[php-maint] Bug#751936: php5: Segfault in highlight_string()/highlight_file() when pgsql module loaded
Andreas Ferber
af+debian-bugregports at chaos-agency.de
Tue Jun 17 23:33:56 UTC 2014
Package: php5, php5-cli, libapache2-mod-php5, php5-pgsql
Version: 5.6.0~beta4+dfsg-3
Severity: important
Hi,
I encountered a segmentation fault that is triggered when syntax highlighting
PHP source containing '__CLASS__' using the highlight_file() or
highlight_string() functions while the pgsql.so module is loaded.
To reproduce, install and enable the pgsql.so module and run the
following script (also attached as 'test.php'):
---------- test.php ----------
<?php
$s = <<<EOT
<?php
__CLASS__;
EOT;
highlight_string($s);
?>
------------------------------
(Note that it doesn't have anything to do with the fact that the
__CLASS__ is used outside of any class scope here; I originally
encountered the bug with a much longer script that had the __CLASS__
properly within a class.)
Even though highlight_string()/highlight_file() might be considered
minor PHP functionality, I'm setting the severity to "important" since
the problem seriously hampers development (or makes it outright
impossible) using, for example, the popular Symfony PHP framework. Symfony
uses highlight_*() extensively to provide, for example, friendlier
exception output during development, so having your Apache child always
dying with a segfault when encountering an error instead of displaying
the error with backtrace etc. is a real problem.
Backtrace of the Segfault:
#0 _zend_mm_free_int (heap=0x7fee5d9ed048, p=0x7fee5d9ed058)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_alloc.c:2104
#1 0x00000000006c68b8 in zend_highlight (
syntax_highlighter_ini=syntax_highlighter_ini at entry=0x7fff5203eaa0)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_highlight.c:153
#2 0x000000000069d865 in highlight_string (str=0x7fff5203e980,
syntax_highlighter_ini=syntax_highlighter_ini at entry=0x7fff5203eaa0,
str_name=str_name at entry=0x7fee5db28280 "/home/sunshine/php-bug/test.php(6) : highlighted code")
at Zend/zend_language_scanner.l:818
#3 0x00000000005fafa9 in zif_highlight_string (ht=<optimized out>, return_value=0x7fee5db267b8,
return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/ext/standard/basic_functions.c:5268
#4 0x00000000006c2c4a in dtrace_execute_internal (execute_data_ptr=<optimized out>,
fci=<optimized out>, return_value_used=<optimized out>)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_dtrace.c:97
#5 0x000000000077cdd8 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fee5daf00f8)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_vm_execute.h:560
#6 0x000000000070e410 in execute_ex (execute_data=0x7fee5daf00f8)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_vm_execute.h:363
#7 0x00000000006c2b08 in dtrace_execute_ex (execute_data=0x7fee5daf00f8)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_dtrace.c:73
#8 0x00000000006d4dc0 in zend_execute_scripts (type=1570689096, type at entry=8,
retval=0x7fee5d9ed058, retval at entry=0x0, file_count=1570796536, file_count at entry=3)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend.c:1330
#9 0x0000000000673fdb in php_execute_script (primary_file=0x7fff52041140)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/main/main.c:2584
#10 0x000000000077ed3d in do_cli (argc=1570689096, argv=0x7fee5d9ed058)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/sapi/cli/php_cli.c:994
#11 0x00000000004620ea in main (argc=1570689096, argv=0x7fee5d9ed058)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/sapi/cli/php_cli.c:1378
Please see the attached file for a "backtrace full". If necessary, I can
also provide a core dump.
Observations during investigating the problem:
* The segfault only happens if the pgsql.so module is loaded. I tested
different combinations of the PHP modules on my system, only the
pgsql.so makes a difference. Whether any other modules are loaded or
not doesn't affect the problem.
* It happens with both the CLI and the Apache2 SAPI. I didn't test any
other SAPIs; however, they are probably affected as well.
