#33989 [Opn->Ver]: extract()/eval()/require() crashes php

Wed, 03 Aug 2005 15:12:16 -0700 

 ID:               33989
 Updated by:       [EMAIL PROTECTED]
 Reported By:      mdpm2 at rohms dot com
-Status:           Open
+Status:           Verified
 Bug Type:         Reproducible crash
 Operating System: FreeBSD 4.5
 PHP Version:      4.4.0
 New Comment:

<?php
$a="a";
extract($GLOBALS, EXTR_REFS);
?>
is enough to see errors when Zend MM is disabled (with 5.1-dev too).


Previous Comments:
------------------------------------------------------------------------

[2005-08-03 23:09:08] mdpm2 at rohms dot com

Description:
------------
The use of extract($GLOBALS,EXTR_REFS) appears to corrupt memory when
it is followed by an eval()'d series of code which includes another PHP
file.

This produces the following error:

httpd process:
  [notice] child pid 46966 exit signal Bus error (10)
or
  Bus error (core dumped)  (from php standalone)


NOTE: This is a clarification of bug #33985

Reproduce code:
---------------
art.php (base script to run to reproduce error):
<?
 echo "<PRE>";
  $fcategory=20;
//  $stx="require_once(\"l-catlist.php\"); echo \"inside eval\";
catlist(1,0,9,3,$fcategory,0,1,1,99);";

  $stx="require_once(\"l-catlist.php\"); echo \"inside eval\";";

echo 'EVAL string6='.$stx.'<P>';
  extract($GLOBALS,EXTR_REFS);
  eval($stx);
echo "\n\ndone run</PRE>";
?>

l-catlist.php (included from eval'd code):
<?
##
function
catlist($ct1,$parentid,$depth=NULL,$distype=1,$selected=NULL,$linktype=2,$zero=1,$action=0,$tt=0)
{
  echo "inside catlist<P>";
  return(0);
}
?>


Expected result:
----------------
For server to not crash at least..

Actual result:
--------------
There are two versions of the $stx assignment - I was debugging a
condition where I was having problems with the passing of parameters
between functions and I discovered when trimming down the code, I could
make the server completely crash with a simplified version so I believe
this is related to the problems I'm experiencing.  If you can't
reproduce the error, try enabling the alternate assignment of $stx and
making sure the variables passed are accurate.  However, I can
consistently crash the server using the above code and merely calling
art.php.

If you comment out "extract($GLOBALS,EXTR_REFS);" there are no
problems.

It's possible the above code could be even more simplified but I've
verified the error condition works with it as listed, under Apache
1_3.26/PHP 4.4.0

The problem can also be reproduced outside of apache:

#php -f art.php
<PRE>EVAL string6=require_once("l-catlist.php"); echo "inside
eval";<P>inside eval

done run</PRE>
Bus error (core dumped)

NOTE: zend 20050606 was enabled - I'm not sure how to disable it.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=33989&edit=1

Reply via email to