[php-maint] Bug#322507: marked as done (php5: Crash in catch block when many arguments are used)

Debian Bug Tracking System owner at bugs.debian.org
Mon Sep 12 08:48:13 UTC 2005 

Your message dated Mon, 12 Sep 2005 01:32:07 -0700
with message-id <E1EEjjT-0007Ut-00 at spohr.debian.org>
and subject line Bug#322507: fixed in php5 5.0.5-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Aug 2005 03:54:16 +0000
>From feldgendler at feldgendler.plesk.ru Wed Aug 10 20:54:16 2005
Return-path: <feldgendler at feldgendler.plesk.ru>
Received: from plesk-gw.nsk.gldn.net (master.plesk.ru) [194.67.59.14] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E3491-0007vH-00; Wed, 10 Aug 2005 20:54:16 -0700
Received: from localhost (feldgendler.plesk.ru [192.168.62.79])
	by master.plesk.ru (8.13.4/8.13.4) with ESMTP id j7B3sBB6016355
	for <submit at bugs.debian.org>; Thu, 11 Aug 2005 10:54:11 +0700 (NOVST)
	(envelope-from feldgendler at feldgendler.plesk.ru)
Received: from feldgendler by localhost with local (Exim 4.52)
	id 1E348i-0004T3-1I
	for submit at bugs.debian.org; Thu, 11 Aug 2005 10:53:56 +0700
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: php5: Crash in catch block when many arguments are used
X-Debbugs-CC: Alexey Feldgendler <feldgendler at mail.ru>
User-Agent: SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (=?ISO-8859-4?Q?Sanj=F2?=)
 APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <E1E348i-0004T3-1I at localhost>
From: Alexey Feldgendler <feldgendler at feldgendler.plesk.ru>
Date: Thu, 11 Aug 2005 10:53:56 +0700
X-Antivirus: Dr.Web (R) for Mail Servers on master.plesk.ru host
X-Antivirus-Code: 100000
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: php5
Version: 5.0.4-3
Severity: important

Note: I have already reported the bug upstream, and it has been fixed.
http://bugs.php.net/bug.php?id=34062
At the end of this bug report is the patch to fix the bug.

PHP crashes in a catch block. It happened in a real program, and I've
gradually reduced its complexity until I came to the simple testcase I'm
posting below. Both mod_php5 for Apache 2 and php5-cli crash on this
testcase.

Here is what I found during research:

In the beginning, I had multiple functions calling each other, like
this:

catch (Exception $e) {
    function f2() { f3(0, 0); }
}
function f3() { f4(0, 0, 0); }
function f4() { f5(0, 0); }

...up to a quite deep nesting. I found that I can keep PHP crashing if I
carry the zeros from one function call to another, as long as their
total number does not decrese. I could even carry the zeros between the
catch block and the try block. Also I could exchange one level of
nesting for two additional zeros. So I collapsed them all in the
argument list of max(). The max() function was chosen arbitararily, any
function that takes unlimited number of arguments will do. The zeros can
also be replaced with values of any type. The crash can also be
reproduced using set_exception_handler() instead of a catch block.

Reproduce code:
---------------
<?

function f1() { throw new Exception; }
function f2() { echo "here\n"; }

try {
      // Currently it's the minimum required number of zeros
      // If you remove one, it won't crash
max(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, f1());
} catch (Exception $e) {
echo "(((\n";
f2(0, 0, 0); // Won't crash if less than 3 zeros here
echo ")))\n";
}

?>

Expected result:
----------------
(((
here
)))

Actual result:
--------------
(((
here
Segmentation fault

Here is the stack dump (obtained from php-cli):

#0  0x081fb0b6 in _zval_ptr_dtor ()
#1  0x0822b47c in zend_do_fcall_common_helper ()
#2  0x0823bb73 in zend_do_fcall_handler ()
#3  0x08228c39 in execute ()
#4  0x08208414 in zend_execute_scripts ()
#5  0x081ce03d in php_execute_script ()
#6  0x0824c284 in main ()

