From: achristianson at yakabod dot com
Operating system: CentOS 5.4
PHP version: 5.3.1
PHP Bug Type: Reproducible crash
Bug description: session_set_save_handler Memory Corruption
Description:
------------
Use of session_set_save_handler seems to cause memory corruption under
certain conditions.
Inside of _write, there is code that causes a fatal error. The
corruption seems to not happen if this is removed.
I get the problem in both 5.3.1 and 5.3.2RC3.
Reproduce code:
---------------
<?php
// Install the six user-level session callbacks; _write is the one that
// triggers the fatal error described above.
session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_gc');
session_start();
session_write_close();

function _write() {
    // Deliberate: using self:: outside any class scope raises a fatal error.
    self::$x = null;
}
function _destroy() {}
function _gc() {}
function _open() {}
function _close() {}
function _read() {}

// Allocate a large number of objects.
for ($i = 0; $i < 10000; $i++) {
    $exampleArray[] = new C();
}
class C { }
Expected result:
----------------
No segmentation fault
Actual result:
--------------
5.3.1 backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x014899c0 in ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
302 zval ***ptr = &CV_OF(node->u.var);
(gdb) bt
#0 0x014899c0 in ZEND_ASSIGN_SPEC_CV_CONST_HANDLER (execute_data=0x9a6ee80) at /root/php-5.3.1/Zend/zend_execute.c:302
#1 0x0142d55d in execute (op_array=0x9a0e260) at /root/php-5.3.1/Zend/zend_vm_execute.h:104
#2 0x0140bd57 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.1/Zend/zend.c:1194
#3 0x013bbf4e in php_execute_script (primary_file=0xbfa7c8c0) at /root/php-5.3.1/main/main.c:2225
#4 0x0148ad2b in php_handler (r=0x9a56160) at /root/php-5.3.1/sapi/apache2handler/sapi_apache2.c:648
#5 0x08077bf3 in ap_invoke_handler ()
#6 0x080868df in ap_process_request ()
#7 0x080839e8 in ?? ()
#8 0x09a56160 in ?? ()
#9 0x00000004 in ?? ()
#10 0x09a56160 in ?? ()
#11 0x0987c2f8 in ?? ()
#12 0x00000002 in ?? ()
#13 0x09a43be8 in ?? ()
#14 0xbfa7c9c8 in ?? ()
#15 0x0807ff45 in ap_process_connection ()
5.3.2RC3 backtrace:
Program received signal SIGSEGV, Segmentation fault.
_zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-5.3.2RC3/Zend/zend.h:385
385 return --pz->refcount__gc;
(gdb) bt
#0 _zval_ptr_dtor (zval_ptr=0xbf900928) at /root/php-5.3.2RC3/Zend/zend.h:385
#1 0x014674fc in zend_do_fcall_common_helper_SPEC (execute_data=0x8558d30) at /root/php-5.3.2RC3/Zend/zend_execute.h:316
#2 0x01441b3d in execute (op_array=0x84f66d0) at /root/php-5.3.2RC3/Zend/zend_vm_execute.h:104
#3 0x01420207 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.2RC3/Zend/zend.c:1194
#4 0x013cfe7e in php_execute_script (primary_file=0xbf902c10) at /root/php-5.3.2RC3/main/main.c:2260
#5 0x0149f22b in php_handler (r=0x853e5b8) at /root/php-5.3.2RC3/sapi/apache2handler/sapi_apache2.c:655
#6 0x08077bf3 in ap_invoke_handler ()
#7 0x080868df in ap_process_request ()
#8 0x080839e8 in ?? ()
#9 0x0853e5b8 in ?? ()
#10 0x00000004 in ?? ()
#11 0x0853e5b8 in ?? ()
#12 0x08388758 in ?? ()
#13 0x00000002 in ?? ()
#14 0x0852c040 in ?? ()
#15 0xbf902d18 in ?? ()
#16 0x0807ff45 in ap_process_connection ()
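For contrast with the stub callbacks in the report above, here is an added example (not the reporter's code and not part of PHP) of a file-backed save handler with the callback signatures and return values PHP 5.3 expects, whose write callback reports failure by returning false rather than raising a fatal error. The storage location under sys_get_temp_dir() and the sess_ prefix are assumptions.

```php
<?php
// Added example: a minimal file-backed session save handler. Every callback
// returns a value, and write() signals failure with false instead of dying,
// which is the condition the report above ties to the crash.
// Assumption: session files live under sys_get_temp_dir() with a sess_ prefix.

function sess_path($id) {
    // Only accept the characters PHP itself uses for session ids, so a
    // crafted cookie cannot point the handler outside the session directory.
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
        return false;
    }
    return sys_get_temp_dir() . '/sess_' . $id;
}
function sess_open($save_path, $session_name) { return true; }
function sess_close() { return true; }
function sess_read($id) {
    $path = sess_path($id);
    // read() must return a string; an empty string means "no data yet".
    return ($path !== false && is_file($path)) ? (string) file_get_contents($path) : '';
}
function sess_write($id, $data) {
    $path = sess_path($id);
    if ($path === false) { return false; }
    // Write atomically via a temp file; on any failure return false so PHP
    // reports "Failed to write session data" instead of the handler dying.
    $tmp = $path . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, $data, LOCK_EX) === false) { return false; }
    return rename($tmp, $path);
}
function sess_destroy($id) {
    $path = sess_path($id);
    return ($path === false || !is_file($path)) ? true : unlink($path);
}
function sess_gc($maxlifetime) {
    foreach (glob(sys_get_temp_dir() . '/sess_*') as $file) {
        if (filemtime($file) + $maxlifetime < time()) { unlink($file); }
    }
    return true;
}

if (!session_set_save_handler('sess_open', 'sess_close', 'sess_read',
                              'sess_write', 'sess_destroy', 'sess_gc')) {
    die('could not install session save handler');
}
// Flush the session before object destruction at shutdown, as the PHP manual
// recommends for custom handlers.
register_shutdown_function('session_write_close');
session_start();
$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;
```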
--
Edit bug report at http://bugs.php.net/?id=51159&edit=1