From: schotte at mayflower dot de
Operating system: RedHat Linux 3.4.4-2 64-bit
PHP version: 5.2.0
PHP Bug Type: Reproducible crash
Bug description: Apache segfaults when using openssl_pkcs7_encrypt()
Description:
------------
Apache 1.3 with PHP 5.2.0 segfaults when using openssl_pkcs7_encrypt()
(used in an application that encrypts a mail body with an X.509
certificate).
A gdb backtrace is attached.
Actual result:
--------------
(gdb) bt full
#0 0x0000000000534ec9 in BN_BLINDING_free ()
No symbol table info available.
#1 0x00000000004ef35b in RSA_free ()
No symbol table info available.
#2 0x00000000004fefe6 in EVP_PKEY_free ()
No symbol table info available.
#3 0x000000000054b91f in pubkey_cb ()
No symbol table info available.
#4 0x00000000005066d7 in asn1_item_combine_free ()
No symbol table info available.
#5 0x0000000000506955 in asn1_item_combine_free ()
No symbol table info available.
#6 0x0000000000506955 in asn1_item_combine_free ()
No symbol table info available.
#7 0x0000000000506a72 in ASN1_item_free ()
No symbol table info available.
#8 0x00000000004f7acb in sk_pop_free ()
No symbol table info available.
#9 0x0000002a957c4a0e in zif_openssl_pkcs7_encrypt (ht=5,
return_value=0x2a9cc6b8d8, return_value_ptr=0x0, this_ptr=0x0,
return_value_used=1) at
/usr/local/src/lamp-test/php-5.2.0_9090/ext/openssl/openssl.c:2654
zrecipcerts = (zval **) 0x2a9cc7a2a0
zheaders = (zval *) 0x2a9cc785f0
recipcerts = (STACK *) 0x922630
infile = (BIO *) 0x77a410
outfile = (BIO *) 0x921cc0
flags = 0
p7 = (PKCS7 *) 0x928960
hpos = 0x0
zcertval = (zval **) 0x60
cert = (X509 *) 0x9238a0
cipher = (const EVP_CIPHER *) 0x595de0
cipherid = 0
strindexlen = 42
intindex = 96
strindex = 0x7165bbf00000008 <Address 0x7165bbf00000008 out of
bounds>
infilename = 0x2a9cc69620
"/home/web/htdocs/temp/eby_17971241774001_encode_infile_0016.txt"
infilename_len = 63
outfilename = 0x2a9cc6e248
"/home/web/htdocs/temp/eby_17971241774001_encode_outfile_0016.txt"
outfilename_len = 64
#10 0x0000002a95aa9f7a in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fbffd85a0)
at /usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:200
return_reference = 0 '\0'
opline = (zend_op *) 0x2a99b355f8
original_return_value = (zval **) 0xd08dc427f1498234
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = 1
should_change_scope = 0 '\0'
ctor_opline = (zend_op *) 0x2a95a91840
#11 0x0000002a95aafbbf in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0x7fbffd85a0)
at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:1681
opline = (zend_op *) 0x2a99b355f8
fname = (zval *) 0x2a99b35628
#12 0x0000002a95aa9a12 in execute (op_array=0x77f4a0) at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2a99b355f8, function_state =
{function_symbol_table = 0x2a9cd10848,
function = 0x7fea90, reserved = {0x0, 0x7fbffd86d0, 0x2a95a7ee49,
0x7fbffd8600}}, fbc = 0x0, op_array = 0x77f4a0,
object = 0x0, Ts = 0x7fbffd7730, CVs = 0x7fbffd76d0,
original_in_execution = 1 '\001', symbol_table = 0x2a99e2db00,
prev_execute_data = 0x7fbffd8fd0, old_error_reporting = 0x0}
#13 0x0000002a95aaa11f in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fbffd8fd0)
at /usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:234
opline = (zend_op *) 0x2a99b67920
original_return_value = (zval **) 0x7fbffdc0f0
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = 1
should_change_scope = 1 '\001'
ctor_opline = (zend_op *) 0x2a95a91840
#14 0x0000002a95aafbbf in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0x7fbffd8fd0)
at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:1681
opline = (zend_op *) 0x2a99b67920
fname = (zval *) 0x2a99b67950
#15 0x0000002a95aa9a12 in execute (op_array=0x77f9e0) at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2a99b67920, function_state =
{function_symbol_table = 0x2a99e2db00,
function = 0x77f4a0, reserved = {0x739738, 0x2a9cbedd80, 0x739540,
0x7fbffd90d0}}, fbc = 0x0, op_array = 0x77f9e0,
object = 0x0, Ts = 0x7fbffd87c0, CVs = 0x7fbffd8760,
original_in_execution = 1 '\001', symbol_table = 0x2a99db28e8,
prev_execute_data = 0x7fbffdd320, old_error_reporting = 0x0}
#16 0x0000002a95aaa11f in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fbffdd320)
at /usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:234
opline = (zend_op *) 0x2a992c1370
original_return_value = (zval **) 0x7fbffe98e0
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = 1
should_change_scope = 1 '\001'
ctor_opline = (zend_op *) 0x2a95f2ae80
#17 0x0000002a95aaacd4 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fbffdd320)
at /usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:322
No locals.
#18 0x0000002a95aa9a12 in execute (op_array=0x7819a0) at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2a992c1370, function_state =
{function_symbol_table = 0x2a99db28e8,
function = 0x77f9e0, reserved = {0x2a95aab1d1, 0x2a9cbbc731,
0x100000058, 0x0}}, fbc = 0x77f9e0, op_array = 0x7819a0,
object = 0x0, Ts = 0x7fbffd9320, CVs = 0x7fbffd9180,
original_in_execution = 1 '\001', symbol_table = 0x2a99848bd0,
prev_execute_data = 0x7fbffe9f50, old_error_reporting = 0x0}
#19 0x0000002a95aaa11f in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fbffe9f50)
at /usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:234
opline = (zend_op *) 0x2a9927b380
original_return_value = (zval **) 0x7fbffeb318
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = 1
should_change_scope = 1 '\001'
ctor_opline = (zend_op *) 0x2a95f2ae80
#20 0x0000002a95aaacd4 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7fbffe9f50)
at /usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:322
No locals.
#21 0x0000002a95aa9a12 in execute (op_array=0x781850) at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2a9927b380, function_state =
{function_symbol_table = 0x2a99848bd0,
function = 0x7819a0, reserved = {0x19f95a72a80, 0x2a95c30688,
0x9500739540, 0x2a99db5130}}, fbc = 0x7819a0,
op_array = 0x781850, object = 0x0, Ts = 0x7fbffdd6a0, CVs =
0x7fbffdd4d0, original_in_execution = 1 '\001',
symbol_table = 0x2a99b70e40, prev_execute_data = 0x7fbffeb760,
old_error_reporting = 0x0}
#22 0x0000002a95aaa11f in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fbffeb760)
at /usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:234
opline = (zend_op *) 0x2a996fb5e8
original_return_value = (zval **) 0x7fbffec250
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = 0
should_change_scope = 1 '\001'
ctor_opline = (zend_op *) 0x2a95a91840
#23 0x0000002a95aafbbf in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0x7fbffeb760)
at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:1681
opline = (zend_op *) 0x2a996fb5e8
fname = (zval *) 0x2a996fb618
#24 0x0000002a95aa9a12 in execute (op_array=0x78a220) at
/usr/local/src/lamp-test/php-5.2.0_9090/Zend/zend_vm_execute.h:92
execute_data = {opline = 0x2a996fb5e8, function_state =
{function_symbol_table = 0x2a99b70e40,
function = 0x781850, reserved = {0x2a95c31770, 0x2dbffeb890,
0x2a95c34b08, 0x8}}, fbc = 0x0, op_array = 0x78a220,
object = 0x0, Ts = 0x7fbffea1e0, CVs = 0x7fbffea110,
original_in_execution = 1 '\001', symbol_table = 0x2a99626050,
prev_execute_data = 0x7fbfff6b20, old_error_reporting = 0x0}
#25 0x0000002a95aaa11f in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fbfff6b20)
--
Edit bug report at http://bugs.php.net/?id=40232&edit=1
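Added example, not the reporter's script: a self-contained PHP reproduction of the usage pattern described above (encrypting a mail body to one X.509 recipient certificate with openssl_pkcs7_encrypt(), the call in frame #9), which then decrypts the result to confirm the round trip. It generates a throwaway key and certificate itself; the recipient name, the temp-file names and the mail body are constructed, and the recipient is passed as an array to match the array-iteration locals (hpos, zcertval) in the backtrace.

```php
<?php
// Constructed reproduction of the reported call pattern. Not the
// reporter's code; all names and values below are made up for the test.

// Throwaway RSA key and self-signed certificate for the recipient.
$dn  = ['commonName' => 'recipient.example', 'emailAddress' => 'recipient@example.com'];
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
$crt = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
openssl_x509_export($crt, $certPem);
openssl_pkey_export($key, $keyPem);

// Plaintext body in a temp file, as in the *_infile/*_outfile paths of the trace.
$in  = tempnam(sys_get_temp_dir(), 'pkcs7_in_');
$out = tempnam(sys_get_temp_dir(), 'pkcs7_out_');
$dec = tempnam(sys_get_temp_dir(), 'pkcs7_dec_');
file_put_contents($in, "Hello, this is the mail body.\r\n");

$headers = ['To' => 'recipient@example.com', 'From' => 'sender@example.com',
            'Subject' => 'Encrypted mail'];

// AES constants exist from PHP 5.4; fall back to 3DES on the 5.2 line of the report.
$cipher = defined('OPENSSL_CIPHER_AES_128_CBC') ? OPENSSL_CIPHER_AES_128_CBC : OPENSSL_CIPHER_3DES;

// Encrypt to the recipient certificate list (the call that crashed in the report).
// Always check the return value: a false here means the output file is not usable.
if (!openssl_pkcs7_encrypt($in, $out, [$certPem], $headers, 0, $cipher)) {
    fwrite(STDERR, "encrypt failed: " . openssl_error_string() . "\n");
    exit(1);
}

// Decrypt with the matching private key and compare against the original body.
if (!openssl_pkcs7_decrypt($out, $dec, $certPem, $keyPem)) {
    fwrite(STDERR, "decrypt failed: " . openssl_error_string() . "\n");
    exit(1);
}
$ok = file_get_contents($dec) === file_get_contents($in);
echo $ok ? "round trip OK\n" : "round trip MISMATCH\n";

foreach ([$in, $out, $dec] as $f) {
    unlink($f);
}
exit($ok ? 0 : 1);
```

Run it under the affected PHP build (CLI or the Apache module) with a core dump or gdb attached; a clean "round trip OK" on a fixed build and a crash in the same OpenSSL free path on the reported one is what distinguishes this bug from a bad input file.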