[php-maint] Bug#322507: php5: Crash in catch block when many arguments are used

Alexey Feldgendler feldgendler at feldgendler.plesk.ru
Thu Aug 11 03:53:56 UTC 2005


Package: php5
Version: 5.0.4-3
Severity: important

Note: I have already reported the bug upstream, and it has been fixed.
http://bugs.php.net/bug.php?id=34062
At the end of this bug report is the patch to fix the bug.

PHP crashes in a catch block. It happened in a real program, and I've
gradually reduced its complexity until I came to the simple testcase I'm
posting below. Both mod_php5 for Apache 2 and php5-cli crash on this
testcase.

Here is what I found during research:

In the beginning, I had multiple functions calling each other, like
this:

catch (Exception $e) {
    function f2() { f3(0, 0); }
}
function f3() { f4(0, 0, 0); }
function f4() { f5(0, 0); }

...up to a quite deep nesting. I found that I can keep PHP crashing if I
carry the zeros from one function call to another, as long as their
total number does not decrease. I could even carry the zeros between the
catch block and the try block. Also I could exchange one level of
nesting for two additional zeros. So I collapsed them all into the
argument list of max(). The max() function was chosen arbitrarily; any
function that takes an unlimited number of arguments will do. The zeros can
also be replaced with values of any type. The crash can also be
reproduced using set_exception_handler() instead of a catch block.

Reproduce code:
---------------
<?php

function f1() { throw new Exception; }
function f2() { echo "here\n"; }

try {
    // Currently it's the minimum required number of zeros;
    // if you remove one, it won't crash.
    max(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, f1());
} catch (Exception $e) {
    echo "(((\n";
    f2(0, 0, 0); // Won't crash if less than 3 zeros here
    echo ")))\n";
}

?>

Expected result:
----------------
(((
here
)))

Actual result:
--------------
(((
here
Segmentation fault

Here is the stack dump (obtained from php-cli):

#0  0x081fb0b6 in _zval_ptr_dtor ()
#1  0x0822b47c in zend_do_fcall_common_helper ()
#2  0x0823bb73 in zend_do_fcall_handler ()
#3  0x08228c39 in execute ()
#4  0x08208414 in zend_execute_scripts ()
#5  0x081ce03d in php_execute_script ()
#6  0x0824c284 in main ()

Patch to fix the bug:
---------------------

--- Zend/zend_execute.c	10 Aug 2005 10:37:23 -0000	1.652.2.47
+++ Zend/zend_execute.c	10 Aug 2005 13:11:29 -0000	1.652.2.48
@@ -4381,6 +4381,7 @@
 	while (*stack_zval_pp != NULL) {
 		zval_ptr_dtor(stack_zval_pp);
 		EG(argument_stack).top_element--;
+		EG(argument_stack).top--;
 		stack_zval_pp--;
 	}
 
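Review bot: The loop pops each argument with zval_ptr_dtor() and decrements `top_element`, but before this change `top` was never decremented, so the two bookkeeping fields of EG(argument_stack) drifted apart every time arguments were cleaned up on this path; the added `EG(argument_stack).top--;` keeps them in step, which is consistent with the `_zval_ptr_dtor` crash inside `zend_do_fcall_common_helper` in the backtrace above. Suggest adding the testcase from this report as a regression test, and confirming that every other place that pushes to or pops from this stack adjusts both fields, so the invariant holds on the normal return path as well as on the exception path.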
-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (900, 'testing-proposed-updates'), (900, 'testing'), (900, 'stable'), (800, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages php5 depends on:
ii  libapache2-mod-php5           5.0.4-3    server-side, HTML-embedded scripti
ii  php5-cgi                      5.0.4-3    server-side, HTML-embedded scripti
ii  php5-common                   5.0.4-3    Common files for packages built fr

php5 recommends no packages.

-- debconf information:
  php5/update_apache_php_ini: true
