Edit report at https://bugs.php.net/bug.php?id=52797&edit=1

 ID:                 52797
 Comment by:         osharoiko at gmail dot com
 Reported by:        hossy421 at yahoo dot co dot jp
 Summary:            crash because of double free
 Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   FreeBSD 7.3-RELEASE-p2
 PHP Version:        5.3.3
 Block user comment: N
 Private report:     N

 New Comment:

I can confirm that this reproducible problem still exists in 5.3.6 and the patch
provided in this ticket solves the problem. I have a strong feeling that this
problem also exists in trunk (though I didn't check that directly, but I can see
on svn.php.net that the patch was not committed). Please consider fixing this
problem.


Previous Comments:
------------------------------------------------------------------------
[2011-01-29 16:07:23] hossy421 at yahoo dot co dot jp

The patch is not applied to the latest snapshot.
I believe the problem is still there.

------------------------------------------------------------------------
[2011-01-29 11:31:48] fel...@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/



------------------------------------------------------------------------
[2010-09-08 15:18:45] hossy421 at yahoo dot co dot jp

Description:
------------
httpd (Apache 2.2) crashes with the message below.

> pid XXXXX(httpd), uid 80: exited on signal 11

XXXXX is the process id of an httpd child process.


Test script:
---------------
Independent of the script.
httpd is crashed by any script,
for example PukiWiki.

Expected result:
----------------
All scripts will run without any error.

Actual result:
--------------
I've compiled PHP with the --enable-debug option.
PHP crashes with the message below.

> ---------------------------------------
> Zend/zend_language_scanner.l(704) : Block 0x28f9871c status:
> Beginning:      Freed
>     Start:      OK
>       End:      Overflown (magic=0x0000003C instead of 0xC5F842B3)
>                 At least 4 bytes overflown
> ---------------------------------------

Zend/zend_language_scanner.l(704) is the line below.
> efree(SCNG(script_org));

`SCNG(script_org)` is saved by the `zend_save_lexical_state()` function,
and restored by the `zend_restore_lexical_state()` function.

`SCNG(script_org)` is an `unsigned char*`,
but only the pointer is stored and saved, not the string it points to.
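An added C illustration of the shallow save/restore pattern the description outlines; it is neither Zend's actual code nor the patch from this ticket. The scanner state, function and allocator names are hypothetical, the tracking allocator stands in for the --enable-debug heap checks quoted above, and the ownership-transfer variant is one possible mitigation, not the ticket's fix.

```c
#include <stdlib.h>
/* Hypothetical model of the pattern in the report: the saved lexical state
 * keeps only a copy of the script_org pointer, so after a restore two holders
 * believe they own one buffer. Names are illustrative, not Zend's real code. */
#define TRACK_MAX 16
static void *live[TRACK_MAX];   /* blocks currently allocated */
static int double_frees;        /* frees of a pointer that is not live */
/* Minimal tracking allocator: reports a repeated free instead of passing the
 * pointer to free() twice, the job the --enable-debug allocator did above. */
static unsigned char *tracked_alloc(size_t n) {
    unsigned char *p = malloc(n);
    for (int i = 0; i < TRACK_MAX; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void tracked_free(void *p) {
    for (int i = 0; i < TRACK_MAX; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;
}

typedef struct { unsigned char *script_org; } scanner; /* stands in for SCNG(script_org) */
/* The cleanup step at "scanner.l(704)": free the current buffer if one is set. */
static void scan_cleanup(scanner *s) {
    if (s->script_org) tracked_free(s->script_org);
    s->script_org = NULL;
}

/* Buggy sequence: save copies the pointer only, so the buffer is freed twice. */
static int nested_scan_buggy(void) {
    double_frees = 0;
    scanner cur = { tracked_alloc(32) };
    scanner saved = cur;   /* save_lexical_state: shallow pointer copy */
    scan_cleanup(&cur);    /* inner scan ends, buffer freed once */
    cur = saved;           /* restore_lexical_state brings the stale pointer back */
    scan_cleanup(&cur);    /* outer cleanup frees the same block again */
    return double_frees;   /* 1 */
}

/* One mitigation: saving transfers ownership, so the current state no longer
 * frees a buffer the saved state will hand back on restore. */
static int nested_scan_fixed(void) {
    double_frees = 0;
    scanner cur = { tracked_alloc(32) };
    scanner saved = cur;
    cur.script_org = NULL; /* ownership moved to the saved copy */
    scan_cleanup(&cur);    /* nothing to free here */
    cur = saved;
    scan_cleanup(&cur);    /* freed exactly once */
    return double_frees;   /* 0 */
}
```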



------------------------------------------------------------------------


