ID: 9801
Updated by: derick
Reported By: [EMAIL PROTECTED]
Old-Status: Analyzed
Status: Closed
Bug Type: mcrypt related
Operating system: 
PHP Version: 4.0 Latest CVS (16/03/2001)
Assigned To: derick
Comments:

Ok, this was indeed the problem. Thanks for this excellent help!

Derick

Previous Comments:
---------------------------------------------------------------------------

[2001-05-17 16:37:11] [EMAIL PROTECTED]
Hello,

looks all ok. I'll check it out, and apply the patch (if ok) so that it will be fixed 
in PHP 4.0.6

Derick

---------------------------------------------------------------------------

[2001-05-17 16:16:59] [EMAIL PROTECTED]
I think I've found the problem (and the solution).

Let's look at some functions found in mcrypt first...

File: mcrypt_modules.c

int mcrypt_module_close(MCRYPT td)
{

        lt_dlclose(td->algorithm_handle);
        lt_dlclose(td->mode_handle);
        lt_dlexit();

        td->algorithm_handle = NULL;
        td->mode_handle = NULL;

        td->m_encrypt = NULL;
        td->a_encrypt = NULL;
        td->a_decrypt = NULL;
        td->m_decrypt = NULL;

        free(td);          /* the handle itself is released here */
        
        return 0;
}

File: mcrypt.c

int mcrypt_generic_end(const MCRYPT td)
{
        internal_end_mcrypt(td);
        mcrypt_module_close(td);
        return 0;
}

The crash occurs when the call free(td) is made in mcrypt_module_close(MCRYPT td)

Notice that mcrypt_generic_end(const MCRYPT td) calls mcrypt_module_close(MCRYPT td) 
in the end.

Let's look at the mcrypt.c file from PHP (NOT the same one as above). It has a 
function called

php_mcrypt_do_crypt(char* cipher, zval **key, zval **data, char *mode, zval **iv, int 
argc, int dencrypt, zval* return_value)

At the end of the function, we find the following:

/* freeing vars */
        mcrypt_generic_end (td);   /* calls mcrypt_module_close(), which free()s td */
        if (key_s != NULL)
                efree (key_s);
        if (iv_s != NULL)
                efree (iv_s);
        efree (data_s);
        mcrypt_module_close (td);  /* second free of td: the double free behind the crash */
}

The crash occurs when the final mcrypt_module_close is called.

The reason is that the call to mcrypt_generic_end (td) also calls 
mcrypt_module_close(td) that again calls free (td). When we later call 
mcrypt_module_close (td) we try to free td again, and that sometimes gives us a 
segmentation fault.

The solution is simply to delete the last line in the php_mcrypt_do_crypt function 
(mcrypt_module_close (td);) found in mcrypt.c. This is ok, since we have already freed 
td in the call to mcrypt_generic_end (td) a few lines above.

That solved the problems for me. Finally no more crashes :)

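The double free described above, modelled in C as an added example (not code from the bug report, libmcrypt or PHP): the struct, the allocation tracker and the caller functions are stand-ins that mirror the quoted call chain, and the tracker reports a repeated free of the same handle instead of passing it to the heap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for libmcrypt's MCRYPT handle (constructed, not the real struct). */
typedef struct crypt_td {
    void *algorithm_handle;
    void *mode_handle;
} *MCRYPT;

/* Tiny allocation tracker: remembers live handles so a second free of the
   same pointer is counted rather than corrupting the allocator's state. */
#define MAX_LIVE 16
static MCRYPT live[MAX_LIVE];
static int double_frees = 0;

static MCRYPT tracked_open(void) {
    MCRYPT td = calloc(1, sizeof(*td));
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = td; return td; }
    free(td);
    return NULL;
}

static void tracked_free(MCRYPT td) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == td) { live[i] = NULL; free(td); return; }
    double_frees++;            /* pointer not live: it was already freed */
}

/* Mirrors the libmcrypt chain quoted in the report:
   mcrypt_generic_end() -> mcrypt_module_close() -> free(td). */
static int mcrypt_module_close(MCRYPT td) { tracked_free(td); return 0; }
static int mcrypt_generic_end(const MCRYPT td) { mcrypt_module_close(td); return 0; }

/* Caller shaped like PHP's php_mcrypt_do_crypt before the fix: closes td twice. */
int do_crypt_buggy(void) {
    int before = double_frees;
    MCRYPT td = tracked_open();
    mcrypt_generic_end(td);
    mcrypt_module_close(td);   /* td already released by mcrypt_generic_end() */
    return double_frees - before;   /* 1 */
}

/* Caller after the fix: mcrypt_generic_end() owns and releases td. */
int do_crypt_fixed(void) {
    int before = double_frees;
    MCRYPT td = tracked_open();
    mcrypt_generic_end(td);
    return double_frees - before;   /* 0 */
}

int main(void) {
    printf("buggy caller: %d double free(s)\n", do_crypt_buggy());
    printf("fixed caller: %d double free(s)\n", do_crypt_fixed());
    return 0;
}
```
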
---------------------------------------------------------------------------

[2001-04-10 13:58:16] [EMAIL PROTECTED]
Crashes for me too, possibly a bug in mcrypt itself. Trying more things...

---------------------------------------------------------------------------

[2001-04-10 13:01:24] [EMAIL PROTECTED]
Actually, the script only seems to dump core if I do:

    echo bin2hex($output);

after the encryption.  Just a simple:

    echo $output;

seems to work just fine (i.e. it outputs stuff).

- Colin

---------------------------------------------------------------------------

[2001-04-10 12:59:24] [EMAIL PROTECTED]
This happens for me too with today's CVS and the latest CVS of mcrypt.

Backtrace says:

#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
3152    malloc.c: No such file or directory.
(gdb) bt
#0  0x402c89bc in chunk_free (ar_ptr=0x40369680, p=0x81f7f00) at malloc.c:3152
#1  0x402c8828 in __libc_free (mem=0x81f7f08) at malloc.c:3054
#2  0x400a650d in mcrypt_module_close (td=0x81f7f08) at mcrypt_modules.c:48
#3  0x807c1e7 in php_mcrypt_do_crypt (cipher=0x81f7e94 "rijndael-256", key=0x81f2118, 
data=0x81f211c, 
    mode=0x818174c "cbc", iv=0x81f2124, argc=5, dencrypt=0, return_value=0x81f7ef4) at 
mcrypt.c:1317
#4  0x807c576 in php_if_mcrypt_encrypt (ht=5, return_value=0x81f7ef4, this_ptr=0x0, 
return_value_used=1)
    at mcrypt.c:1334
#5  0x81228e6 in execute (op_array=0x81f37dc) at ./zend_execute.c:1494
#6  0x80f3fcd in zend_execute_scripts (type=8, file_count=3) at zend.c:743
#7  0x8069c8f in php_execute_script (primary_file=0xbffffa60) at main.c:1196
#8  0x8067fa4 in main (argc=2, argv=0xbffffb04) at cgi_main.c:731
#9  0x4026ab5c in __libc_start_main (main=0x8067830 <main>, argc=2, ubp_av=0xbffffb04, 
init=0x8064b8c <_init>, 
    fini=0x81362ec <_fini>, rtld_fini=0x4000d634 <_dl_fini>, stack_end=0xbffffafc)
    at ../sysdeps/generic/libc-start.c:129

Assigning it to the expert ... :)

---------------------------------------------------------------------------

To reply, use the web interface found at http://bugs.php.net/?id=9801&edit=2
PHP Development Mailing List <http://www.php.net/>