ID: 9801
Updated by: derick
Reported By: [EMAIL PROTECTED]
Status: Analyzed
Bug Type: mcrypt related
Operating system:
PHP Version: 4.0 Latest CVS (16/03/2001)
Assigned To: derick
Comments:

Hello,

looks all ok. I'll check it out, and apply the patch (if ok) so that it will be fixed in PHP 4.0.6

Derick

Previous Comments:
---------------------------------------------------------------------------

[2001-05-17 16:16:59] [EMAIL PROTECTED]
I think I've found the problem (and the solution).

Let's look at some functions found in mcrypt first...

File: mcrypt_modules.c

    int mcrypt_module_close(MCRYPT td)
    {
        lt_dlclose(td->algorithm_handle);
        lt_dlclose(td->mode_handle);
        lt_dlexit();

        td->algorithm_handle = NULL;
        td->mode_handle = NULL;

        td->m_encrypt = NULL;
        td->a_encrypt = NULL;
        td->a_decrypt = NULL;
        td->m_decrypt = NULL;

        free(td);
        return 0;
    }

File: mcrypt.c

    int mcrypt_generic_end(const MCRYPT td)
    {
        internal_end_mcrypt(td);
        mcrypt_module_close(td);
        return 0;
    }

The crash occurs when the call free(td) is made in mcrypt_module_close(MCRYPT td).

Notice that mcrypt_generic_end(const MCRYPT td) calls mcrypt_module_close(MCRYPT td) in the end.

Let's look at the mcrypt.c file from PHP (NOT the same one as above). It has a function called

    php_mcrypt_do_crypt(char* cipher, zval **key, zval **data, char *mode, zval **iv, int argc, int dencrypt, zval* return_value)

At the end of the function, we find the following:

        /* freeing vars */
        mcrypt_generic_end (td);
        if (key_s != NULL)
            efree (key_s);
        if (iv_s != NULL)
            efree (iv_s);
        efree (data_s);
        mcrypt_module_close (td);
    }

The crash occurs when the final mcrypt_module_close is called. The reason is that the call to mcrypt_generic_end (td) also calls mcrypt_module_close(td) that again calls free (td). When we later call mcrypt_module_close (td) we try to free td again, and that sometimes gives us a segmentation fault.

The solution is simply to delete the last line in the php_mcrypt_do_crypt function (mcrypt_module_close (td);) found in mcrypt.c. This is ok, since we have already freed td in the call to mcrypt_generic_end (td) a few lines above.

That solved the problems for me. Finally no more crashes :)

---------------------------------------------------------------------------

[2001-04-10 13:58:16] [EMAIL PROTECTED]
Crashes for me too, possibly a bug in mcrypt itself. Trying more things...

---------------------------------------------------------------------------

[2001-04-10 13:01:24] [EMAIL PROTECTED]
Actually, the script only seems to dump core if I do:

    echo bin2hex($output);

after the encryption. Just a simple:

    echo $output;

seems to work just fine (i.e. it outputs stuff).

- Colin

---------------------------------------------------------------------------

[2001-04-10 12:59:24] [EMAIL PROTECTED]
This happens for me too with today's CVS and the latest CVS of mcrypt. Backtrace says:

    #0 0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
    3152 malloc.c: No such file or directory.
    (gdb) bt
    #0 0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
    #1 0x402c8828 in __libc_free (mem=0x81f7f08) at malloc.c:3054
    #2 0x400a650d in mcrypt_module_close (td=0x81f7f08) at mcrypt_modules.c:48
    #3 0x807c1e7 in php_mcrypt_do_crypt (cipher=0x81f7e94 "rijndael-256", key=0x81f2118, data=0x81f211c, mode=0x818174c "cbc", iv=0x81f2124, argc=5, dencrypt=0, return_value=0x81f7ef4) at mcrypt.c:1317
    #4 0x807c576 in php_if_mcrypt_encrypt (ht=5, return_value=0x81f7ef4, this_ptr=0x0, return_value_used=1) at mcrypt.c:1334
    #5 0x81228e6 in execute (op_array=0x81f37dc) at ./zend_execute.c:1494
    #6 0x80f3fcd in zend_execute_scripts (type=8, file_count=3) at zend.c:743
    #7 0x8069c8f in php_execute_script (primary_file=0xbffffa60) at main.c:1196
    #8 0x8067fa4 in main (argc=2, argv=0xbffffb04) at cgi_main.c:731
    #9 0x4026ab5c in __libc_start_main (main=0x8067830 <main>, argc=2, ubp_av=0xbffffb04, init=0x8064b8c <_init>, fini=0x81362ec <_fini>, rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffffafc) at ../sysdeps/generic/libc-start.c:129

Assigning it to the expert ... :)

---------------------------------------------------------------------------

[2001-03-16 20:58:56] [EMAIL PROTECTED]
When I run .php files under Apache (1.3.19) PHP sometimes crashes. I can run the same file several times, and only sometimes it crashes.

This is what is recorded in the apache log (a lot of them):

    [Fri Mar 9 19:24:51 2001] [notice] child pid 22845 exit signal Segmentation fault (11)

The following code can reproduce the crash:

    $input = "Teststring";
    $key = "gQ8V(|!kQ§lmJ8*~/HajI~lNM.-HzJqy";
    $iv = "w81kaMfJq(1lcJaQ+m BsjedLq!§230?";
    $output = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $input, MCRYPT_MODE_CBC, $iv);

The configure line is:

    --enable-track-vars --with-mysql=/usr/local/mysql --with-mhash --with-mcrypt --with-apxs=/usr/local/apache/bin/apxs

---------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online.

ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=9801&edit=2

--
PHP Development Mailing List <http://www.php.net/>
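
The double release described in the 2001-05-17 comment, modelled as an added example (not code from PHP or libmcrypt). `td_t`, the static pool and the `*_and_clear` helpers are hypothetical stand-ins, and the `GUARDED` order goes beyond the proposed one-line fix to show a caller-side pattern that makes a repeated close harmless.

```c
#include <stdio.h>

/* Hypothetical stand-in for the MCRYPT descriptor (not libmcrypt's struct).
 * A static pool lets a second release be counted without touching the heap. */
typedef struct { int in_use; int session_active; } td_t;
static td_t pool[4];
static int double_releases;

static td_t *td_open(void) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i].in_use = pool[i].session_active = 1; return &pool[i]; }
    return NULL;
}

/* Mirrors mcrypt_module_close(): releases the descriptor. */
static int module_close(td_t *td) {
    if (!td->in_use) { double_releases++; return -1; } /* free(td) again */
    td->in_use = 0;
    return 0;
}

/* Mirrors mcrypt_generic_end(): ends the session, then closes the module. */
static int generic_end(td_t *td) {
    td->session_active = 0;
    return module_close(td);
}

/* Caller-side guards: clear the handle once it has been released. */
static void end_and_clear(td_t **tdp) { if (*tdp) { generic_end(*tdp); *tdp = NULL; } }
static void close_and_clear(td_t **tdp) { if (*tdp) { module_close(*tdp); *tdp = NULL; } }

enum order { REPORTED, PATCHED, GUARDED };
/* Runs one teardown order; returns the number of double releases it caused. */
int teardown(enum order o) {
    td_t *td = td_open();
    double_releases = 0;
    switch (o) {
    case REPORTED: generic_end(td); module_close(td); break;        /* as in the report */
    case PATCHED:  generic_end(td); break;                          /* trailing close removed */
    case GUARDED:  end_and_clear(&td); close_and_clear(&td); break; /* second call is a no-op */
    }
    return double_releases;
}

int main(void) {
    printf("reported=%d patched=%d guarded=%d\n",
           teardown(REPORTED), teardown(PATCHED), teardown(GUARDED));
    return 0;
}
```

Clearing the handle protects only the variable passed in; any other copy of the pointer still refers to released memory.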