ID: 34731
User updated by: novicky at aarongroup dot cz
Reported By: novicky at aarongroup dot cz
-Status: Feedback
+Status: Open
Bug Type: OCI8 related
Operating System: All
PHP Version: 5CVS-2005-10-04 (CVS)
Assigned To: tony2001

New Comment:
It is hard to reproduce but working on deallocated memory blocks is extremely dangerous. We had problems with segmentation faults on Sparc/Solaris 9. Have a look at the following code coming from oci8.c - first a session pointer is inserted into the list by zend_list_insert(), while a few lines below the session structure is copied into a new location by zend_llist_add_element() and the original memory block is deallocated by efree(). Thus the destructor applied on the list would work on deallocated memory!!!

	/* resource registered with the address of the original allocation */
	session->num = zend_list_insert(session, le_session);
	session->is_open = 1;

	mutex_lock(mx_lock);
	num_links++;
	if (!exclusive) {
		/* the list stores its own copy; the registered pointer is then freed */
		zend_llist_add_element(session_list, session);
		efree(session);
		session = (oci_session*) session_list->tail->data;
		num_persistent++;
	}
	mutex_unlock(mx_lock);

	oci_debug("_oci_open_session new sess=%d user=%s",session->num,username);
	return session;

Previous Comments:
------------------------------------------------------------------------

[2005-10-04 18:48:20] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If possible, make the script source available online and provide a URL to it here.

Try to avoid embedding huge scripts into the report.

------------------------------------------------------------------------

[2005-10-04 18:29:23] [EMAIL PROTECTED]

Assigned to the maintainer.

------------------------------------------------------------------------

[2005-10-04 15:59:20] novicky at aarongroup dot cz

Description:
------------
There is an incorrect session destructor registration. The pointer registered by zend_list_insert points to a memory block which is then released by efree. This can lead to a segmentation fault when the destructor is called.
A proposed patch follows (the same problem is in the development branch):

--- php5-STABLE-200510041238/ext/oci8/oci8.c.ORIG 2005-10-04 15:39:42.301952856 +0200
+++ php5-STABLE-200510041238/ext/oci8/oci8.c 2005-10-04 15:40:58.979935427 +0200
@@ -2879,7 +2879,6 @@ ) ); - session->num = zend_list_insert(session, le_session); session->is_open = 1; mutex_lock(mx_lock);
@@ -2892,6 +2891,7 @@ } mutex_unlock(mx_lock); + session->num = zend_list_insert(session, le_session); oci_debug("_oci_open_session new sess=%d user=%s",session->num,username); return session;

------------------------------------------------------------------------
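Review bot: In the first hunk (@@ -2879,7 +2879,6 @@), dropping the zend_list_insert() call leaves session->num unset until the second hunk assigns it, so any code between the two points that read session->num would now see an uninitialized value; from the visible lines only session->is_open = 1, the mutex_lock(mx_lock) section and the zend_llist_add_element()/efree() copy run in between, and the oci_debug() that prints session->num sits after the new call, so the ordering is sound. A short comment at the original site saying that registration is deliberately deferred until after the llist copy would stop a later edit from reintroducing the early call.

Review bot: In the second hunk (@@ -2892,6 +2891,7 @@), registering the resource after mutex_unlock(mx_lock) means that on the !exclusive path the pointer handed to the le_session destructor is session_list->tail->data, memory owned by session_list rather than the block efree() just released, which is exactly what the report asks for. Two things to confirm before merging: the le_session destructor must not efree() that pointer itself now that the llist owns it (the llist's own element dtor should release it), and zend_list_insert() now runs outside mx_lock, so check that it only touches the per-request resource list and needs no protection from that mutex.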
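To make the ordering problem concrete, here is an added example (not code from the bug report or from the PHP source) that models the two Zend behaviours the report relies on with constructed stand-ins of the same shape: a list that stores its own copy of each element, as zend_llist_add_element() does, and a resource table that records the pointer a later destructor will receive, as zend_list_insert() does. The function open_session_registers_live_pointer and the stand-in names are this example's own; it runs the persistent branch in both the original and the patched order and reports whether the registered pointer still refers to live, list-owned memory.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Stand-ins constructed for this example (not the real Zend API). */
typedef struct { int num; int is_open; } oci_session;
typedef struct node { struct node *next; oci_session data; } node;
typedef struct { node *head, *tail; } llist;

/* Like zend_llist_add_element(): the list stores its own copy of the element. */
static oci_session *llist_add_element(llist *l, const oci_session *elem) {
    node *n = calloc(1, sizeof *n);
    n->data = *elem;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
    return &n->data;
}

/* Like zend_list_insert(): remembers exactly the pointer the destructor gets. */
static void *registered[8];
static int list_insert(void *p) {
    static int next_id;
    registered[next_id] = p;
    return next_id++;
}
static void llist_destroy(llist *l) {
    for (node *n = l->head; n;) { node *next = n->next; free(n); n = next; }
}

/* Models the persistent (!exclusive) branch of _oci_open_session. Returns true
 * when the registered pointer is the list-owned copy and false when it is the
 * block that efree() released. The freed pointer is compared, never read. */
static bool open_session_registers_live_pointer(bool patched_order) {
    llist session_list = {0};
    oci_session *session = calloc(1, sizeof *session);
    if (!patched_order)
        session->num = list_insert(session);   /* original code: before the copy */
    session->is_open = 1;
    void *original = session;
    session = llist_add_element(&session_list, session);
    free(original);                            /* efree(session) in oci8.c */
    if (patched_order)
        session->num = list_insert(session);   /* patch: after the copy and free */
    bool live = registered[session->num] == (void *)session;
    llist_destroy(&session_list);
    return live;
}
int main(void) {
    return open_session_registers_live_pointer(true) &&
           !open_session_registers_live_pointer(false) ? 0 : 1;
}
```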