ID: 47252
Comment by: a dot boykov at timeweb dot ru
Reported By: a dot boykov at timeweb dot ru
Status: Feedback
Bug Type: Arrays related
Operating System: Gentoo Linux 2008.0
PHP Version: 5.2.8
New Comment:
Unfortunately, I cannot produce a simple example.
With a simple example everything works correctly.
But in a finished product this error does occur.
I was able to do some debugging with the help of gdb:
...
0x00007f8b8c8c9073 in select () from /lib/libc.so.6
(gdb) continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8b8d8bd6f0 (LWP 9423)]
zend_hash_exists (ht=0xb37b98, arKey=0x213f000 <Address 0x213f000 out
of bounds>, nKeyLength=4620568) at
/usr/src/php-5.2.8/Zend/zend_hash.h:260
260 hash = ((hash << 5) + hash) + *arKey++;
(gdb) info program
Using the running image of attached Thread 0x7f8b8d8bd6f0 (LWP 9423).
Program stopped at 0x7f8b8b856590.
It stopped with signal SIGSEGV, Segmentation fault.
(gdb) info registers
rax 0xef6512c00c2f6985 -1196529509949544059
rbx 0x1faabb8 33205176
rcx 0xeca2580185ed30a0 -1395456170966306656
rdx 0x0 0
rsi 0x213f000 34861056
rdi 0xb37b98 11762584
rbp 0x7f8b8bed55c0 0x7f8b8bed55c0
rsp 0x7fff959d94a0 0x7fff959d94a0
r8 0x468118 4620568
r9 0xdc076ac1921c9a25 -2591985680915850715
r10 0xa 10
r11 0x5fc560 6276448
r12 0x0 0
r13 0x7f8b8beb72a8 140237324645032
r14 0xac47a0 11290528
r15 0x1faabe8 33205224
rip 0x7f8b8b856590 0x7f8b8b856590 <zend_hash_exists+32>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fctrl Couldn't get floating point status: No such process.
(gdb) info line
Line 260 of "/usr/src/php-5.2.8/Zend/zend_hash.h" starts at address
0x7f8b8b8557c0 <zend_hash_func+16> and ends at 0x7f8b8b8557c4
<zend_hash_func+20>.
If you tell me how to make a core dump of the process (PHP running as a
module), I will provide that as well.
Previous Comments:
------------------------------------------------------------------------
[2009-01-30 20:59:56] [email protected]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.
Please avoid embedding huge scripts into the report.
------------------------------------------------------------------------
[2009-01-30 18:31:19] a dot boykov at timeweb dot ru
Description:
------------
In the extract() function, the length of a string key is not always
determined correctly.
Sometimes it is calculated incorrectly, and any subsequent operation on
this string leads to memory corruption.
Here is an example obtained while debugging.
name: bDescPageNumbering, len: 6276448
[Fri Jan 30 21:18:08 2009] [notice] child pid 19801 exit signal
Segmentation fault (11)
We used this patch to fix the problem:
--- php-5.2.8/ext/standard/array.c 2009-01-30 21:23:25.000000000
+0300
+++ php-5.2.8/ext/standard/array.c 2009-01-30 21:24:35.000000000
+0300
@@ -1397,6 +1397,9 @@
key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(var_array),
&var_name, &var_name_len, &num_key, 0, &pos);
var_exists = 0;
+ if (key_type == HASH_KEY_IS_STRING)
+ var_name_len = strlen(var_name);
+
if (key_type == HASH_KEY_IS_STRING) {
var_name_len--;
var_exists = zend_hash_exists(EG(active_symbol_table), var_name,
var_name_len + 1);
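Review bot: the strlen() value assigned in the added lines is one byte short of what the unchanged lines below expect: they do `var_name_len--;` and then call zend_hash_exists() with `var_name_len + 1`, i.e. they rely on the NUL-inclusive length that zend_hash_get_current_key_ex() returns for string keys, so after this patch zend_hash_exists() is handed the bare string length and a symbol that is present in the active symbol table will not be matched (consistent with the "len: 18" line printed after the patch for the 18-character key). If strlen() is used at all it should be `strlen(var_name) + 1`, and the assignment belongs inside the existing `if (key_type == HASH_KEY_IS_STRING)` block rather than in a duplicated condition. strlen() also stops at the first NUL byte while array keys are binary-safe, so this only masks the symptom: the bad var_name_len comes out of the hash bucket itself, and whatever overwrote that bucket is the real defect to chase.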
With this patch everything works well, but I think it does not eliminate
the source of the problem.
name: bDescPageNumbering, len: 18
------------------------------------------------------------------------
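The following C program is an added illustration, not part of the bug report or of PHP's sources: it re-implements the DJBX33A loop shown at zend_hash.h:260 to show that the hash consumes exactly nKeyLength bytes and never looks for a terminator, and it adds a length-consistency check based on the PHP 5.2 convention (visible in the hunk above) that string key lengths count the trailing NUL. The key name and the corrupt length 4620568 are taken from the report; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/*
 * DJBX33A as inlined at Zend/zend_hash.h:260 in PHP 5.2. The loop walks
 * nKeyLength bytes unconditionally; with a corrupt length (4620568 in the
 * gdb output, for an 18-character key) it simply keeps reading past the
 * key until it hits an unmapped page, which is the SIGSEGV in the report.
 */
static unsigned long djbx33a(const char *arKey, unsigned int nKeyLength)
{
    unsigned long hash = 5381;
    for (; nKeyLength > 0; nKeyLength--) {
        hash = ((hash << 5) + hash) + *arKey++;
    }
    return hash;
}

/*
 * PHP 5.2 stores string keys with a length that includes the trailing NUL,
 * which is why extract() does var_name_len-- for its own use and passes
 * var_name_len + 1 back to zend_hash_exists(). For a NUL-terminated key the
 * only consistent value is therefore strlen(key) + 1; anything else means
 * the bucket metadata is corrupt and must not reach the hash loop.
 */
static int key_len_is_sane(const char *key, unsigned int nKeyLength)
{
    return nKeyLength == strlen(key) + 1;
}

/* Guarded hash: returns 0 (and hashes nothing) when the length is corrupt. */
static unsigned long hash_or_zero(const char *key, unsigned int nKeyLength)
{
    if (!key_len_is_sane(key, nKeyLength)) {
        return 0;
    }
    return djbx33a(key, nKeyLength);
}

int main(void)
{
    const char *name = "bDescPageNumbering";    /* key from the report */
    printf("len 19 (correct): %lu\n", hash_or_zero(name, 19));
    printf("len 18 (strlen, no NUL): %lu\n", hash_or_zero(name, 18));
    printf("len 4620568 (corrupt): %lu\n", hash_or_zero(name, 4620568u));
    return 0;
}
```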