Bug #52797 [Com]: crash because of double free

2012-10-04 Thread slangley at google dot com
Edit report at https://bugs.php.net/bug.php?id=52797&edit=1

 ID: 52797
 Comment by: slangley at google dot com
 Reported by:hossy421 at yahoo dot co dot jp
 Summary:crash because of double free
 Status: Feedback
 Type:   Bug
 Package:Reproducible crash
 Operating System:   FreeBSD 7.3-RELEASE-p2
 PHP Version:5.3.3
 Block user comment: N
 Private report: N

 New Comment:

Happens with 5.3.13 and a custom SAPI.

---
Zend/zend_language_scanner.l(709) : Block 0x101e8318 status:
Invalid pointer: ((prev=0x0079) != (prev.size=0x101e827c))
---

---
Zend/zend_language_scanner.l(709) : Block 0x101e8368 status:
Beginning:  Freed
   Start:  OK
 End:  Overflown (magic=0x002D instead of 0xF40CA3AE)
   At least 4 bytes overflown
---


Previous Comments:

[2011-07-25 21:33:37] osharoiko at gmail dot com

I can confirm that this reproducible problem still exists in 5.3.6 and the patch 
provided in this ticket solves the problem. I have a strong feeling that this 
problem also exists in trunk (though I didn't check that directly, but I can see 
on svn.php.net that the patch was not committed). Please consider fixing this 
problem.


[2011-01-29 16:07:23] hossy421 at yahoo dot co dot jp

The patch is not applied to the latest snapshot.
I believe the problem is still there.


[2011-01-29 11:31:48] fel...@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/




[2010-09-08 15:18:45] hossy421 at yahoo dot co dot jp

Description:

httpd (Apache 2.2) crashes with the messages below.

> pid X(httpd), uid 80: exited on signal 11

X is the process id of an httpd child process.


Test script:
---
Independent of script.
httpd crashes with any script,
for example PukiWiki.

Expected result:

All scripts will run without any error.

Actual result:
--
I've compiled PHP with the --enable-debug option.
PHP crashes with the message below.

> ---
> Zend/zend_language_scanner.l(704) : Block 0x28f9871c status:
> Beginning:  Freed
> Start:  OK
>   End:  Overflown (magic=0x003C instead of 0xC5F842B3)
> At least 4 bytes overflown
> ---

Zend/zend_language_scanner.l(704) is the code below.
> efree(SCNG(script_org));

`SCNG(script_org)' is saved by the `zend_save_lexical_state()' function
and restored by the `zend_restore_lexical_state()' function.

`SCNG(script_org)' is an `unsigned char*',
but only the pointer itself is stored and saved, not the string it points to.

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=52797&edit=1
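
The save/restore pattern the report describes, modelled as an added C example. This is not PHP's scanner code and not the patch referred to in the ticket: the names tracked_alloc, tracked_free, lexical_state, scanner_open, scanner_close, save_lexical_state_shallow, save_lexical_state_owning, nested_scan and run_scenario are all assumptions of this example, and the small tracking heap stands in for what the --enable-debug Zend allocator printed in the report. It runs open -> save -> nested scan -> restore -> close twice: once with a shallow save that copies only the pointer, as the report says zend_save_lexical_state() does, and once with a save that moves ownership of script_org into the snapshot (one possible fix, not necessarily the one in the ticket's patch), and counts how many frees hit a block that was already freed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy tracking heap (an assumption of this example, not the Zend allocator):
 * it remembers which blocks are live so that a second free of the same
 * block is counted and reported instead of corrupting the real heap. */
#define MAX_BLOCKS 16
static void *live_blocks[MAX_BLOCKS];
static int double_frees;            /* invalid frees seen in the current scenario */

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live_blocks[i] == NULL) { live_blocks[i] = p; return p; }
    }
    free(p);                        /* table full: treat as allocation failure */
    return NULL;
}

/* Returns 0 for a valid free, -1 when the block is not live (double free). */
static int tracked_free(void *p) {
    if (p == NULL) return 0;        /* freeing NULL is a no-op in this toy heap */
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return 0; }
    }
    double_frees++;
    return -1;
}

/* Scanner globals in the spirit of SCNG(script_org): the live state owns the
 * buffer and releases it when the scan is closed. */
typedef struct {
    unsigned char *script_org;
    size_t script_org_size;
} lexical_state;

static lexical_state scng;

static void scanner_open(const char *src) {
    size_t n = strlen(src) + 1;
    scng.script_org = tracked_alloc(n);
    scng.script_org_size = scng.script_org ? n : 0;
    if (scng.script_org) memcpy(scng.script_org, src, n);
}

/* Stands in for the efree(SCNG(script_org)) the report points at. */
static int scanner_close(void) {
    int rc = tracked_free(scng.script_org);
    scng.script_org = NULL;
    scng.script_org_size = 0;
    return rc;
}

/* Shallow save/restore as the report describes: only the pointer is copied,
 * and nothing records which copy is responsible for freeing the buffer. */
static void save_lexical_state_shallow(lexical_state *saved) { *saved = scng; }
static void restore_lexical_state(const lexical_state *saved) { scng = *saved; }

/* Hardened save (one possible fix, assumed here): ownership moves into the
 * snapshot, so the nested scan that follows has no inherited buffer to free. */
static void save_lexical_state_owning(lexical_state *saved) {
    *saved = scng;
    scng.script_org = NULL;
    scng.script_org_size = 0;
}

/* A nested scan run while the outer one is suspended. If it opens its own
 * buffer, ownership is unambiguous; if it does not, its close releases
 * whatever the live state still points at. */
static int nested_scan(int opens_own_buffer) {
    if (opens_own_buffer) scanner_open("<?php return 1;");
    return scanner_close();
}

/* Runs open -> save -> nested scan -> restore -> close and returns how many
 * frees hit a block that was not live. 0 means every buffer was freed once. */
static int run_scenario(int owning_save, int nested_opens_own_buffer) {
    lexical_state saved;
    double_frees = 0;
    scanner_open("<?php echo 'outer';");
    if (owning_save) save_lexical_state_owning(&saved);
    else             save_lexical_state_shallow(&saved);
    nested_scan(nested_opens_own_buffer);
    restore_lexical_state(&saved);
    scanner_close();                /* the second efree in the reported crash */
    return double_frees;
}

int main(void) {
    printf("shallow save, nested scan reuses buffer: %d double free(s)\n", run_scenario(0, 0));
    printf("shallow save, nested scan opens buffer:  %d double free(s)\n", run_scenario(0, 1));
    printf("owning save,  nested scan reuses buffer: %d double free(s)\n", run_scenario(1, 0));
    printf("owning save,  nested scan opens buffer:  %d double free(s)\n", run_scenario(1, 1));
    return 0;
}
```

run_scenario(0, 0) is the reported case: the nested scan closes the live state, which still points at the outer buffer, and the restored copy of that pointer is freed a second time. When the nested scan opens its own buffer the shallow save happens to work, which is why a bug like this only shows up on some code paths. With the owning save the nested scan starts with script_org == NULL, its close frees nothing, and the buffer is released exactly once by the state that owns it.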


Bug #52797 [Com]: crash because of double free

2011-07-25 Thread osharoiko at gmail dot com

 New Comment:

I can confirm that this reproducible problem still exists in 5.3.6 and the patch 
provided in this ticket solves the problem. I have a strong feeling that this 
problem also exists in trunk (though I didn't check that directly, but I can see 
on svn.php.net that the patch was not committed). Please consider fixing this 
problem.



Bug #52797 [Com]: crash because of double free

2011-01-29 Thread hossy421 at yahoo dot co dot jp
 Private report: N

 New Comment:

The patch is not applied to the latest snapshot.
I believe the problem is still there.

