[php-maint] Bug#549492: php5-cgi causes segmentation fault

Vincent Caron vcaron at bearstech.com
Wed Oct 28 03:28:49 UTC 2009


Found this trace by googl'ing: http://pastie.org/pastes/508339/download

Looks relevant, it's about php5-5.2.6.dfsg.1 and fails on hashing the
REMOTE_ADDR key with a bogus value size. Although this one fails in the
'apache2' SAPI, whereas my bug report was about the CGI SAPI in a FastCGI
context.

#0  0x00007fa08d356fd9 in _zend_hash_add_or_update (ht=0x7fa09775e870,
arKey=0x7fa0969cd018 "REMOTE_ADDR", nKeyLength=12, 
    pData=0x88d068fa2, nDataSize=32767, pDest=0x8800003,
flag=-1926159818)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_hash.c:402
#1  0x00007fa08d312236 in php_register_variable_ex (var=0x7fff9c4b1c10
"x�\234\226�\177", val=0x7fa0969cbfb8, 
    track_vars_array=0x7fa08d844e20)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_hash.h:340
#2  0x00007fa08d19bdaf in php_sapi_filter (arg=-1768108000,
var=0x7fa08d841520 "", val=0x0, val_len=9, new_val_len=0x7fa096a7b338)
    at /build/buildd/php5-5.2.6.dfsg.1/ext/filter/filter.c:421
#3  0x00007fa08d30be82 in sapi_getenv (name=0x7fa08d56af9b
"REMOTE_ADDR", name_len=2711479345)
    at /build/buildd/php5-5.2.6.dfsg.1/main/SAPI.c:950
#4  0x00007fa08d317369 in php_security_log (loglevel=1,
fmt=0x7fa08d59bdc8 "canary mismatch on efree() - heap overflow
detected")
    at /build/buildd/php5-5.2.6.dfsg.1/main/suhosin_patch.c:139
#5  0x00007fa08d32d58d in _zend_mm_free_int (heap=0x7fa0967ed700,
p=0x7fff9c4ac620)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_alloc.c:2018
#6  0x00007fa08d354738 in zend_hash_destroy (ht=0x7fa097732fe0)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_hash.c:717
#7  0x00007fa08d365b79 in zend_object_std_dtor (object=0x7fa097735ed0)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_objects.c:45
#8  0x00007fa08d365ba9 in zend_objects_free_object_storage
(object=0x7fa097735ed0)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_objects.c:122
#9  0x00007fa08d3690cb in zend_objects_store_del_ref_by_handle
(handle=0)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_objects_API.c:206
#10 0x00007fa08d3690ef in zend_objects_store_del_ref
(zobject=0x7fa097894f48)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_objects_API.c:168
#11 0x00007fa08d33bb55 in _zval_ptr_dtor (zval_ptr=0x7fa0978a2338)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_variables.h:35
#12 0x00007fa08d354738 in zend_hash_destroy (ht=0x7fa0978a2eb0)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_hash.c:717
#13 0x00007fa08d348e0f in _zval_dtor_func (zvalue=0x7fa0978a2f98)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_variables.c:43
#14 0x00007fa08d33bb55 in _zval_ptr_dtor (zval_ptr=0x7fa09775f250)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_variables.h:35
#15 0x00007fa08d354738 in zend_hash_destroy (ht=0x7fa09775f1c0)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_hash.c:717
#16 0x00007fa08d365b79 in zend_object_std_dtor (object=0x7fa09775eeb8)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_objects.c:45
#17 0x00007fa08d365ba9 in zend_objects_free_object_storage
(object=0x7fa09775eeb8)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_objects.c:122
#18 0x00007fa08d368cbf in zend_objects_store_free_object_storage
(objects=0x7fa08d845960)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_objects_API.c:89
#19 0x00007fa08d33cc0c in shutdown_executor ()
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_execute_API.c:299
#20 0x00007fa08d349ab2 in zend_deactivate ()
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend.c:941
#21 0x00007fa08d303b82 in php_request_shutdown (dummy=0x7fa0969cd020)
at /build/buildd/php5-5.2.6.dfsg.1/main/main.c:1494
#22 0x00007fa08d3bed53 in php_handler (r=0xa482da118d068fa2)

at /build/buildd/php5-5.2.6.dfsg.1/sapi/apache2handler/sapi_apache2.c:486
#23 0x00007fa094491293 in ap_run_handler () from /usr/sbin/apache2
#24 0x00007fa094494a2f in ap_invoke_handler () from /usr/sbin/apache2
#25 0x00007fa0944a23c0 in ap_internal_redirect () from /usr/sbin/apache2
#26 0x00007fa08c8f5bd5 in ?? ()
from /usr/lib/apache2/modules/mod_rewrite.so
#27 0x00007fa094491293 in ap_run_handler () from /usr/sbin/apache2
#28 0x00007fa094494a2f in ap_invoke_handler () from /usr/sbin/apache2
#29 0x00007fa0944a259e in ap_process_request () from /usr/sbin/apache2
#30 0x00007fa09449f3d8 in ?? () from /usr/sbin/apache2
#31 0x00007fa094498c63 in ap_run_process_connection ()
from /usr/sbin/apache2
---Type <return> to continue, or q <return> to quit---
#32 0x00007fa0944a6f06 in ?? () from /usr/sbin/apache2
#33 0x00007fa0944a7236 in ?? () from /usr/sbin/apache2
#34 0x00007fa0944a7d6d in ap_mpm_run () from /usr/sbin/apache2
#35 0x00007fa09447d60d in main () from /usr/sbin/apache2
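As an added example (not part of the bug report or of PHP's own tooling), the following Python script parses a gdb backtrace that a mail client has wrapped across lines, the way the trace above arrived, and flags the frames worth a second look: length/size arguments outside a plausible range (the `nDataSize=32767` and `name_len=2711479345` values the post calls a "bogus value size") and any string argument in which the allocator reports corruption (the Suhosin "canary mismatch on efree()" message). The sample input is an excerpt of selected frames from the trace above; the 4096-byte limit and the list of corruption keywords are heuristics chosen for this example.

```python
"""Re-assemble a mail-wrapped gdb backtrace and flag suspicious frames.
Added example for the bug report above; not code from PHP or Debian."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One logical frame after re-joining wrapped lines, e.g.
#   #3  0x... in sapi_getenv (name=0x... "REMOTE_ADDR", name_len=2711479345) at main/SAPI.c:950
#   #26 0x... in ?? () from /usr/lib/apache2/modules/mod_rewrite.so
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:(?P<pc>0x[0-9a-f]+) in )?(?P<func>[\w?]+)\s*"
    r"\((?P<args>.*)\)(?:\s+at (?P<file>\S+):(?P<line>\d+)|\s+from (?P<lib>\S+))?$"
)
SIZE_SUFFIXES = ("len", "length", "size")   # argument names that hold a byte count
SIZE_LIMIT = 4096                            # heuristic: no header name or zval is larger
CORRUPTION_WORDS = ("canary", "heap overflow", "corrupt")

@dataclass
class Frame:
    idx: int
    func: str
    args: dict = field(default_factory=dict)
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None

def join_wrapped(lines):
    """A line starting with '#N' opens a frame; any other non-empty line is a
    continuation of the previous frame. gdb's pager prompt is dropped."""
    frames = []
    for raw in lines:
        text = raw.strip()
        if not text or text.startswith("---Type <return>"):
            continue
        if re.match(r"^#\d+\s", text):
            frames.append(text)
        elif frames:
            frames[-1] += " " + text
    return frames

def split_args(text):
    """Split 'a=1, b=0x1 "x, y"' on the commas that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for c in text:
        if c == '"':
            in_str = not in_str
        if c == "," and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_frame(text):
    m = FRAME_RE.match(text)
    if not m:
        return None
    args = {}
    for part in split_args(m["args"]):
        name, _, value = part.partition("=")
        args[name.strip()] = value.strip()
    return Frame(int(m["idx"]), m["func"], args, m["file"],
                 int(m["line"]) if m["line"] else None, m["lib"])

def suspicious(frame):
    """Human-readable findings for one frame (empty list when nothing stands out)."""
    out = []
    for name, value in frame.args.items():
        # Decimal size-like arguments only; hex values are pointers, not counts.
        if name.lower().endswith(SIZE_SUFFIXES) and re.fullmatch(r"-?\d+", value):
            n = int(value)
            if n < 0 or n > SIZE_LIMIT:
                out.append(f"#{frame.idx} {frame.func}: {name}={n} is not a plausible length")
        if '"' in value:
            literal = value.split('"', 1)[1].rstrip('"')
            if any(w in literal.lower() for w in CORRUPTION_WORDS):
                out.append(f"#{frame.idx} {frame.func}: allocator reported {literal!r}")
    return out

def analyze(lines):
    """Return (frames, findings, innermost frame with a source location)."""
    frames = [f for f in (parse_frame(t) for t in join_wrapped(lines)) if f]
    findings = [msg for f in frames for msg in suspicious(f)]
    first_src = next((f for f in frames if f.file), None)
    return frames, findings, first_src

# Excerpt of selected frames from the trace quoted in the mail above.
SAMPLE = """\
#0  0x00007fa08d356fd9 in _zend_hash_add_or_update (ht=0x7fa09775e870,
arKey=0x7fa0969cd018 "REMOTE_ADDR", nKeyLength=12,
    pData=0x88d068fa2, nDataSize=32767, pDest=0x8800003,
flag=-1926159818)
at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_hash.c:402
#3  0x00007fa08d30be82 in sapi_getenv (name=0x7fa08d56af9b
"REMOTE_ADDR", name_len=2711479345)
    at /build/buildd/php5-5.2.6.dfsg.1/main/SAPI.c:950
#4  0x00007fa08d317369 in php_security_log (loglevel=1,
fmt=0x7fa08d59bdc8 "canary mismatch on efree() - heap overflow
detected")
    at /build/buildd/php5-5.2.6.dfsg.1/main/suhosin_patch.c:139
#22 0x00007fa08d3bed53 in php_handler (r=0xa482da118d068fa2)

at /build/buildd/php5-5.2.6.dfsg.1/sapi/apache2handler/sapi_apache2.c:486
#26 0x00007fa08c8f5bd5 in ?? ()
from /usr/lib/apache2/modules/mod_rewrite.so
---Type <return> to continue, or q <return> to quit---
#35 0x00007fa09447d60d in main () from /usr/sbin/apache2
"""

if __name__ == "__main__":
    frames, findings, first = analyze(SAMPLE.splitlines())
    print(f"{len(frames)} frames; innermost with source: #{first.idx} {first.func} "
          f"at {first.file}:{first.line}")
    for msg in findings:
        print(msg)
```

Note that `nKeyLength=12` for the 11-character key `REMOTE_ADDR` is not flagged: PHP 5's hash API counts the terminating NUL in key lengths, so that value is consistent, while `name_len` in `sapi_getenv` (which passes `strlen`) clearly is not. The canary message in frame #4 is what Suhosin's allocator prints when `efree()` finds its guard bytes overwritten, which is why the crash surfaces during request shutdown rather than at the write that corrupted the heap.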