Edit report at http://bugs.php.net/bug.php?id=51588&edit=1

 ID:               51588
 Patch added by:   f...@php.net
 Reported by:      f...@php.net
 Summary:          calling zend_parse_ini_string/file recursively core
                   dump
 Status:           Open
 Type:             Bug
 Package:          Reproducible crash
 Operating System: any
 PHP Version:      5.3.2

 New Comment:

The following patch has been added/updated:

Patch Name: zend_ini_parser.y.patch
Revision:   1271586553
URL:        http://bugs.php.net/patch-display.php?bug=51588&patch=zend_ini_parser.y.patch&revision=1271586553


Previous Comments:
------------------------------------------------------------------------
[2010-04-18 12:28:33] f...@php.net

Description:
------------
When zend_parse_ini_string or zend_parse_ini_file is called recursively, it
crashes. The lexical state variable is global, so calling those functions
recursively overwrites the previous state and crashes when it is freed/destroyed.

To prevent this behaviour, the following patch makes zend_parse_ini_string and
zend_parse_ini_file return an error when called recursively.

Test script:
---------------
static void fpm_conf_load_ini_file(char *filename TSRMLS_DC);

/* ini parser callback: an "include=<file>" entry re-enters zend_parse_ini_file
 * from inside the callback of the parse that is still running */
static void fpm_conf_ini_parser(zval *arg1, zval *arg2, zval *arg3, int callback_type, void *arg TSRMLS_DC) {
  if (!arg1 || !arg2) return;
  if (callback_type != ZEND_INI_PARSER_ENTRY) return;

  if (!strcmp(Z_STRVAL_P(arg1), "include")) {
    /* arg2 is the entry's value, i.e. the file to include (arg1 is the key "include") */
    fpm_conf_load_ini_file(Z_STRVAL_P(arg2) TSRMLS_CC);
  }
}

static void fpm_conf_load_ini_file(char *filename TSRMLS_DC) {
  zend_file_handle fh;

  fh.handle.fp = VCWD_FOPEN(filename, "r");
  if (!fh.handle.fp) return;
  fh.opened_path = NULL;
  fh.free_filename = 0;
  fh.filename = filename;
  fh.type = ZEND_HANDLE_FP;

  zend_parse_ini_file(&fh, 1, ZEND_INI_SCANNER_RAW, (zend_ini_parser_cb_t)fpm_conf_ini_parser, NULL TSRMLS_CC);
}

Expected result:
----------------
It doesn't crash: it either works or returns an error.

Actual result:
--------------
core dump

#0  _zend_mm_free_int (heap=0x8271c000, p=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2018
#1  0x1c23154a in _efree (ptr=0x7d3fe1f8) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2351
#2  0x1c245b5b in zend_stack_destroy (stack=0x3c2c2804) at /LIBRE/dev/php-5.3.2/Zend/zend_stack.c:104
#3  0x1c22bd1c in shutdown_ini_scanner () at zend_ini_scanner.l:201
#4  0x1c22b035 in zend_parse_ini_file (fh=0xcfbd3c70, unbuffered_errors=1 '\001', scanner_mode=0, ini_parser_cb=0x8271c000, arg=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_ini_parser.c:322
#5  0x1c2aefa8 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:739
#6  0x1c2af002 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:751
#7  0x1c2ad489 in fpm_init (argc=-2106474496, argv=0x8271c000, config=0x8271c000 "\001", base=0x3c2bf81c) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm.c:32
#8  0x1c2b14ff in main (argc=3, argv=0xcfbd5eac) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_main.c:1695

------------------------------------------------------------------------
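Editor's note: the following is an added C example, not part of the bug report and not Zend's or php-fpm's code. It models what the report describes: a parser whose lexer state lives in one global, a callback that re-enters the parser on an "include" entry (as the test script above does), and the guard the attached patch introduces (a recursive call returns an error instead of running). It goes one step further than the patch by showing how an "include" directive can still be honoured once recursion is refused: record the include during the parse and load it after the outer parse has returned. Everything here is an assumption for illustration: the `ini_parse`/`include_cb`/`load_deferred` names, the tiny `key=value` scanner standing in for the Zend ini scanner, and the in-memory `fpm.ini`/`pool.ini` contents, which are constructed. The unguarded run does not reproduce the real double free; it detects that its state was replaced and reports a failure where the real lexer would have walked freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUCCESS 0
#define FAILURE (-1)

/* Callback shape modelled on zend_ini_parser_cb_t; every name here is this example's own. */
typedef void (*ini_cb_t)(const char *key, const char *val, void *arg);
/* One process-wide lexer state, as in Zend/zend_ini_scanner.l of 5.3.2. */
static struct {
    char *buf, *pos;   /* heap copy of the text being scanned, and the cursor into it */
    int active;        /* non-zero while a parse is running: the guard's flag */
    unsigned gen;      /* bumped by every init, so a loop can notice a clobber */
} scanner;

/* Parses "key=value" lines and hands each to cb. With guarded set it behaves
 * like the patched parser: a call made while another parse is active fails. */
static int ini_parse(const char *text, ini_cb_t cb, void *arg, int guarded) {
    size_t n = strlen(text) + 1;
    unsigned my_gen;
    int rc = SUCCESS;
    if (guarded && scanner.active) return FAILURE;   /* the patch's error path */
    scanner.active = 1;
    scanner.buf = scanner.pos = malloc(n);
    my_gen = ++scanner.gen;
    if (!scanner.buf) { scanner.active = 0; return FAILURE; }
    memcpy(scanner.buf, text, n);
    /* gen is tested before pos is dereferenced, so a clobber is seen safely */
    while (scanner.gen == my_gen && *scanner.pos) {
        char *line = scanner.pos, *nl = strchr(line, '\n'), *eq;
        if (nl) *nl = '\0';
        scanner.pos = nl ? nl + 1 : line + strlen(line);
        if ((eq = strchr(line, '='))) { *eq = '\0'; cb(line, eq + 1, arg); }  /* may re-enter */
    }
    if (scanner.gen != my_gen) {
        /* An inner parse replaced our state and freed it on its way out. A real lexer
         * has no such check: it scans freed memory and the outer shutdown frees it
         * again (the invalid free in the report's backtrace). Here it is only leaked. */
        rc = FAILURE;
    } else {
        free(scanner.buf);
        scanner.buf = scanner.pos = NULL;
    }
    scanner.active = 0;
    return rc;
}

/* Constructed in-memory stand-ins for fpm.ini and the file it includes. */
static const struct { const char *name, *text; } files[] = {
    { "fpm.ini",  "pm=dynamic\ninclude=pool.ini\nlisten=127.0.0.1:9000\n" },
    { "pool.ini", "pm.max_children=5\n" },
};

static const char *lookup(const char *name) {
    size_t i;
    for (i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].name, name) == 0) return files[i].text;
    return NULL;
}

struct ctx { int entries, include_rc, guarded; char pending[64]; };

/* The report's pattern: handle "include" by parsing the named file at once. */
static void include_cb(const char *key, const char *val, void *arg) {
    struct ctx *c = arg;
    c->entries++;
    if (strcmp(key, "include") == 0) {
        const char *t = lookup(val);
        c->include_rc = t ? ini_parse(t, include_cb, c, c->guarded) : FAILURE;
    }
}

/* Safe pattern: remember the include and parse it after the outer parse has
 * returned, so the global state is never shared between two parses. */
static void defer_cb(const char *key, const char *val, void *arg) {
    struct ctx *c = arg;
    c->entries++;
    if (strcmp(key, "include") == 0) snprintf(c->pending, sizeof c->pending, "%s", val);
}

static int load_deferred(const char *name, struct ctx *c, int depth) {
    const char *t = lookup(name);
    char inc[64]; int rc;
    if (!t || depth > 8) return FAILURE;    /* 8: cap on include chains and cycles */
    c->pending[0] = '\0';
    rc = ini_parse(t, defer_cb, c, 1);
    if (rc != SUCCESS || !c->pending[0]) return rc;
    memcpy(inc, c->pending, sizeof inc);    /* copy: the next call reuses c->pending */
    return load_deferred(inc, c, depth + 1);
}

static struct ctx last;   /* context of the most recent run, for inspection */
static int run_unguarded(void) { memset(&last, 0, sizeof last); return ini_parse(lookup("fpm.ini"), include_cb, &last, 0); }
static int run_guarded(void)   { memset(&last, 0, sizeof last); last.guarded = 1; return ini_parse(lookup("fpm.ini"), include_cb, &last, 1); }
static int run_deferred(void)  { memset(&last, 0, sizeof last); return load_deferred("fpm.ini", &last, 0); }
static int last_entries(void)    { return last.entries; }
static int last_include_rc(void) { return last.include_rc; }
```

`run_unguarded()` returns FAILURE after three entries: the inner parse of pool.ini runs to completion and tears down the state the outer parse of fpm.ini was still using, so the outer parse never sees its `listen` line. `run_guarded()` returns SUCCESS with `last_include_rc()` == FAILURE, which is the patched behaviour: the outer parse completes and the nested call is refused rather than crashing. `run_deferred()` returns SUCCESS with four entries, because the included file is parsed only after the outer parse has released the global state; the depth cap is there because an include that names its own file would otherwise recurse without end.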