#44872 [Com]: canary mismatch on efree() - heap overflow detected

[jimmy at pixelant dot se]

 ID:               44872
 Comment by:       jimmy at pixelant dot se
 Reported By:      mattr at shoplet dot com
 Status:           No Feedback
 Bug Type:         MySQLi related
 Operating System: FreeBSD 6.2
 PHP Version:      5.2.5
 New Comment:

Feb  9 13:51:36 xxxxxxxxxxxxxx suhosin[4498]: ALERT - canary mismatch
on efree() - heap overflow detected (attacker 'x.x.x.x', file
'class.t3lib_htmlmail.php', line 718)


Upgrade to php 5.2.12 resolved this issue.


Previous Comments:
------------------------------------------------------------------------

[2009-09-09 20:51:05] squarious at gmail dot com

I have the same error on 5.2.10 with suhosin patch.
Linux 2.6.31-10-generic #30-Ubuntu SMP Tue Sep 8 12:32:38 UTC 2009
x86_64 GNU/Linux

The tested site was working perfectly on Ubuntu 8.04 LTS with untouched
PHP 5.2.4 (with suhosin patch). The behaviour however is not standard
and it depends if the page is first time visite

------------------------------------------------------------------------

[2009-09-09 12:03:27] neofutur dot php at ww7 dot be

update/workaround . . . but scary . . .

 someone on ##php tols me to restart apache, that when you get one of 
those canary mismatch on efree() you get many until you restart apache.
 I didnt pay attention at the beginning but finally tried it.

 Its simply true, when you get those messages , restart apache and you
will see no more of them ( until the next apache overflow ? )

------------------------------------------------------------------------

[2009-09-09 10:21:49] neofutur dot php at ww7 dot be

I also tried the code suggested :

<?php
$demo_user[]=(object)array("first" => 1);
$demo_user[]=(object)array("second" => 2);
$demo_user[]=(object)array("third" => 3);

echo "<pre>"; var_dump($demo_user); echo "</pre>";

?>

 This doesnt trigger any error message here

------------------------------------------------------------------------

[2009-09-09 10:07:50] neofutur dot php at ww7 dot be

your bugtool dont accept my comment after 40 attempts, so I just post
the pastebin url containing all my comments and logs :

http://dpaste.com/91360/

------------------------------------------------------------------------

[2009-09-09 09:56:15] joeysmith at gmail dot com

Sorry for the noise - testing the assertion that CAPTCHAs are broken.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/44872

-- 
Edit this bug report at http://bugs.php.net/?id=44872&edit=1