Patch to fix the bug:
---------------------

--- Zend/zend_execute.c	10 Aug 2005 10:37:23 -0000	1.652.2.47
+++ Zend/zend_execute.c	10 Aug 2005 13:11:29 -0000	1.652.2.48
@@ -4381,6 +4381,7 @@
 	while (*stack_zval_pp != NULL) {
 		zval_ptr_dtor(stack_zval_pp);
 		EG(argument_stack).top_element--;
+		EG(argument_stack).top--;
 		stack_zval_pp--;
 	}
 



-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (900, 'testing-proposed-updates'), (900, 'testing'), (900, 'stable'), (800, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages php5 depends on:
ii  libapache2-mod-php5           5.0.4-3    server-side, HTML-embedded scripti
ii  php5-cgi                      5.0.4-3    server-side, HTML-embedded scripti
ii  php5-common                   5.0.4-3    Common files for packages built fr

php5 recommends no packages.

-- debconf information:
  php5/update_apache_php_ini: true

---------------------------------------
Received: (at 322507-close) by bugs.debian.org; 12 Sep 2005 08:40:24 +0000
>From katie at spohr.debian.org Mon Sep 12 01:40:24 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EEjjT-0007Ut-00; Mon, 12 Sep 2005 01:32:07 -0700
From: Adam Conrad <adconrad at 0c3.net>
To: 322507-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#322507: fixed in php5 5.0.5-1
Message-Id: <E1EEjjT-0007Ut-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Mon, 12 Sep 2005 01:32:07 -0700
Delivered-To: 322507-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: php5
Source-Version: 5.0.5-1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.0.5-1_i386.deb
  to pool/main/p/php5/libapache-mod-php5_5.0.5-1_i386.deb
libapache2-mod-php5_5.0.5-1_i386.deb
  to pool/main/p/php5/libapache2-mod-php5_5.0.5-1_i386.deb
php-pear_5.0.5-1_all.deb
  to pool/main/p/php5/php-pear_5.0.5-1_all.deb
php5-cgi_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-cgi_5.0.5-1_i386.deb
php5-cli_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-cli_5.0.5-1_i386.deb
php5-common_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-common_5.0.5-1_i386.deb
php5-curl_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-curl_5.0.5-1_i386.deb
php5-dev_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-dev_5.0.5-1_i386.deb
php5-gd_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-gd_5.0.5-1_i386.deb
php5-ldap_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-ldap_5.0.5-1_i386.deb
php5-mhash_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-mhash_5.0.5-1_i386.deb
php5-mysql_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-mysql_5.0.5-1_i386.deb
php5-odbc_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-odbc_5.0.5-1_i386.deb
php5-pgsql_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-pgsql_5.0.5-1_i386.deb
php5-recode_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-recode_5.0.5-1_i386.deb
php5-snmp_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-snmp_5.0.5-1_i386.deb
php5-sqlite_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-sqlite_5.0.5-1_i386.deb
php5-sybase_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-sybase_5.0.5-1_i386.deb
php5-xmlrpc_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-xmlrpc_5.0.5-1_i386.deb
php5-xsl_5.0.5-1_i386.deb
  to pool/main/p/php5/php5-xsl_5.0.5-1_i386.deb
php5_5.0.5-1.diff.gz
  to pool/main/p/php5/php5_5.0.5-1.diff.gz
php5_5.0.5-1.dsc
  to pool/main/p/php5/php5_5.0.5-1.dsc
php5_5.0.5-1_all.deb
  to pool/main/p/php5/php5_5.0.5-1_all.deb
php5_5.0.5.orig.tar.gz
  to pool/main/p/php5/php5_5.0.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 322507 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad at 0c3.net> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Sep 2005 02:29:24 +1000
