ID:               34306
 User updated by:  dmitrysp at yandex dot ru
 Reported By:      dmitrysp at yandex dot ru
 Status:           Open
 Bug Type:         WDDX related
 Operating System: Windows XP sp2
 PHP Version:      5.1.0RC1
 New Comment:

101E0944              |. 8B4C24 10      MOV ECX,DWORD PTR SS:[ESP+10]
101E0948              |. 896B 04        MOV DWORD PTR DS:[EBX+4],EBP
101E094B              |. 51             PUSH ECX

ECX=9BE060 ($str)

101E094C              |. E8 5F77E2FF    CALL php5ts._efree
101E0951              |. 83C4 04        ADD ESP,4
101E0954              |> 8BB424 2001000>MOV ESI,DWORD PTR SS:[ESP+120]
101E095B              |. 33C0           XOR EAX,EAX
101E095D              |. 8A46 0C        MOV AL,BYTE PTR DS:[ESI+C]   <-- crash here - unknown address

ESI+C=EDECEBF6 (from stack)


Stack:

$+14     > 00000113
$+18     > 7261763C
$+1C     > 6D616E20
$+20     > 01273D65   <-- begin $str
$+24     > 05040302
$+28     > 09080706
$+2C     > 0D0C0B0A
$+30     > 11100F0E
$+34     > 15141312
$+38     > 19181716
$+3C     > 1D1C1B1A
$+40     > 21201F1E
$+44     > 6F757126
$+48     > 24233B74
$+4C     > 6D612625
$+50     > 23263B70
$+54     > 3B393330
$+58     > 2B2A2928
$+5C     > 2F2E2D2C
$+60     > 33323130
$+64     > 37363534
$+68     > 3B3A3938
$+6C     > 3B746C26
$+70     > 7467263D
$+74     > 41403F3B
$+78     > 45444342
$+7C     > 49484746
$+80     > 4D4C4B4A
$+84     > 51504F4E
$+88     > 55545352
$+8C     > 59585756
$+90     > 5D5C5B5A
$+94     > 61605F5E
$+98     > 65646362
$+9C     > 69686766
$+A0     > 6D6C6B6A
$+A4     > 71706F6E
$+A8     > 75747372
$+AC     > 79787776
$+B0     > 7D7C7B7A
$+B4     > 81807F7E
$+B8     > 85848382
$+BC     > 89888786
$+C0     > 8D8C8B8A
$+C4     > 91908F8E
$+C8     > 95949392
$+CC     > 99989796
$+D0     > 9D9C9B9A
$+D4     > A1A09F9E
$+D8     > A5A4A3A2
$+DC     > A9A8A7A6
$+E0     > ADACABAA
$+E4     > B1B0AFAE
$+E8     > B5B4B3B2
$+EC     > B9B8B7B6
$+F0     > BDBCBBBA
$+F4     > C1C0BFBE
$+F8     > C5C4C3C2
$+FC     > C9C8C7C6
$+100    > CDCCCBCA
$+104    > D1D0CFCE
$+108    > D5D4D3D2
$+10C    > D9D8D7D6
$+110    > DDDCDBDA
$+114    > E1E0DFDE
$+118    > E5E4E3E2
$+11C    > E9E8E7E6
$+120    > EDECEBEA    <-- SS:[ESP+120]
$+124    > F1F0EFEE
$+128    > F5F4F3F2
$+12C    > F9F8F7F6
$+130    > FDFCFBFA    <-- end $str .-)


Previous Comments:
------------------------------------------------------------------------

[2005-08-30 14:10:10] dmitrysp at yandex dot ru

Description:
------------
Apache2 crash. 

Try Apache2 + PHP 5.1.0RC1, 
Apache2 + PHP 5.1.0-dev (built: Aug 30 2005 08:42:21), 
php.exe 4.3.0 console.

szAppName : Apache.exe     szAppVer : 2.0.54.0     szModName : php5ts.dll
szModVer : 5.1.0.0     offset : 001e144d

Reproduce code:
---------------
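    <?php
    // Build a 254-byte string holding every byte value from 0x01 to 0xFE.
    $str='';
    for ($i=1; $i<255; $i++) $str.=chr($i);
    // Use that string as an array key, then serialize the array with WDDX.
    $mix=array($str=>1);
    $buf=wddx_serialize_value($mix, 'name'); // apache crash here
    echo "ok";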




------------------------------------------------------------------------
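
Added example, not part of the original report: a Python triage sketch that decodes rows of the stack dump in the newest comment, showing that the stack holds serializer output beginning `<var name='` with the array key XML-escaped, and that the dword loaded from `[ESP+120]` is four consecutive bytes of that key, which yields the reported `ESI+C=EDECEBF6`. The helper names `parse_dump`, `stack_bytes` and `is_input_run` are hypothetical; the rows are copied from the dump above.

```python
import re
import struct

# Rows copied from the stack dump in the report ("$+offset > dword", hex).
DUMP = """
$+18     > 7261763C
$+1C     > 6D616E20
$+20     > 01273D65
$+40     > 21201F1E
$+44     > 6F757126
$+48     > 24233B74
$+4C     > 6D612625
$+50     > 23263B70
$+54     > 3B393330
$+120    > EDECEBEA
"""
ROW = re.compile(r"^\$\+([0-9A-Fa-f]+)\s*>\s*([0-9A-Fa-f]{8})")

def parse_dump(text):
    """Map stack offset -> 32-bit value for each '$+off > dword' row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[int(m.group(1), 16)] = int(m.group(2), 16)
    return rows

def stack_bytes(rows, start, end):
    """Bytes in memory order for offsets [start, end); x86 is little-endian."""
    return b"".join(struct.pack("<I", rows[o]) for o in range(start, end, 4))

def is_input_run(value):
    """True if the dword's bytes in memory are four consecutive values,
    the pattern left by the reproducer's chr(1)..chr(254) string."""
    b = struct.pack("<I", value)
    return all(b[i + 1] == b[i] + 1 for i in range(3))

rows = parse_dump(DUMP)
prefix = stack_bytes(rows, 0x18, 0x24)    # start of the serialized element
escaped = stack_bytes(rows, 0x40, 0x58)   # input bytes 0x1E..0x27 after escaping
esi = rows[0x120]                         # loaded by MOV ESI,[ESP+120]
fault_addr = (esi + 0xC) & 0xFFFFFFFF     # address read by MOV AL,[ESI+C]

if __name__ == "__main__":
    print(prefix, escaped)
    print(hex(fault_addr), "pointer is input data:", is_input_run(esi))
```
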

