From: prometheus__0 at hotmail dot com
Operating system: Linux Sles10
PHP version: 5.1.6
PHP Bug Type: Reproducible crash
Bug description: php segfaults in zend_get_extension
Description:
------------
A pointer isn't checked within zend_extension.c, which can cause segfaults. I had the problem using the current version of the DBG extension, not installed as a zend_extension, but the cause of this is a non-validated pointer. I checked the actual PHP 5.2 CVS and the bug can also be found there, on line 221 of file Zend/zend_extension.c:
---------------------------
zend_extension *extension = (zend_extension *) element->data;
if (!strcmp(extension->name, extension_name)) {
    return extension;
}
---------------------------
extension isn't checked for being NULL, and strcmp doesn't care. extension_name was correct, as seen in the backtrace.

Reproduce code:
---------------
host:/home/testuser # php5 -r 'print "BUGG";'
BUGGSegmentation fault
host:/home/testuser #

Expected result:
----------------
host:/home/testuser # php5 -r 'print "BUGG";'
BUGG
host:/home/testuser #

Actual result:
--------------
(gdb) run -r 'print "BUGG";'
Starting program: /usr/bin/php5 -r 'print "BUGG";'
[Thread debugging using libthread_db enabled]
[New Thread 182910915616 (LWP 20652)]
BUGG

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 182910915616 (LWP 20652)]
0x0000002a963b73c3 in strcmp () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x0000002a963b73c3 in strcmp () from /lib64/tls/libc.so.6
#1  0x000000000054cb96 in zend_get_extension (extension_name=0x2a9727629d "DBG") at /usr/src/debug/php-5.1.6/Zend/zend_extensions.c:221
#2  0x0000002a9726e50c in zm_shutdown_dbg (type=<value optimized out>, module_number=18) at /home/mcls/dbg-2.15.1/dbg.c:926
#3  0x0000000000548613 in module_destructor (module=0x7fe030) at /usr/src/debug/php-5.1.6/Zend/zend_API.c:1811
#4  0x000000000054dc86 in zend_hash_apply_deleter (ht=0x79ed20, p=0x7fdfd0) at /usr/src/debug/php-5.1.6/Zend/zend_hash.c:576
#5  0x000000000054de68 in zend_hash_graceful_reverse_destroy (ht=0x79ed20) at /usr/src/debug/php-5.1.6/Zend/zend_hash.c:642
#6  0x00000000005443d7 in zend_shutdown () at /usr/src/debug/php-5.1.6/Zend/zend.c:728
#7  0x000000000050699a in php_module_shutdown () at /usr/src/debug/php-5.1.6/main/main.c:1618
#8  0x00000000005b70d0 in main (argc=3, argv=0x7fbffff498) at /usr/src/debug/php-5.1.6/sapi/cli/php_cli.c:1252
(gdb)

-- Edit bug report at http://bugs.php.net/?id=39176&edit=1
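The lookup the report quotes, rewritten as an added example (this is not code from the bug report or from PHP's Zend engine): a minimal extension-list walk in the shape of zend_get_extension(), first in the unchecked form from the report and then with the NULL check the report says is missing. The struct layouts, the function names and the sample list with a NULL data pointer are assumptions constructed for illustration.

```c
/* Added example, not PHP's own code. Structures are stand-ins for
 * zend_extension and zend_llist_element (assumed layout, illustration only). */
#include <stddef.h>
#include <string.h>

typedef struct ext {
    const char *name;          /* the only field the lookup touches */
} ext_t;

typedef struct llist_element {
    void *data;                /* void* exactly as in the report's snippet */
    struct llist_element *next;
} llist_element;

/* Unchecked form, mirroring the quoted snippet: element->data is cast and
 * dereferenced without a NULL test, so a NULL entry reaches strcmp() and
 * faults, which is the SIGSEGV in the backtrace. Kept for comparison only;
 * do not call it on a list containing a NULL data pointer. */
ext_t *find_extension_unchecked(llist_element *head, const char *extension_name)
{
    for (llist_element *e = head; e != NULL; e = e->next) {
        ext_t *extension = (ext_t *)e->data;
        if (!strcmp(extension->name, extension_name)) {
            return extension;
        }
    }
    return NULL;
}

/* Checked form: a NULL element->data (or a NULL name, or a NULL query) is
 * skipped instead of being handed to strcmp(). */
ext_t *find_extension_checked(llist_element *head, const char *extension_name)
{
    if (extension_name == NULL) {
        return NULL;
    }
    for (llist_element *e = head; e != NULL; e = e->next) {
        ext_t *extension = (ext_t *)e->data;
        if (extension == NULL || extension->name == NULL) {
            continue;          /* the check the reported code lacks */
        }
        if (strcmp(extension->name, extension_name) == 0) {
            return extension;
        }
    }
    return NULL;
}

/* Constructed sample list: a valid entry, an entry whose data is NULL (the
 * state that makes the unchecked walk crash), then the "DBG" entry named in
 * the report's backtrace. */
static ext_t sample_other = { "other" };
static ext_t sample_dbg   = { "DBG" };
static llist_element sample_third  = { &sample_dbg,   NULL };
static llist_element sample_second = { NULL,          &sample_third };
static llist_element sample_first  = { &sample_other, &sample_second };

/* Looks a name up in the constructed list with the checked walk; returns the
 * matching extension or NULL. Safe to call even though the list holds a
 * NULL data pointer in its second element. */
ext_t *lookup_sample(const char *extension_name)
{
    return find_extension_checked(&sample_first, extension_name);
}

/* Stand-alone demo: exit status 0 if "DBG" is found past the NULL entry. */
int main(void)
{
    ext_t *found = lookup_sample("DBG");
    return (found != NULL && strcmp(found->name, "DBG") == 0) ? 0 : 1;
}
```

The point of the checked form is that the list entry, not the caller's argument, is the untrusted input here: the backtrace shows extension_name was a valid "DBG" string, so validating only the argument would not have prevented the crash.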