ID: 25922
Updated by: [EMAIL PROTECTED]
Reported By: jeroen at derks dot it
-Status: Feedback
+Status: Verified
-Bug Type: Reproducible crash
+Bug Type: Scripting Engine problem
Operating System: Linux 2.4.20 Debian 3.0
-PHP Version: 4.3.3
+PHP Version: 4CVS-20031021
New Comment:
With PHP 4.3.4RC3-dev:
[Tue Oct 21 13:11:19 2003] Script: 't.php'
---------------------------------------
zend_opcode.c(152) : Block 0x08508470 status:
Beginning: Overrun (magic=0x084E8D58, expected=0x7312F8DC)
End: Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003] Script: 't.php'
---------------------------------------
zend_opcode.c(159) : Block 0x08509568 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning: Overrun (magic=0x084E8D58, expected=0x7312F8DC)
End: Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003] Script: 't.php'
---------------------------------------
zend_opcode.c(159) : Block 0x085095A0 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning: Overrun (magic=0x085095D0, expected=0x7312F8DC)
End: Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003] Script: 't.php'
---------------------------------------
zend_opcode.c(165) : Block 0x085095D8 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning: Overrun (magic=0x08509608, expected=0x7312F8DC)
End: Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003] Script: 't.php'
---------------------------------------
zend_opcode.c(159) : Block 0x08509610 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning: Overrun (magic=0x08509640, expected=0x7312F8DC)
End: Unknown
---------------------------------------
[Tue Oct 21 13:11:19 2003] Script: 't.php'
---------------------------------------
zend_opcode.c(165) : Block 0x08509648 status:
zend_variables.c(44) : Actual location (location was relayed)
Beginning: Overrun (magic=0x08509678, expected=0x7312F8DC)
End: Unknown
...and so on. GDB backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 14715)]
0x08259de8 in _efree (ptr=0x85096b4, __zend_filename=0x8361d00 "zend_opcode.c", __zend_lineno=169, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:259
259 REMOVE_POINTER_FROM_LIST(p);
(gdb) bt
#0 0x08259de8 in _efree (ptr=0x85096b4, __zend_filename=0x8361d00 "zend_opcode.c", __zend_lineno=169, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:259
#1 0x08265895 in destroy_op_array (op_array=0x8508af8) at zend_opcode.c:169
#2 0x0826566b in destroy_zend_function (function=0x8508af8) at zend_opcode.c:100
#3 0x08272fa7 in zend_hash_destroy (ht=0x8415848) at zend_hash.c:553
#4 0x0826cb30 in zend_shutdown () at zend.c:559
#5 0x082358bf in php_module_shutdown () at main.c:1284
#6 0x08290fb0 in main (argc=2, argv=0xbffffc84) at php_cli.c:876
Note: Works fine with PHP 5.
Previous Comments:
------------------------------------------------------------------------
[2003-10-20 14:11:56] [EMAIL PROTECTED]
Please try using this CVS snapshot:
http://snaps.php.net/php5-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php5-win32-latest.zip
------------------------------------------------------------------------
[2003-10-20 07:54:21] jeroen at derks dot it
Description:
------------
Modifying the 5th parameter of the error handler will make PHP crash when
leaving the error handler.
NB: This seems to happen only when the error was generated in a
function (possibly also in a member function). Please see the code.
NB2: When changing function test()'s parameter name into $args, PHP
exited normally.
Reproduce code:
---------------
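<?php
// Assigning to the 5th parameter ($errcontext) is the step the report ties to the crash.
function my_error_handler( $error, $errmsg = '', $errfile = '', $errline = 0, $errcontext = '' )
{
    $errcontext = '';
}
set_error_handler( 'my_error_handler' );
// $data is not defined, so the echo below raises a notice from inside test().
function test( $headers = '' )
{
    echo "Undefined index here: '{$data['HTTP_HEADER']}'\n";
}
test();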
Expected result:
----------------
Undefined index here: ''
Actual result:
--------------
Undefined index here: ''
Segmentation fault
------------------------------------------------------------------------