From: fat
Operating system: any
PHP version: 5.3.2
Package: Reproducible crash
Bug Type: Bug
Bug description: calling zend_parse_ini_string/file recursively core dump

Description:
------------
When zend_parse_ini_string or zend_parse_ini_file is called recursively (for
example from within the parser callback), it crashes. The lexical scanner state
is a global variable, so the recursive call overwrites the state of the outer
call, and the crash happens when that state is freed during scanner shutdown.
To prevent this behaviour, the following patch makes zend_parse_ini_string and
zend_parse_ini_file return an error when called recursively.

Test script:
---------------
#include "php.h"
#include "zend_ini_scanner.h"
#include "zend_ini_parser.h"

static void fpm_conf_load_ini_file(char *filename TSRMLS_DC);

/* Parser callback: an "include" entry makes it load another file, which
 * re-enters zend_parse_ini_file while the outer parse is still running. */
static void fpm_conf_ini_parser(zval *arg1, zval *arg2, zval *arg3, int callback_type, void *arg TSRMLS_DC)
{
	if (!arg1) return;
	if (callback_type != ZEND_INI_PARSER_ENTRY) return;
	if (!strcmp(Z_STRVAL_P(arg1), "include")) {
		/* arg2 carries the entry's value, i.e. the path of the file to include */
		fpm_conf_load_ini_file(Z_STRVAL_P(arg2) TSRMLS_CC);
	}
}

static void fpm_conf_load_ini_file(char *filename TSRMLS_DC)
{
	zend_file_handle fh;

	fh.handle.fp = VCWD_FOPEN(filename, "r");
	if (!fh.handle.fp) return;
	fh.opened_path = NULL;
	fh.free_filename = 0;
	fh.filename = filename;
	fh.type = ZEND_HANDLE_FP;

	zend_parse_ini_file(&fh, 1, ZEND_INI_SCANNER_RAW, (zend_ini_parser_cb_t) fpm_conf_ini_parser, NULL TSRMLS_CC);
}

Expected result:
----------------
It doesn't crash: it either works or returns an error.

Actual result:
--------------
core dump

#0  _zend_mm_free_int (heap=0x8271c000, p=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2018
#1  0x1c23154a in _efree (ptr=0x7d3fe1f8) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2351
#2  0x1c245b5b in zend_stack_destroy (stack=0x3c2c2804) at /LIBRE/dev/php-5.3.2/Zend/zend_stack.c:104
#3  0x1c22bd1c in shutdown_ini_scanner () at zend_ini_scanner.l:201
#4  0x1c22b035 in zend_parse_ini_file (fh=0xcfbd3c70, unbuffered_errors=1 '\001', scanner_mode=0, ini_parser_cb=0x8271c000, arg=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_ini_parser.c:322
#5  0x1c2aefa8 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:739
#6  0x1c2af002 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at
    /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:751
#7  0x1c2ad489 in fpm_init (argc=-2106474496, argv=0x8271c000, config=0x8271c000 "\001", base=0x3c2bf81c) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm.c:32
#8  0x1c2b14ff in main (argc=3, argv=0xcfbd5eac) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_main.c:1695

-- 
Edit bug report at http://bugs.php.net/bug.php?id=51588&edit=1
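To illustrate the failure mode and the guard the report proposes, here is an added example (not code from the report or from PHP): a toy key=value parser in C whose scanner state lives in one global, just like the real INI scanner's lexical state. A nested call made from inside the parser callback is rejected with an error instead of overwriting the live state, so the outer parse finishes and frees its buffer exactly once. All names (parse_ini_string, scanner, include_cb, struct probe, run_demo) and the sample config are invented for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's code: one global holds the scanner state, like the
 * real INI scanner. scanner.active is the re-entrancy guard. */

typedef void (*ini_cb_t)(const char *key, const char *value, void *arg);

static struct {
    char *buf;    /* heap copy of the input currently being scanned */
    int active;   /* 1 while a parse is in progress */
} scanner;

/* Refuses to start while another parse owns the global state. */
static int scanner_init(const char *input)
{
    if (scanner.active) {
        return -1;  /* would overwrite the outer parse's buffer */
    }
    scanner.buf = strdup(input);
    if (scanner.buf == NULL) {
        return -1;
    }
    scanner.active = 1;
    return 0;
}

static void scanner_shutdown(void)
{
    free(scanner.buf);  /* freed exactly once per successful scanner_init */
    scanner.buf = NULL;
    scanner.active = 0;
}

/* Parses "key=value" lines and calls cb for each one.
 * Returns 0 on success, -1 if called while another parse is running. */
int parse_ini_string(const char *input, ini_cb_t cb, void *arg)
{
    char *save;
    char *line;

    if (scanner_init(input) != 0) {
        return -1;
    }
    for (line = strtok_r(scanner.buf, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char *eq = strchr(line, '=');
        if (eq == NULL) {
            continue;
        }
        *eq = '\0';
        cb(line, eq + 1, arg);  /* the callback may try to re-enter the parser */
    }
    scanner_shutdown();
    return 0;
}

/* What the callback observed, for checking from main() or a test. */
struct probe {
    int entries;        /* entries delivered to the outer parse */
    int nested_result;  /* return value of the re-entrant call */
};

/* Mirrors the report's callback: an "include" entry triggers a nested parse.
 * The nested input is a constructed string instead of a file on disk. */
static void include_cb(const char *key, const char *value, void *arg)
{
    struct probe *p = arg;
    (void)value;
    p->entries++;
    if (strcmp(key, "include") == 0) {
        p->nested_result = parse_ini_string("nested=1\n", include_cb, arg);
    }
}

/* Constructed config; the "include" line provokes the recursive call. */
static const char SAMPLE_INI[] =
    "pm=static\n"
    "include=/path/to/other.ini\n"
    "listen=9000\n";

/* Runs the outer parse, returns its result and fills *p. */
int run_demo(struct probe *p)
{
    memset(p, 0, sizeof *p);
    p->nested_result = 99;  /* sentinel: stays 99 if the callback never recursed */
    return parse_ini_string(SAMPLE_INI, include_cb, p);
}

int main(void)
{
    struct probe p;
    int rc = run_demo(&p);
    printf("outer parse: %d, entries: %d, nested parse: %d\n",
           rc, p.entries, p.nested_result);
    /* Once the outer parse has finished, the scanner can be used again. */
    printf("fresh parse afterwards: %d\n",
           parse_ini_string("a=b\n", include_cb, &p));
    return 0;
}
```

The outer parse returns 0 and sees all three entries, the nested call returns -1 rather than touching scanner.buf, and a fresh parse after the outer one completes succeeds. Without the active flag the nested strdup would replace scanner.buf while the outer loop still walks the old buffer, which is the same shape of state clobbering the report describes, ending in the double free seen in the backtrace.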