From: jaroslav dot pulchart at centrum dot cz Operating system: All PHP version: 5.2.10 PHP Bug Type: *Directory Services problems Bug description: ldap_search segfault Apache procees
Description: ------------ Fix 48441 in PHP 5.2.10 (http://bugs.php.net/bug.php?id=48441) restore previous LDAP options, but it doesn't test if LDAP link pointer is NULL. This issue segfault Apache/PHP process. Reproduce code: --------------- ext/ldap/ldap.c ... ld = (ldap_linkdata *) zend_fetch_resource(link TSRMLS_CC, -1, "ldap link", NULL, 1, le_link); if (ld == NULL) { ret = 0; goto cleanup; /* "ld" is NULL !!!!!! */ } ... cleanup: // Restoring previous options php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref); /* set options on ld == NULL !!!!!!! */ ... Expected result: ---------------- No segfault ;) cleanup: if (ld!=NULL){ // Restoring previous options php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref); } Actual result: -------------- #0 0x0000002a9a546437 in php_ldap_do_search (ht=7, return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, scope=2) at ./php-5.2.10/ext/ldap/ldap.c:909 909 php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref); (gdb) bt full #0 0x0000002a9a546437 in php_ldap_do_search (ht=7, return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, scope=2) at ./php-5.2.10/ext/ldap/ldap.c:907 link = (zval **) 0x2a997fd500 base_dn = (zval **) 0x2a997fd508 filter = (zval **) 0x2a997fd510 attrs = (zval **) 0x2a997fd518 attr = (zval **) 0x34 attrsonly = (zval **) 0x2a997fd520 sizelimit = (zval **) 0x2a997fd528 timelimit = (zval **) 0x2a997fd530 deref = (zval **) 0x2a98fb475d ldap_base_dn = 0x0 ldap_filter = 0x2a9d41be10 "Array" ldap_attrs = (char **) 0x2a9d41bb88 ld = (ldap_linkdata *) 0x0 ldap_res = (LDAPMessage *) 0x8 ldap_attrsonly = 0 ldap_sizelimit = 0 ldap_timelimit = 0 ldap_deref = -1 old_ldap_sizelimit = -1 old_ldap_timelimit = -1 old_ldap_deref = -1 num_attribs = 0 i = 0 myargcount = 7 ret = 0 #1 0x0000002a9a54655c in zif_ldap_search (ht=7, return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at ./php-5.2.10/ext/ldap/ldap.c:936 No locals. #2 0x0000002a98fd4b6e in execute () from ./apache/modules/libphp5.so No symbol table info available. #3 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #4 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so No symbol table info available. #5 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #6 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so No symbol table info available. #7 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #8 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so No symbol table info available. #9 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #10 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so No symbol table info available. #11 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #12 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so No symbol table info available. #13 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #14 0x0000002a98fe317c in execute () from ./apache/modules/libphp5.so No symbol table info available. #15 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #16 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so No symbol table info available. #17 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #18 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so No symbol table info available. #19 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so No symbol table info available. #20 0x0000002a98fb5214 in zend_execute_scripts () from ./apache/modules/libphp5.so No symbol table info available. #21 0x0000002a98f723ad in php_execute_script () from ./apache/modules/libphp5.so No symbol table info available. #22 0x0000002a990443e6 in zend_get_zval_ptr_ptr () from ./apache/modules/libphp5.so No symbol table info available. #23 0x0000000000435c63 in ap_run_handler () No symbol table info available. #24 0x0000000000436101 in ap_invoke_handler () No symbol table info available. #25 0x0000000000442860 in ap_process_request () No symbol table info available. #26 0x000000000043ffad in ap_filter_protocol () No symbol table info available. #27 0x000000000043c653 in ap_run_process_connection () No symbol table info available. #28 0x0000000000446970 in ap_graceful_stop_signalled () No symbol table info available. #29 0x0000000000446b94 in ap_graceful_stop_signalled () No symbol table info available. #30 0x0000000000446c2e in ap_graceful_stop_signalled () No symbol table info available. #31 0x000000000044743d in ap_mpm_run () No symbol table info available. #32 0x00000000004237e5 in main () No symbol table info available. -- Edit bug report at http://bugs.php.net/?id=49424&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=49424&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=49424&r=trysnapshot53 Try a snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=49424&r=trysnapshot60 Fixed in SVN: http://bugs.php.net/fix.php?id=49424&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=49424&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=49424&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=49424&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=49424&r=needscript Try newer version: http://bugs.php.net/fix.php?id=49424&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=49424&r=support Expected behavior: http://bugs.php.net/fix.php?id=49424&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=49424&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=49424&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=49424&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=49424&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=49424&r=dst IIS Stability: http://bugs.php.net/fix.php?id=49424&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=49424&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=49424&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=49424&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=49424&r=mysqlcfg
