From: jdolecek at NetBSD dot org
Operating system: NetBSD 2.0G
PHP version: 4.3.7
PHP Bug Type: Scripting Engine problem
Bug description: Zend constant warning uses memory after free

Description:
------------
If a constant in a define() call is already defined, the Zend engine issues a warning with E_NOTICE set. This warning code might use memory after it's freed. This can cause an interpreter crash, especially under threaded Apache 2.x.

The following fixes the problem (this patch is in NetBSD pkgsrc ATM):

--- Zend/zend_constants.c.orig 2004-07-13 14:01:27.000000000 +0200 +++ Zend/zend_constants.c 2004-07-13 14:01:54.000000000 +0200 
@@ -265,11 +265,11 @@ } if (zend_hash_add(EG(zend_constants), name, c->name_len, (void *) c, sizeof(zend_constant), NULL)==FAILURE) { + zend_error(E_NOTICE,"Constant %s already defined", name); free(c->name); if (!(c->flags & CONST_PERSISTENT)) { zval_dtor(&c->value); } - zend_error(E_NOTICE,"Constant %s already defined", name); ret = FAILURE; } if (lowercase_name) {

Reproduce code:
---------------
Under NetBSD, switch on extended malloc() debugging by telling malloc to fill free()d values with junk:

    ln -s J /etc/malloc.conf

then run:

    php -r 'error_reporting(E_ALL); define("foo", "j"); define("foo", "j");'

and see something along the lines of:

    PHP Notice: Constant ÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐ in Command line code on line 1

--
Edit bug report at http://bugs.php.net/?id=29116&edit=1
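
Review bot: add a short comment above the moved zend_error() call at the top of the failure branch saying it must stay ahead of free(c->name), because the notice formats name with %s and, per the description, that string can be the memory being freed. Without the comment, the usual clean-up-then-report ordering is easy to restore by accident in a later tidy-up. One thing to confirm with the new ordering: free(c->name) and zval_dtor(&c->value) now run only if zend_error() returns to this branch, so if an E_NOTICE can ever fail to return here, the constant's name and value would leak.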