From:             [EMAIL PROTECTED]
Operating system: Linux2.2.19/Debian
PHP version:      4.1.2
PHP Bug Type:     Recode related
Bug description:  Recode memory corruption

The recode function somehow fails to calculate the length of the result string;
this causes (mostly) random segfaults. In this example, the FOR loop will stop
at a different cycle count, which depends on the running mode (apache
module, cgi from shell, cgi from gdb) and on the operations done on the string
before calling recode.

The result of recoding in the file is so weird: at several places the two
strings' lengths aren't equal (like some buffer overflow problem). PHP
versions 4.0.6-4.1.2 (with recode 3.6) are all affected (the command-line
recode works well).

<?php
  // Log file for every case where recoding changes the string length.
  $fp = fopen("ideni", "w");

  // Pure-ASCII input: recoding utf8 -> latin2 must not change its length.
  for ($i = 0; $i < 10240; $i++)
  {
    echo "$i\n";
    $str = str_repeat("a", $i);

    if (strlen($str) !=
        strlen(recode("utf8..latin2", $str)))
    {
      // Record the original and the recoded string side by side.
      $fstr = "\n$i: $str";
      $rstr = "\n$i: " . recode("utf8..latin2", $str);

      fwrite($fp, $fstr);
      fwrite($fp, $rstr);
    }
  }

  fclose($fp);
?>

This backtrace was made from cgi/gdb:

#0  0x4024ed28 in free () from /lib/libc.so.6
#1  0x4024ea0a in malloc () from /lib/libc.so.6
#2  0x4024e1e4 in malloc () from /lib/libc.so.6
#3  0x080f5a8f in _emalloc (size=6828, __zend_filename=0x81309c2 "recode.c", __zend_lineno=142, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:165
#4  0x080f61ed in _estrndup (s=0x81d64a8 'a' <repeats 200 times>..., length=6827, __zend_filename=0x81309c2 "recode.c", __zend_lineno=142, __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:356
#5  0x0807d88a in zif_recode_string (ht=2, return_value=0x81d2384, this_ptr=0x0, return_value_used=1) at recode.c:142
#6  0x0812594a in execute (op_array=0x81cddbc) at ./zend_execute.c:1590
#7  0x08107309 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:814
#8  0x0805f411 in php_execute_script (primary_file=0xbffffd04) at main.c:1307
#9  0x0805cc8c in main (argc=3, argv=0xbffffd94) at cgi_main.c:738
#10 0x401f96cf in __libc_start_main () from /lib/libc.so.6
(gdb) frame 6
#6  0x0812594a in execute (op_array=0x81cddbc) at ./zend_execute.c:1590
1590          ((zend_internal_function *) function_state.function)->handler(opline->extended_value, Ts[opline->result.u.var].var.ptr, object.ptr, return_value_used TSRMLS_CC);

Good luck!
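The defect class behind the report above is a recoding routine whose returned length does not match the bytes it actually wrote, so a later copy (here the estrndup in frame #4) reads or writes past the real buffer. The following is an added example, not code from this report or from PHP's ext/recode: it shows the defensive pattern in C, using iconv as a stand-in for librecode (an assumption; the charset names "UTF-8" and "ISO-8859-2" correspond to the report's "utf8..latin2"). The output buffer is grown on E2BIG and the returned length is derived only from what the converter wrote, and a second helper repeats the reporter's loop so the length invariant can be checked for ASCII input of any size.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not PHP's ext/recode code): convert `in` (in_len bytes) from
 * charset `from` to `to`. Returns a malloc'd, NUL-terminated buffer and stores
 * the exact number of output bytes in *out_len. The buffer is grown whenever
 * iconv reports E2BIG, and the length comes from the bytes iconv actually
 * wrote, never from an assumed ratio to the input length. Stateful encodings
 * (which need a final flush call) are out of scope here. */
char *transcode_exact(const char *from, const char *to,
                      const char *in, size_t in_len, size_t *out_len)
{
    iconv_t cd = iconv_open(to, from);
    if (cd == (iconv_t)-1) return NULL;

    size_t cap = in_len + 16;             /* initial guess; grown as needed */
    char *out = malloc(cap + 1);
    if (!out) { iconv_close(cd); return NULL; }

    char *inp = (char *)in;               /* iconv's prototype is non-const */
    size_t in_left = in_len;
    size_t used = 0;

    while (in_left > 0) {
        char *outp = out + used;
        size_t out_left = cap - used;
        size_t rc = iconv(cd, &inp, &in_left, &outp, &out_left);
        used = cap - out_left;            /* bytes actually written so far */
        if (rc == (size_t)-1) {
            if (errno == E2BIG) {         /* output buffer full: grow, retry */
                cap *= 2;
                char *tmp = realloc(out, cap + 1);
                if (!tmp) { free(out); iconv_close(cd); return NULL; }
                out = tmp;
                continue;
            }
            free(out);                    /* EILSEQ / EINVAL: reject input */
            iconv_close(cd);
            return NULL;
        }
    }
    iconv_close(cd);
    out[used] = '\0';
    *out_len = used;
    return out;
}

/* Mirrors the reporter's check: a run of n ASCII 'a's recoded UTF-8 -> Latin-2
 * must keep its length exactly. Returns 1 if preserved, 0 if the lengths
 * differ, -1 if the conversion could not be performed at all. */
int ascii_length_preserved(size_t n)
{
    char *str = malloc(n + 1);
    if (!str) return -1;
    memset(str, 'a', n);
    str[n] = '\0';

    size_t rlen = 0;
    char *r = transcode_exact("UTF-8", "ISO-8859-2", str, n, &rlen);
    int ok = r ? ((rlen == n && strlen(r) == n) ? 1 : 0) : -1;
    free(r);
    free(str);
    return ok;
}

/* Exact Latin-2 byte length of a UTF-8 string, or -1 if it cannot be converted
 * (invalid or truncated UTF-8, or a character outside Latin-2). Shows why the
 * length must come from the converter: multi-byte UTF-8 input shrinks. */
long utf8_to_latin2_len(const char *utf8)
{
    size_t n = 0;
    char *r = transcode_exact("UTF-8", "ISO-8859-2", utf8, strlen(utf8), &n);
    if (!r) return -1;
    free(r);
    return (long)n;
}

int main(void)
{
    /* Same sweep as the report's PHP loop; print only the first anomaly. */
    for (size_t i = 0; i < 10240; i++) {
        int ok = ascii_length_preserved(i);
        if (ok != 1) {
            printf("length invariant broken at i=%zu (result %d)\n", i, ok);
            return 1;
        }
    }
    printf("all 10240 lengths preserved; \"\\xC3\\xA1\" -> %ld byte(s)\n",
           utf8_to_latin2_len("\xC3\xA1"));
    return 0;
}
```

The same shape applies to any extension wrapper: keep the converter's reported byte count and the allocation size as two separate values, copy with the reported count, and treat a converter error as "no result" rather than returning whatever is in the buffer.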

-- 
Edit bug report at http://bugs.php.net/?id=17154&edit=1