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql php5-common php5-snmp php5-dev php5-sqlite libapache-mod-php5
Architecture: source i386 all
Version: 5.0.5-1
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad at 0c3.net>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-ldap  - LDAP module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 321930 322507 327107
Changes: 
 php5 (5.0.5-1) unstable; urgency=low
 .
   * New upstream release, adjust patch offsets and fuzz, and drop patches:
     - Drop 009-snmp-int-sizes.patch, finally fixed upstream.
     - Drop 051-gcc-4.0.patch, fixed differently upstream.
     - Drop 102-php_streams.patch, fixed upstream.
     - Drop 103-catch_segv.patch, also fixed upstream.
   * Distribute the shiny new manpages for php-config and phpize.
 .
 php5 (5.0.4-4) unstable; urgency=low
 .
   * Ondřej Surý <ondrej at sury.org>:
     - Add patch from CVS to fix regression in PHP 5.0.4, where file related
       functions all stop reading at 2,000,000 bytes (closes: #321930)
   * Adam Conrad <adconrad at 0c3.net>:
     - Enable support for gdbm files in the dba handler; half the base system
       already appears to depend on libgdm, so we can't make things worse.
     - Add another patch from CVS to fix a segfault in the catch/throw
       handler under interesting nesting cases (closes: #322507)
     - Rebuild against libsnmp9-dev for new libsnmp SOVER (closes: #327107)
Files: 
 ad7d7d3f54bb70d323fa200d60f47c4b 1770 web optional php5_5.0.5-1.dsc
 ae36a2aa35cfaa58bdc5b9a525e6f451 6082082 web optional php5_5.0.5.orig.tar.gz
 63db103538a68e9e9e7d9575924976f3 93880 web optional php5_5.0.5-1.diff.gz
 8c3120555d7db2e547c49f266537cc8d 126430 web optional php5-common_5.0.5-1_i386.deb
 b803ff4f734e9e35b2104d2cecf77fa5 1883658 web optional libapache-mod-php5_5.0.5-1_i386.deb
 411034dba2869dda299e17d1d74467bd 1884766 web optional libapache2-mod-php5_5.0.5-1_i386.deb
 2b97985c1c069483efbe0ae7d5e1690f 3744524 web optional php5-cgi_5.0.5-1_i386.deb
 4dc7a54e29dc127fbb291c061f290fc2 1880544 web optional php5-cli_5.0.5-1_i386.deb
 07d38812b5f4ab1a268512e26b662fa8 218732 devel optional php5-dev_5.0.5-1_i386.deb
 daa35e2fbe3acb4842523ae296c1e2a3 22184 web optional php5-curl_5.0.5-1_i386.deb
 8a6e93109c064256072613c4e381a49a 32962 web optional php5-gd_5.0.5-1_i386.deb
 ea6d1f65847f642d523bb5cfe26c4933 19250 web optional php5-ldap_5.0.5-1_i386.deb
 df2c0cd7e524bdd98616ec916dc7451b 8342 web optional php5-mhash_5.0.5-1_i386.deb
 53750a014edbf1e5db9a15446870c6cb 22058 web optional php5-mysql_5.0.5-1_i386.deb
 17c374ac74a22994433b86e3b51b22db 27658 web optional php5-odbc_5.0.5-1_i386.deb
 a99433fd119262cb0125ecb9e0538d67 36932 web optional php5-pgsql_5.0.5-1_i386.deb
 960f2f6d4623da46ea47493c04eb262c 7954 web optional php5-recode_5.0.5-1_i386.deb
 4e08a96dd03a94fb820ca01154c44bae 14088 web optional php5-snmp_5.0.5-1_i386.deb
 a2773715e6877f60dc62ad46c8b03b5d 24812 web optional php5-sqlite_5.0.5-1_i386.deb
 537e04b5ad4fffe4ae0175f50983b0d8 20896 web optional php5-sybase_5.0.5-1_i386.deb
 b1dae9b2dac22abb6e0759be0239e3e0 38324 web optional php5-xmlrpc_5.0.5-1_i386.deb
 66053f2107780aa9c7726bdd74fba2c2 14224 web optional php5-xsl_5.0.5-1_i386.deb
 5f7684b43a059cd903e4cde24ec6ab9a 1034 web optional php5_5.0.5-1_all.deb
 f19ea9186daa91563a18829cb901144b 173730 web optional php-pear_5.0.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJRy1vjztR8bOoMkRAgYgAJ4lvAItqfuMPabQoizrYYtPJntLTACePWuH
Q0f/4iv8wOZFCr6z8c7ZGQg=
=u+AL
-----END PGP SIGNATURE-----

More information about the pkg-php-maint mailing list