From: ailene dot nichol at tandberg dot com
Operating system: Windows Server 2003 SP2
PHP version: 5.2.3
PHP Bug Type: Reproducible crash
Bug description: php5ts.dll causes the IIS application pool to crash
Description:
------------
I have a script that does digest authentication. The script works as
expected and the page will load correctly, but as soon as I run this
script, the IIS default application pool will crash when requesting any
other page. Occasionally I see in the Event Logs that the application pool
crashes with other scripts, but with the digest authentication it is always
reproducible.
I have also tried the latest PHP found in php5.2-win32-200707241230.zip
and can still produce the crash.
Reproduce code:
---------------
// This is the guts of the digest authentication code. It is all taken
// from samples on php.net.
// $headers, $user, $realm, $pwd and http_digest_parse() come from the rest
// of the script, which is not shown here.
if (isset($headers['AUTHORIZATION']))
{
    if ($data = http_digest_parse($headers['AUTHORIZATION']))
    {
        // HA1 = md5(user:realm:password), HA2 = md5(method:uri)
        $A1 = md5($user . ':' . $realm . ':' . $pwd);
        $A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
        $valid_response =
            md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
        if ($data['response'] == $valid_response)
        {
            $_SERVER['AUTH_USER'] = $data['username'];
            return 0;
        }
    }
}
// No valid credentials: send the digest challenge
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="' . $realm .
       '",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
Actual result:
--------------
FAULTING_IP:
php5ts!_zend_mm_free_int+66 [Zend\zend_alloc.c @ 1921]
020ea9d6 8a0437 mov al,byte ptr [edi+esi]
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 020ea9d6 (php5ts!_zend_mm_free_int+0x00000066)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 06b8d148
Attempt to read from address 06b8d148
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: w3wp.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 06b8d148
BUGCHECK_STR: ACCESS_VIOLATION
LAST_CONTROL_TRANSFER: from 020ebad9 to 020ea9d6
STACK_TEXT:
00f7e68c 020ebad9 02edb0b0 02edb168 02196397 php5ts!_zend_mm_free_int+0x66 [Zend\zend_alloc.c @ 1921]
00f7e71c 77f76bfa 77f76c2f 00f7e860 80000000 php5ts!_efree+0x39 [Zend\zend_alloc.c @ 2254]
00f7f90c 10002128 00000000 0105f8b8 5a3211a0 advapi32!LocalBaseRegOpenKey+0xe9
00f7fe04 5a322991 0105f8b8 0105e5f8 0105f248 php5isapi!HttpExtensionProc+0x348 [sapi\isapi\php5isapi.c @ 917]
00f7fe24 5a3968ff 0105f828 10001de0 00f7fe50 w3isapi!ProcessIsapiRequest+0x214
00f7fe58 5a3967e0 00000000 00000000 0105e5f8 w3core!W3_ISAPI_HANDLER::IsapiDoWork+0x3fd
00f7fe78 5a396764 00f7fee8 0105e5f8 00000000 w3core!W3_ISAPI_HANDLER::DoWork+0xb0
00f7fe98 5a3966f4 0105e5f8 00000000 00f7fec4 w3core!W3_HANDLER::MainDoWork+0x16e
00f7fea8 5a3966ae 0105e600 0105e5f8 00000001 w3core!W3_CONTEXT::ExecuteCurrentHandler+0x53
00f7fec4 5a396648 00000001 00f7fee8 0026b480 w3core!W3_CONTEXT::ExecuteHandler+0x51
00f7feec 5a392264 00000000 00000000 00000000 w3core!W3_STATE_HANDLE_REQUEST::DoWork+0x9a
00f7ff10 5a3965ea 00000000 00000000 00000000 w3core!W3_MAIN_CONTEXT::DoWork+0xa6
00f7ff2c 5a36169f 0105db30 0105db30 5a361650 w3core!W3_MAIN_CONTEXT::OnNewRequest+0x55
00f7ff38 5a361650 00268838 00268844 00f7ff5c w3dt!UL_NATIVE_REQUEST::DoStateProcess+0x48
00f7ff48 5a3616ca 000002d4 00000000 0105db34 w3dt!UL_NATIVE_REQUEST::DoWork+0x7f
00f7ff5c 5a3024ce 00000000 000002d4 0105db34 w3dt!OverlappedCompletionRoutine+0x1a
00f7ff8c 5a3026ac 00000000 002688b0 5a300000 w3tp!THREAD_POOL_DATA::ThreadPoolThread+0x73
00f7ffa0 5a301da9 00268838 00000000 00000000 w3tp!THREAD_POOL_DATA::ThreadPoolThread+0x24
00f7ffb8 77e64829 002688b0 00000000 00000000 w3tp!THREAD_MANAGER::ThreadManagerThread+0x39
00f7ffec 00000000 5a301d70 002688b0 00000000 kernel32!BaseThreadStart+0x34
STACK_COMMAND: ~3s; .ecxr ; kb
FAULTING_THREAD: 00000498
FOLLOWUP_IP:
php5ts!_zend_mm_free_int+66 [Zend\zend_alloc.c @ 1921]
020ea9d6 8a0437 mov al,byte ptr [edi+esi]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: php5ts!_zend_mm_free_int+66
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: php5ts
IMAGE_NAME: php5ts.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 465ecf7f
FAILURE_BUCKET_ID: ACCESS_VIOLATION_php5ts!_zend_mm_free_int+66
BUCKET_ID: ACCESS_VIOLATION_php5ts!_zend_mm_free_int+66
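The digest check the reproduce script performs, as an added example that is not the reporter's code: it parses a constructed Authorization header, recomputes the RFC 2617 response for qop=auth exactly as the script does, and compares it with hash_equals (PHP 5.6 or later) instead of ==. The realm, credential store, nonce and client values are all constructed for the demonstration.

```php
<?php
function parse_digest_header($header) {
    // Extract the fields the response computation needs (quoted or bare values).
    $needed = array('username', 'realm', 'nonce', 'uri', 'qop', 'nc', 'cnonce', 'response');
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    $data = array();
    foreach ($m as $match) {
        $data[$match[1]] = (isset($match[3]) && $match[3] !== '') ? $match[3] : $match[2];
    }
    foreach ($needed as $k) {
        if (!isset($data[$k])) {
            return false;   // incomplete header: reject rather than guess
        }
    }
    return $data;
}

function digest_expected_response($data, $method, $password) {
    // Same HA1 / HA2 / response chain as the reporter's script (qop=auth).
    $A1 = md5($data['username'] . ':' . $data['realm'] . ':' . $password);
    $A2 = md5($method . ':' . $data['uri']);
    return md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':'
             . $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
}

function digest_check($header, $method, $realm, $users) {
    $data = parse_digest_header($header);
    if ($data === false || $data['realm'] !== $realm || $data['qop'] !== 'auth'
            || !isset($users[$data['username']])) {
        return false;
    }
    $expected = digest_expected_response($data, $method, $users[$data['username']]);
    // hash_equals (PHP >= 5.6) is a strict, constant-time comparison; the script in
    // the report uses ==, which compares two numeric-looking strings numerically.
    return hash_equals($expected, $data['response']);
}

// Constructed exchange: challenge for realm "Restricted", answered by user "alice".
$realm = 'Restricted';
$users = array('alice' => 'correct horse');   // constructed credential store
$f = array('username' => 'alice', 'realm' => $realm, 'nonce' => 'n0nce123',
           'uri' => '/secure/', 'qop' => 'auth', 'nc' => '00000001', 'cnonce' => 'c1');
$f['response'] = digest_expected_response($f, 'GET', $users['alice']);
$header = sprintf('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=%s, nc=%s, '
                . 'cnonce="%s", response="%s"', $f['username'], $f['realm'], $f['nonce'],
                  $f['uri'], $f['qop'], $f['nc'], $f['cnonce'], $f['response']);
var_dump(digest_check($header, 'GET', $realm, $users));    // genuine request
var_dump(digest_check($header, 'POST', $realm, $users));   // same header, other method
```

The second call fails because the request method is bound into HA2, so a header captured from one request cannot be replayed against a different method; nonce freshness and nc tracking, which the script above also does not do, are what stop replay of the identical request.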
--
Edit bug report at http://bugs.php.net/?id=42093&edit=1