[PHP-BUG] Bug #65936 [NEW]: dangling context pointer causes crash
From: tony2...@php.net
Operating system: *
PHP version: 5.5Git-2013-10-21 (Git)
Package: Reproducible crash
Bug Type: Bug
Bug description: dangling context pointer causes crash

Description:
Pointer to stream context is not cleared in persistent stream struct, which results in a crash when re-using that stream.

Test script:
---
options), (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) {
(gdb) bt
#0 0x00764140 in php_stream_context_get_option (context=0x7fd70dd833f8, wrappername=0xbe6fae "socket", optionname=0xbe6fa7 "bindto", optionvalue=0x7fff2c7b1680) at /local/git/php-src/main/streams/streams.c:2219
#1 0x00773725 in php_tcp_sockop_connect (stream=0x10e2840, sock=0x10e08b0, xparam=0x7fff2c7b1780) at /local/git/php-src/main/streams/xp_socket.c:656
#2 0x00773bc4 in php_tcp_sockop_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780) at /local/git/php-src/main/streams/xp_socket.c:757
#3 0x00761a76 in _php_stream_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780) at /local/git/php-src/main/streams/streams.c:1353
#4 0x0077196e in php_stream_xport_connect (stream=0x10e2840, name=0x7fd70dd7fc9e "google.com:80", namelen=13, asynchronous=1, timeout=0x7fff2c7b19e0, error_text=0x7fff2c7b18e0, error_code=0x7fff2c7b19d4) at /local/git/php-src/main/streams/transports.c:243
#5 0x007713fb in _php_stream_xport_create (name=0x7fd70dd7fc9e "google.com:80", namelen=13, options=8, flags=18, persistent_id=0x7fd70dd82da8 "stream_socket_client__tcp://google.com:80", timeout=0x7fff2c7b19e0, context=0x7fd70dd833f8, error_string=0x7fff2c7b19c0, error_code=0x7fff2c7b19d4, __php_stream_call_depth=0, __zend_filename=0xbdf140 "/local/git/php-src/ext/standard/streamsfuncs.c", __zend_lineno=134, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/git/php-src/main/streams/transports.c:143
#6 0x00726d3b in zif_stream_socket_client (ht=5, return_value=0x7fd70dd81690, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /local/git/php-src/ext/standard/streamsfuncs.c:131
#7 0x00816f6e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:550
#8 0x0081b868 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:2329
#9 0x0081665f in execute_ex (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:363
#10 0x008166e7 in zend_execute (op_array=0x7fd70dd7fd78) at /local/git/php-src/Zend/zend_vm_execute.h:388
#11 0x007d8554 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/git/php-src/Zend/zend.c:1320
#12 0x007452fe in php_execute_script (primary_file=0x7fff2c7b61a0) at /local/git/php-src/main/main.c:2489
#13 0x00892bcf in main (argc=1, argv=0x7fff2c7b63c8) at /local/git/php-src/sapi/fpm/fpm/fpm_main.c:1933
[PHP-BUG] Bug #61285 [NEW]: SSL connections do not timeout
From: tony2001
Operating system:
PHP version: 5.4SVN-2012-03-05 (SVN)
Package: OpenSSL related
Bug Type: Bug
Bug description: SSL connections do not timeout

Description:
SSL connections never timeout because poll() isn't even used in ext/openssl.

Test script:
---
server.php:
client.php:
https://localhost/server.php";)); ?>

Expected result:
# time php client.php
Warning: file_get_contents(https://localhost/server.php): failed to open stream: HTTP request failed! in /tmp/client.php on line 1
bool(false)
real    0m2.024s
user    0m0.012s
sys     0m0.003s

Actual result:
--
# time php client.php
string(0) ""
real    0m20.063s
user    0m0.012s
sys     0m0.005s
Bug #61285 [PATCH]: SSL connections do not timeout
ID: 61285
Patch added by: tony2...@php.net
Reported by: tony2...@php.net
Summary: SSL connections do not timeout
Status: Open
Type: Bug
Package: OpenSSL related
PHP Version: 5.4SVN-2012-03-05 (SVN)
Block user comment: N
Private report: N

New Comment:

The following patch has been added/updated:

Patch Name: ssl_timeout.diff
Revision: 1330949320
URL: https://bugs.php.net/patch-display.php?bug=61285&patch=ssl_timeout.diff&revision=1330949320

Previous Comments:

[2012-03-05 12:08:11] tony2...@php.net

Description:
SSL connections never timeout because poll() isn't even used in ext/openssl.

Test script:
---
server.php:
client.php:
https://localhost/server.php";)); ?>

Expected result:
# time php client.php
Warning: file_get_contents(https://localhost/server.php): failed to open stream: HTTP request failed! in /tmp/client.php on line 1
bool(false)
real    0m2.024s
user    0m0.012s
sys     0m0.003s

Actual result:
--
# time php client.php
string(0) ""
real    0m20.063s
user    0m0.012s
sys     0m0.005s
Bug #48724 [PATCH]: getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR
ID: 48724
Patch added by: tony2...@php.net
Reported by: an0nym at narod dot ru
Summary: getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR
Status: Open
Type: Bug
Package: PDO related
Operating System: *
PHP Version: 5.3.0
Block user comment: N
Private report: N

New Comment:

The following patch has been added/updated:

Patch Name: fix-bug-48724.patch
Revision: 1334318775
URL: https://bugs.php.net/patch-display.php?bug=48724&patch=fix-bug-48724.patch&revision=1334318775

Previous Comments:

[2009-07-03 16:57:28] u...@php.net

You are free to patch it. Bye.

[2009-07-03 16:30:12] an0nym at narod dot ru

Poor MySQLi developers... they've managed to solve this problem without specification. Poor you... you've spent sooo many time for nothing developing this function, which works in 35 of 38 cases - this stuff has no specification! Wait for a specification - you have a good excuse! Bye.

[2009-07-03 16:17:20] u...@php.net

You are free to write a patch. I refuse to work on stuff that has no specification and which may go into any direction. That typically ends up in a backwards compatibility nightmare, which in particular for an abstraction like PDO makes no sense to me. The patch may be rather simple. But watch out for different values returned by different MySQL versions.

[2009-07-03 15:39:20] an0nym at narod dot ru

> libmysql and mysqlnd behave the same way. If this is decided to be considered as a bug it is not a mysqlnd bug.

I agree. This is not a libmysql or mysqlnd bug. This is a PDO (or PDO_MySQL) bug.

[2009-07-03 15:31:27] an0nym at narod dot ru

Tell me then, why MySQLi is OK with all the types while PDO is not? Nevertheless, it is not just OK, but it is EQUAL in behaviour for all the types except TINYINT, BIT and YEAR. Don't tell me, please, MySQLi type and PDO native type refer to different things. I'm almost sure they don't. At least they shouldn't.

exec("CREATE TABLE `test`( `tinyint` TINYINT NOT NULL ,`smallint` SMALLINT NOT NULL ,`mediumint` MEDIUMINT NOT NULL ,`int` INT NOT NULL ,`bigint` BIGINT NOT NULL ,`decimal` DECIMAL NOT NULL ,`float` FLOAT NOT NULL ,`double` DOUBLE NOT NULL ,`bit` BIT(1) NOT NULL ,`date` DATE NOT NULL ,`datetime` DATETIME NOT NULL ,`timestamp` TIMESTAMP NOT NULL ,`time` TIME NOT NULL ,`year` YEAR NOT NULL ,`char` CHAR(1) NOT NULL ,`varchar` VARCHAR(1) NOT NULL ,`tinytext` TINYTEXT NOT NULL ,`text` TEXT NOT NULL ,`mediumtext` MEDIUMTEXT NOT NULL ,`longtext` LONGTEXT NOT NULL ,`binary` BINARY(1) NOT NULL ,`varbinary` VARBINARY(1) NOT NULL ,`tinyblob` TINYBLOB NOT NULL ,`mediumblob` MEDIUMBLOB NOT NULL ,`blob` BLOB NOT NULL ,`longblob` LONGBLOB NOT NULL ,`enum` ENUM('') NOT NULL ,`set` SET('') NOT NULL)");
$PDO->exec('INSERT INTO `test`(`tinyint`) VALUES(0)');
$PDO_statement=$PDO->query('SELECT * FROM `test`');
$PDO_fields=array();
for($i=0,$n=$PDO_statement->columnCount();$i<$n;++$i){
    $PDO_fields[]=$PDO_statement->getColumnMeta($i);
}
$MySQLi=new mysqli('localhost','anyone','anyone','test');
$MySQLi_result=$MySQLi->query('SELECT * FROM `test`');
$MySQLi_fields=$MySQLi_result->fetch_fields();
$bug_fields=array();
for($i=0,$n=count($PDO_fields);$i<$n;++$i){
    if(!isset($PDO_fields[$i]['native_type']) or constant('MYSQLI_TYPE_'.$PDO_fields[$i]['native_type'])!=$MySQLi_fields[$i]->type){
        $bug_fields[]=$PDO_fields[$i]['name'];
    }
}
var_dump($bug_fields);
$PDO->exec('DROP TABLE `test`');
?>

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=48724
[PHP-BUG] Bug #62838 [NEW]: enchant_dict_quick_check() destroys zval, but fails to initialized it
From: tony2001
Operating system:
PHP version: 5.4Git-2012-08-16 (Git)
Package: Enchant related
Bug Type: Bug
Bug description: enchant_dict_quick_check() destroys zval, but fails to initialized it

Description:
enchant_dict_quick_check() destroys zval, but doesn't initialize it when passing invalid enchant resource. Initially reported by Mateusz Goik.

Test script:
---

Actual result:
--
/local/qa/5_4_ZTS/Zend/zend_hash.c(1055) : ht=0x7f6745191038 is inconsistent
#48518 [NEW]: curl crashes when writing into invalid file handle
From: tony2...@php.net
Operating system: Linux
PHP version: 5.3CVS-2009-06-10 (CVS)
PHP Bug Type: Reproducible crash
Bug description: curl crashes when writing into invalid file handle

Description:
curl_setopt() doesn't increase reference count of file pointers passed along with CURLOPT_FILE and CURLOPT_WRITEHEADER options, which leads to invalid read/writes and as a result - random crashes because FILE* pointer is destroyed before write().

Simple patch fixes this problem, but there is another one to consider: should the refcount be decreased when closing the cURL handle?

Patch proposed: http://dev.daylessday.org/diff/curl_write_handle.diff

Reproduce code:
---
http://ru.php.net/manual/en/function.curl-errno.php',
'http://ru.php.net/manual/en/function.curl-multi-close.php',
'http://ru.php.net/manual/en/function.curl-multi-getcontent.php',
'http://ru.php.net/manual/en/function.curl-multi-remove-handle.php',
);
$mh = curl_multi_init();
foreach ($urls as $url) {
    $ch = curl_init();
    $tmp_url = parse_url($url);
    $tmp_file = $tmp_dir."/".basename($tmp_url['path']);
    $fp = fopen($tmp_file, "w");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,0);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FILE, $fp);
    curl_multi_add_handle($mh, $ch);
}
$running = 0;
do {
    curl_multi_exec($mh, $running);
} while ($running > 0);
?>

Actual result:
--
==29222== Invalid read of size 2
==29222==    at 0x60411F9: fwrite (in /lib64/libc-2.8.so)
==29222==    by 0x45078F: curl_write (interface.c:882)
==29222==    by 0x5738691: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x5750CC2: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x574D8F3: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x5752F7B: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x575380A: curl_multi_perform (in /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x45736A: zif_curl_multi_exec (multi.c:216)
==29222==    by 0x6340F6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313)
==29222==    by 0x639955: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1601)
==29222==    by 0x633386: execute (zend_vm_execute.h:104)
==29222==    by 0x6045FA: zend_execute_scripts (zend.c:1188)
==29222==    by 0x58FFDE: php_execute_script (main.c:2171)
==29222==    by 0x6E904A: main (php_cli.c:1188)
==29222== Invalid write of size 8
==29222==    at 0x6041245: fwrite (in /lib64/libc-2.8.so)
==29222==    by 0x45078F: curl_write (interface.c:882)
==29222==    by 0x5738691: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x5750CC2: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x574D8F3: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x5752F7B: (within /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x575380A: curl_multi_perform (in /usr/lib64/libcurl.so.4.0.1)
==29222==    by 0x45736A: zif_curl_multi_exec (multi.c:216)
==29222==    by 0x6340F6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313)
==29222==    by 0x639955: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1601)
==29222==    by 0x633386: execute (zend_vm_execute.h:104)
==29222==    by 0x6045FA: zend_execute_scripts (zend.c:1188)
==29222==    by 0x58FFDE: php_execute_script (main.c:2171)
==29222==    by 0x6E904A: main (php_cli.c:1188)
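
The lifetime problem described in this report, modelled in plain C as an added example (not code from the report, the proposed patch, or php-src). `file_res_t`, `xfer_t` and `run_transfers` are hypothetical stand-ins for the stream resource behind `$fp`, the cURL handle and the reproduce loop; the model assumes that `$fp = fopen(...)` drops the script's only reference to the previous file on every iteration. It also covers the question of releasing the reference when the handle is closed.

```c
#include <stdio.h>
#include <stddef.h>

/* Refcounted output file standing in for the stream resource behind $fp.
 * "Destroying" it only clears `open`, so a late write can be detected and
 * counted instead of really touching freed memory. */
typedef struct { int refcount; int open; size_t written; } file_res_t;

/* Transfer handle standing in for a cURL easy handle (hypothetical type). */
typedef struct { file_res_t *out; int holds_ref; } xfer_t;

#define N_URLS 4
static file_res_t files[N_URLS];

static file_res_t *file_open(size_t slot) {
    files[slot].refcount = 1;
    files[slot].open = 1;
    files[slot].written = 0;
    return &files[slot];
}

static void file_release(file_res_t *f) {
    if (--f->refcount == 0)
        f->open = 0;                 /* fclose() would run here */
}

/* take_ref = 0: keep a borrowed pointer (the behaviour the report describes)
 * take_ref = 1: the handle holds a reference of its own */
static void xfer_set_file(xfer_t *x, file_res_t *f, int take_ref) {
    x->out = f;
    x->holds_ref = take_ref;
    if (take_ref)
        f->refcount++;
}

/* 0 on success, -1 where the real write callback would use a dead FILE*. */
static int xfer_write(xfer_t *x, size_t n) {
    if (!x->out->open)
        return -1;
    x->out->written += n;
    return 0;
}

static void xfer_close(xfer_t *x, int release_on_close) {
    if (x->holds_ref && release_on_close)
        file_release(x->out);
    x->out = NULL;
}

/* Mirrors the reproduce loop: set up every transfer first, write afterwards.
 * Returns the number of writes that hit a destroyed file; *still_open gets
 * the number of files never closed (leaked) once everything is torn down. */
int run_transfers(int take_ref, int release_on_close, int *still_open) {
    xfer_t xfers[N_URLS];
    file_res_t *fp = NULL;
    int bad = 0;
    size_t i;

    for (i = 0; i < N_URLS; i++) {
        if (fp)
            file_release(fp);        /* $fp is overwritten: old value loses its reference */
        fp = file_open(i);
        xfer_set_file(&xfers[i], fp, take_ref);
    }
    for (i = 0; i < N_URLS; i++)     /* the curl_multi_exec() phase */
        if (xfer_write(&xfers[i], 512) != 0)
            bad++;
    for (i = 0; i < N_URLS; i++)
        xfer_close(&xfers[i], release_on_close);
    file_release(fp);                /* end of script: last $fp goes away */

    *still_open = 0;
    for (i = 0; i < N_URLS; i++)
        *still_open += files[i].open;
    return bad;
}

int main(void) {
    int left;
    int bad = run_transfers(0, 0, &left);
    printf("borrowed pointer:       %d bad writes, %d files left open\n", bad, left);
    bad = run_transfers(1, 1, &left);
    printf("own ref, released:      %d bad writes, %d files left open\n", bad, left);
    bad = run_transfers(1, 0, &left);
    printf("own ref, never dropped: %d bad writes, %d files left open\n", bad, left);
    return 0;
}
```

In this model, taking a reference without dropping it on close trades the invalid writes for files that are never closed.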
Bug #51772 [PATCH]: php-fpm do not support PowerPC processors
ID: 51772
Patch added by: tony2...@php.net
Reported by: vaskes at mail dot ru
Summary: php-fpm do not support PowerPC processors
Status: Analyzed
Type: Bug
Package: FPM related
Operating System: RedHat Ent. server 5.4-ppc64
PHP Version: 5.3.2
Assigned To: fat

New Comment:

The following patch has been added/updated:

Patch Name: ppc-support
Revision: 1275990348
URL: http://bugs.php.net/patch-display.php?bug=51772&patch=ppc-support&revision=1275990348

Previous Comments:

[2010-06-08 01:13:06] f...@php.net

I don't have a powerpc to test. I'll get some code from nginx. Do you have time to test it?

[2010-06-07 11:44:26] vaskes at mail dot ru

changed package to FPM related

[2010-05-08 15:44:04] vaskes at mail dot ru

Description:
PHP-FPM sapi do not support PowerPC processor.

Build server IBM JS20 bladeserver
[r...@headnode ~]# uname -a
Linux headnode.tst.local 2.6.18-194.el5 #1 SMP Tue Mar 16 22:03:12 EDT 2010 ppc64 ppc64 ppc64 GNU/Linux

Test script:
---
svn co http://svn.php.net/repository/php/php-src/trunk/sapi/fpm sapi/fpm
./buildconf --force
./configure --prefix=/opt/php --enable-fpm --build=powerpc-redhat-linux-gnu --host=powerpc-redhat-linux-gnu --target=ppc-redhat-linux-gnu
make
make install

Expected result:
Successful compilation and php-fpm working

Actual result:
--
/bin/sh /home/php-5.3.2/libtool --silent --preserve-dup-deps --mode=compile cc -I/home/php-5.3.2/sapi/fpm -Isapi/fpm/ -I/home/php-5.3.2/sapi/fpm/ -DPHP_ATOM_INC -I/home/php-5.3.2/include -I/home/php-5.3.2/main -I/home/php-5.3.2 -I/home/php-5.3.2/ext/date/lib -I/home/php-5.3.2/ext/ereg/regex -I/usr/include/libxml2 -I/home/php-5.3.2/ext/sqlite3/libsqlite -I/home/php-5.3.2/TSRM -I/home/php-5.3.2/Zend-I/usr/include -g -O2 -fvisibility=hidden -c /home/php-5.3.2/sapi/fpm/fpm/fastcgi.c -o sapi/fpm/fpm/fastcgi.lo
/bin/sh /home/php-5.3.2/libtool --silent --preserve-dup-deps --mode=compile cc -I/home/php-5.3.2/sapi/fpm -Isapi/fpm/ -I/home/php-5.3.2/sapi/fpm/ -DPHP_ATOM_INC -I/home/php-5.3.2/include -I/home/php-5.3.2/main -I/home/php-5.3.2 -I/home/php-5.3.2/ext/date/lib -I/home/php-5.3.2/ext/ereg/regex -I/usr/include/libxml2 -I/home/php-5.3.2/ext/sqlite3/libsqlite -I/home/php-5.3.2/TSRM -I/home/php-5.3.2/Zend-I/usr/include -g -O2 -fvisibility=hidden -c /home/php-5.3.2/sapi/fpm/fpm/fpm.c -o sapi/fpm/fpm/fpm.lo
/bin/sh /home/php-5.3.2/libtool --silent --preserve-dup-deps --mode=compile cc -I/home/php-5.3.2/sapi/fpm -Isapi/fpm/ -I/home/php-5.3.2/sapi/fpm/ -DPHP_ATOM_INC -I/home/php-5.3.2/include -I/home/php-5.3.2/main -I/home/php-5.3.2 -I/home/php-5.3.2/ext/date/lib -I/home/php-5.3.2/ext/ereg/regex -I/usr/include/libxml2 -I/home/php-5.3.2/ext/sqlite3/libsqlite -I/home/php-5.3.2/TSRM -I/home/php-5.3.2/Zend-I/usr/include -g -O2 -fvisibility=hidden -c /home/php-5.3.2/sapi/fpm/fpm/fpm_children.c -o sapi/fpm/fpm/fpm_children.lo
In file included from /home/php-5.3.2/sapi/fpm/fpm/fpm_shm_slots.h:8,
from /home/php-5.3.2/sapi/fpm/fpm/fpm_children.c:28:
/home/php-5.3.2/sapi/fpm/fpm/fpm_atomic.h:124:2: error: #error unsupported processor. please write a patch and send it to me
In file included from /home/php-5.3.2/sapi/fpm/fpm/fpm_shm_slots.h:8,
from /home/php-5.3.2/sapi/fpm/fpm/fpm_children.c:28:
/home/php-5.3.2/sapi/fpm/fpm/fpm_atomic.h:128: error: expected ‘)’ before ‘*’ token
In file included from /home/php-5.3.2/sapi/fpm/fpm/fpm_children.c:28:
/home/php-5.3.2/sapi/fpm/fpm/fpm_shm_slots.h:16: error: expected specifier-qualifier-list before ‘atomic_t’
make: *** [sapi/fpm/fpm/fpm_children.lo] Error 1
/bin/sh /home/php-5.3.2/libtool --silent --preserve-dup-deps --mode=compile cc -I/home/php-5.3.2/sapi/fpm -Isapi/fpm/ -I/home/php-5.3.2/sapi/fpm/ -DPHP_ATOM_INC -I/home/php-5.3.2/include -I/home/php-5.3.2/main -I/home/php-5.3.2 -I/home/php-5.3.2/ext/date/lib -I/home/php-5.3.2/ext/ereg/regex -I/usr/include/libxml2 -I/home/php-5.3.2/ext/sqlite3/libsqlite -I/home/php-5.3.2/TSRM -I/home/php-5.3.2/Zend-I/usr/include -g -O2 -fvisibility=hidden -c /home/php-5.3.2/sapi/fpm/fpm/fpm_children.c -o sapi/fpm/fpm/fpm_children.lo
In file included from /home/php-5.3.2/sapi/fpm/fpm/fpm_shm_slots.h:8,
from /home/php-5.3.2/sapi/fpm/fpm/fpm_children.c:28:
/home/php-5.3.2/sapi/fpm/fpm/fpm_atomic.h:124:2: error: #error unsupported processor. please write a patch and send it to me
In file included from /home/php-5.3.2/sapi/fpm/fpm/fpm_shm_slots.h:8,
from /home/
[PHP-BUG] Bug #54423 [NEW]: classes from dl()'ed extensions are not destroyed
From:
Operating system:
PHP version: 5.3SVN-2011-03-30 (SVN)
Package: Scripting Engine problem
Bug Type: Bug
Bug description: classes from dl()'ed extensions are not destroyed

Description:
If an extension loaded with dl() declares any classes, these classes are not destroyed along with the module and its other resources. That causes crashes when using delayed early binding, though that's not a requirement, see reproduce case below.

Test script:
---
Reproduce case is quite intricate:
start ONE child process of any PHP SAPI (except CLI/CGI/embed, of course)
execute this code:
) $o = new ; ?>
then comment out the dl() and execute it again.

The class is still present, but its handler pointers are invalid, therefore PHP will crash with a similar backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xb6e17da0 in ?? ()
(gdb) bt
#0 0xb6e17da0 in ?? ()
#1 0x081cc629 in _object_and_properties_init (arg=0x83deae8, class_type=0x8455380, properties=0x0) at /local/dev/php/PHP_5_3/Zend/zend_API.c:1088
#2 0x081cc730 in _object_init_ex (arg=0x83deae8, class_type=0x8455380) at /local/dev/php/PHP_5_3/Zend/zend_API.c:1096
#3 0x081ee86d in ZEND_NEW_SPEC_HANDLER (execute_data=0x8411d80) at /local/dev/php/PHP_5_3/Zend/zend_vm_execute.h:476
#4 0x081eb4f9 in execute (op_array=0x83dd3f4) at /local/dev/php/PHP_5_3/Zend/zend_vm_execute.h:107
#5 0x081cab82 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/dev/php/PHP_5_3/Zend/zend.c:1194
#6 0x08179b90 in php_execute_script (primary_file=0xbfda0cb0) at /local/dev/php/PHP_5_3/main/main.c:2268
#7 0x0825a53d in main (argc=1, argv=0xbfda0e04) at /local/dev/php/PHP_5_3/sapi/fpm/fpm/fpm_main.c:1882
(gdb) f 1
#1 0x081cc629 in _object_and_properties_init (arg=0x83deae8, class_type=0x8455380, properties=0x0) at /local/dev/php/PHP_5_3/Zend/zend_API.c:1088
1088        Z_OBJVAL_P(arg) = class_type->create_object(class_type TSRMLS_CC);
(gdb) p class_type->create_object
$1 = (zend_object_value (*)(zend_class_entry *)) 0xb6e17da0
(gdb) p *class_type->create_object
Cannot access memory at address 0xb6e17da0
php-bugs@lists.php.net
ID: 60082
Patch added by: tony2...@php.net
Reported by: tklingenberg at lastflood dot net
Summary: 100% CPU / when using references with ArrayObject(&$ref).
Status: Assigned
Type: Bug
Package: SPL related
Operating System: GNU/Linux
PHP Version: 5.3.8
Assigned To: helly
Block user comment: N
Private report: N

New Comment:

The following patch has been added/updated:

Patch Name: recursion-detection
Revision: 1319089482
URL: https://bugs.php.net/patch-display.php?bug=60082&patch=recursion-detection&revision=1319089482

Previous Comments:

[2011-10-19 02:28:53] larue...@php.net

Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=318204
Log: Test for #60082

[2011-10-19 02:09:08] larue...@php.net

helly, plz look at this. thanks :)

[2011-10-18 12:51:03] larue...@php.net

The following patch has been added/updated:

Patch Name: bug60082.phpt
Revision: 1318942263
URL: https://bugs.php.net/patch-display.php?bug=60082&patch=bug60082.phpt&revision=1318942263

[2011-10-18 12:46:20] larue...@php.net

The following patch has been added/updated:

Patch Name: bug60082.patch
Revision: 1318941980
URL: https://bugs.php.net/patch-display.php?bug=60082&patch=bug60082.patch&revision=1318941980

[2011-10-18 09:38:44] larue...@php.net

$test = new ArrayObject(&$test) will make the intern->array an object; thus, there will be an infinite loop between spl_array_get_properties and spl_array_get_hash_table (call to HASH_OF which will call to spl_array_get_properties). Then PHP will segfault due to stack overflow...

I have tried to use SEPARATE_ARG_IF_REF to fix this segfault, but there is a test failed (ext/spl/tests/array_004.phpt)

thanks

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=60082
[PHP-BUG] Bug #60240 [NEW]: invalid read/writes when unserializing specially crafted strings
From: tony2001
Operating system: Linux 64bit
PHP version: 5.4.0beta2
Package: Session related
Bug Type: Bug
Bug description: invalid read/writes when unserializing specially crafted strings

Description:
The following tests in 5_4 branch:
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
ext/session/tests/session_decode_error2.phpt
under Valgrind show several issues that might be quite dangerous.
This issue exists in 5_4 only and is not reproducible in 5_3 branch.

Valgrind log:
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==  Address 0xa1b0595 is 0 bytes after a block of size 5 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D455: process_nested_data (var_unserializer.re:278)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1be08a is 0 bytes after a block of size 10 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==    by 0xAE3064: main (php_cli.c:1356)
==18527==
==18527== Invalid read of size 1
==18527==    at 0x85E087: php_var_unserialize (var_unserializer.c:532)
==18527==    by 0x85D5E4: process_nested_data (var_unserializer.re:292)
==18527==    by 0x85EC75: php_var_unserialize (var_unserializer.re:604)
==18527==    by 0x725681: ps_srlzr_decode_php (session.c:920)
==18527==    by 0x7232A8: php_session_decode (session.c:216)
==18527==    by 0x7293D7: zif_session_decode (session.c:1854)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9D6BFD: execute (zend_vm_execute.h:410)
==18527==    by 0x998D28: zend_execute_scripts (zend.c:1272)
==18527==    by 0x90F847: php_execute_script (main.c:2414)
==18527==    by 0xAE214C: do_cli (php_cli.c:983)
==18527==  Address 0xa1c928e is 0 bytes after a block of size 14 alloc'd
==18527==    at 0x4C2683D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18527==    by 0x963158: _emalloc (zend_alloc.c:2423)
==18527==    by 0x96371F: _estrndup (zend_alloc.c:2596)
==18527==    by 0x82D95B: zif_substr (string.c:2269)
==18527==    by 0x9D8280: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:642)
==18527==    by 0x9DF505: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2215)
==18527==    by 0x9
[PHP-BUG] Bug #63369 [NEW]: (un)serialize() leaves dangling pointers, causes crashes
From: tony2001
Operating system: *
PHP version: 5.4Git-2012-10-26 (Git)
Package: Reproducible crash
Bug Type: Bug
Bug description: (un)serialize() leaves dangling pointers, causes crashes

Description:
When a fatal error happens in a __sleep/__wakeup function, BG(serialize) and BG(unserialize) contents are left intact and the next request will get those pointers again, even though at that moment they are already freed by Zend memory manager during request shutdown. If you're lucky, there is a chance you'll reuse them, which causes immediate crash.
The attached script demonstrates the problem with serialize() and I'm kinda lazy to do the same for unserialize(), especially taking into account that the patch is extremely simple.

Test script:
---
<?php
class bar1 {
    function __sleep() {
        foo(); // foo() is not defined: fatal error inside __sleep
    }
}

class foo1 {
    function __sleep() {
        var_dump(serialize(array("test", "1", 234)));
        var_dump(serialize(new bar1));
    }
}

$o = new foo1;
var_dump(unserialize('O:8:"stdclass":0:{}')); //to clear BG(serialize_lock)
var_dump(serialize($o));

Expected result: .
Actual result: -- .
Bug #63369 [PATCH]: (un)serialize() leaves dangling pointers, causes crashes
Edit report at https://bugs.php.net/bug.php?id=63369&edit=1

ID: 63369
Patch added by: tony2...@php.net
Reported by: tony2...@php.net
Summary: (un)serialize() leaves dangling pointers, causes crashes
Status: Open
Type: Bug
Package: Reproducible crash
Operating System: *
PHP Version: 5.4Git-2012-10-26 (Git)
Block user comment: N
Private report: N

New Comment:

The following patch has been added/updated:

Patch Name: the-patch
Revision: 1351254242
URL: https://bugs.php.net/patch-display.php?bug=63369&patch=the-patch&revision=1351254242

Previous Comments:
[2012-10-26 12:23:16] tony2...@php.net

Description:
When a fatal error happens in a __sleep/__wakeup function, BG(serialize) and BG(unserialize) contents are left intact and the next request will get those pointers again, even though at that moment they are already freed by Zend memory manager during request shutdown. If you're lucky, there is a chance you'll reuse them, which causes immediate crash.
The attached script demonstrates the problem with serialize() and I'm kinda lazy to do the same for unserialize(), especially taking into account that the patch is extremely simple.

Test script:
---
<?php
class bar1 {
    function __sleep() {
        foo(); // foo() is not defined: fatal error inside __sleep
    }
}

class foo1 {
    function __sleep() {
        var_dump(serialize(array("test", "1", 234)));
        var_dump(serialize(new bar1));
    }
}

$o = new foo1;
var_dump(unserialize('O:8:"stdclass":0:{}')); //to clear BG(serialize_lock)
var_dump(serialize($o));

Expected result: .
Actual result: -- .
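The failure mode described in Bug #63369, reduced to a stand-alone C model: process-lifetime state keeps a pointer into request-lifetime memory after a bailout skips the cleanup. This is an added example, not code from php-src or from the attached patch; `g_serialize`, `run_request` and the reset-at-request-start hardening are hypothetical names and an assumed mitigation chosen for illustration.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for BG(serialize): process-lifetime state that
 * caches a pointer into request-lifetime memory. */
struct ser_state { void *var_hash; int level; };
static struct ser_state g_serialize;
static void *g_request_block;   /* models memory owned by the request allocator */
static jmp_buf g_bailout;       /* models the fatal-error bailout */

static void request_shutdown(void) {
    free(g_request_block);      /* allocator releases everything from this request */
    g_request_block = NULL;
}

static void do_serialize(int fatal_in_sleep) {
    if (g_serialize.level++ == 0) {
        g_request_block = malloc(64);
        g_serialize.var_hash = g_request_block;
    }
    if (fatal_in_sleep) longjmp(g_bailout, 1);   /* cleanup below never runs */
    if (--g_serialize.level == 0) g_serialize.var_hash = NULL;
}

/* Runs one request; returns 1 if it started with a dangling var_hash. */
static int run_request(int fatal_in_sleep, int reset_on_init) {
    int stale;
    if (reset_on_init)          /* assumed hardening: clear the state per request */
        memset(&g_serialize, 0, sizeof g_serialize);
    stale = g_serialize.var_hash != NULL && g_request_block == NULL;
    if (!stale) {               /* a stale pointer is reported, never dereferenced */
        if (setjmp(g_bailout) == 0)
            do_serialize(fatal_in_sleep);
    }
    request_shutdown();
    return stale;
}

/* Request 1 dies inside __sleep; request 2 is an ordinary request. */
static int second_request_is_stale(int reset_on_init) {
    memset(&g_serialize, 0, sizeof g_serialize);
    run_request(1, reset_on_init);
    return run_request(0, reset_on_init);
}

int main(void) {   /* exit status 0 when both outcomes match the model */
    return (second_request_is_stale(0) == 1 && second_request_is_stale(1) == 0) ? 0 : 1;
}
```

Building the same model with AddressSanitizer and letting the second request touch `var_hash` would flag the use-after-free directly; the version here only reports the stale pointer so that it runs cleanly.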