacket
version='1.0'><header/><data><struct><var
name='php_class_name'><string>foo</string></var><var
name='abc'><string>def</string></var></struct></data></wddxPacket>",
data_len=173, is_final=1) at /data/php-5.0.0b4/ext/xml/compat.c:501
#10 0x081682a7 in php_wddx_deserialize_ex (
    value=0x403ccb14 "<wddxPacket
version='1.0'><header/><data><struct><var
name='php_class_name'><string>foo</string></var><var
name='abc'><string>def</string></var></struct></data></wddxPacket>",
vallen=173, return_value=0x403cc95c) at
/data/php-5.0.0b4/ext/wddx/wddx.c:1104
#11 0x08168b0d in zif_wddx_deserialize (ht=1, return_value=0x403cc95c,
this_ptr=0x0, return_value_used=0) at
/data/php-5.0.0b4/ext/wddx/wddx.c:1325
#12 0x081bd923 in zend_do_fcall_common_helper (execute_data=0xbfffd950,
opline=0x403d7784, op_array=0x403cc334) at
/data/php-5.0.0b4/Zend/zend_execute.c:2642
#13 0x081bda9a in zend_do_fcall_handler (execute_data=0xbfffd950,
opline=0x403d7784, op_array=0x403cc334) at
/data/php-5.0.0b4/Zend/zend_execute.c:2771
#14 0x081ba573 in execute (op_array=0x403cc334) at
/data/php-5.0.0b4/Zend/zend_execute.c:1339
#15 0x081a0a09 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /data/php-5.0.0b4/Zend/zend.c:1052
#16 0x08171683 in php_execute_script (primary_file=0xbffffd30) at
/data/php-5.0.0b4/main/main.c:1647
#17 0x081c4a5c in main (argc=2, argv=0xbffffdb4) at
/data/php-5.0.0b4/sapi/cli/php_cli.c:941
(gdb) frame 14
#14 0x081ba573 in execute (op_array=0x403cc334) at
/data/php-5.0.0b4/Zend/zend_execute.c:1339
1339                    if (EX(opline)->handler(&execute_data,
EX(opline), op_array TSRMLS_CC)) {
(gdb) print (char
*)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x81e56e5 "wddx_deserialize"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x403cc404 "/web/segfault.php"
(gdb)

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=27287&edit=1
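
Added example, not part of the bug report or of PHP's own code: the backtrace shows `__wakeup` being looked up when the `struct` element closes, and the packet in the report marks that struct as an object through its `php_class_name` var. A caller that expects only plain data can check for that marker before handing the packet to `wddx_deserialize()`; the helper name `wddx_packet_class_names` and the second sample packet are assumptions made for illustration.

```php
<?php
// Added example, not code from the report. wddx_packet_class_names() is a
// hypothetical helper: it lists the class names a WDDX packet would make the
// deserializer instantiate, using XMLReader only (ext/wddx is not needed).
function wddx_packet_class_names(string $packet): array
{
    $prev = libxml_use_internal_errors(true);   // collect parse errors quietly
    libxml_clear_errors();
    $reader = new XMLReader();
    // LIBXML_NONET: no network access while parsing untrusted input.
    $reader->XML($packet, null, LIBXML_NONET);
    $classes = [];
    while ($reader->read()) {
        // Compare case-insensitively so the guard errs on the strict side.
        if ($reader->nodeType === XMLReader::ELEMENT
            && strcasecmp($reader->localName, 'var') === 0
            && strcasecmp((string) $reader->getAttribute('name'), 'php_class_name') === 0
        ) {
            // Text of the nested <string> element, e.g. "foo"; an empty
            // marker still adds an entry, so the packet is still flagged.
            $classes[] = trim($reader->readString());
        }
    }
    $reader->close();
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($errors) {
        throw new InvalidArgumentException('malformed WDDX packet: ' . trim($errors[0]->message));
    }
    return $classes;
}

// Packet exactly as printed by var_dump() in the report.
$fromReport = "<wddxPacket version='1.0'><header/><data><struct>"
    . "<var name='php_class_name'><string>foo</string></var>"
    . "<var name='abc'><string>def</string></var></struct></data></wddxPacket>";
// Constructed sample: the same struct without the class marker.
$plain = "<wddxPacket version='1.0'><header/><data><struct>"
    . "<var name='abc'><string>def</string></var></struct></data></wddxPacket>";

foreach (['report' => $fromReport, 'plain' => $plain] as $label => $packet) {
    $names = wddx_packet_class_names($packet);
    echo $label, ': ', $names
        ? 'refuse, packet instantiates ' . implode(', ', $names)
        : 'plain data only', "\n";
}
```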