* The problem doesn't exist in package version 5.5.12+dfsg-2; however,
it is already present in 5.6.0~beta3+dfsg-2. No other versions
tested.
* The segfault happens right after outputting the '__CLASS__' token
itself.
* It is only triggered by '__CLASS__', other internal constants like
'__FILE__' or '__LINE__' are fine.
Regards,
Andreas Ferber
-- Package-specific info:
==== Additional PHP 5 information ====
++++ PHP 5 SAPI (php5query -S): ++++
apache2
cgi
cli
++++ PHP 5 Extensions (php5query -M -v): ++++
pgsql (Enabled for apache2 by maintainer script)
pgsql (Enabled for cgi by maintainer script)
pgsql (Enabled for cli by maintainer script)
++++ Configuration files: ++++
[PHP]
engine = On
short_open_tag = Off
asp_tags = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions =
disable_classes =
zend.enable_gc = On
expose_php = On
max_execution_time = 30
max_input_time = 60
memory_limit = -1
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
[filter]
[iconv]
[intl]
[sqlite]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQL]
mysql.allow_local_infile = On
mysql.allow_persistent = On
mysql.cache_size = 2000
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 60
mysql.trace_mode = Off
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatibility_mode = Off
mssql.secure_connection = Off
[Assertion]
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
[curl]
[openssl]
**** /etc/php5/cli/conf.d/20-pgsql.ini ****
extension=pgsql.so
-- System Information:
Debian Release: 7.5
APT prefers stable
APT policy: (550, 'stable'), (500, 'stable-updates'), (250, 'testing'), (180, 'unstable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5-cli depends on:
ii libbz2-1.0 1.0.6-4
ii libc6 2.19-1
ii libcomerr2 1.42.5-1.1
ii libdb5.3 5.3.28-3
ii libedit2 3.1-20140213-1
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u1
ii libk5crypto3 1.10.1+dfsg-5+deb7u1
ii libkrb5-3 1.10.1+dfsg-5+deb7u1
ii libmagic1 5.11-2+deb7u3
ii libonig2 5.9.5-2
ii libpcre3 1:8.31-5
ii libqdbm14 1.8.78-2
ii libssl1.0.0 1.0.1e-2+deb7u11
ii libxml2 2.9.1+dfsg1-3
ii mime-support 3.52-1
ii php5-common 5.6.0~beta4+dfsg-3
ii php5-json 1.3.5-2
ii tzdata 2014a-0wheezy1
ii ucf 3.0025+nmu3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages php5-cli recommends:
ii php5-readline 5.6.0~beta4+dfsg-3
Versions of packages php5-cli suggests:
ii php-pear 5.4.4-14+deb7u11
Versions of packages php5-pgsql depends on:
ii dpkg 1.17.10
ii libc6 2.19-1
ii libpq5 9.3.4-2
ii php5-common [phpapi-20131226] 5.6.0~beta4+dfsg-3
ii ucf 3.0025+nmu3
php5-pgsql recommends no packages.
php5-pgsql suggests no packages.
Versions of packages php5-common depends on:
ii libc6 2.19-1
ii lsof 4.86+dfsg-1
ii psmisc 22.19-1+deb7u1
ii sed 4.2.1-10
ii ucf 3.0025+nmu3
Versions of packages php5-common suggests:
ii php5-apcu [php5-user-cache] 4.0.4-2
Versions of packages libapache2-mod-php5 depends on:
ii apache2 2.4.9-2
ii apache2-bin [apache2-api-20120211] 2.4.9-2
ii libbz2-1.0 1.0.6-4
ii libc6 2.19-1
ii libcomerr2 1.42.5-1.1
ii libdb5.3 5.3.28-3
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u1
ii libk5crypto3 1.10.1+dfsg-5+deb7u1
ii libkrb5-3 1.10.1+dfsg-5+deb7u1
ii libmagic1 5.11-2+deb7u3
ii libonig2 5.9.5-2
ii libpcre3 1:8.31-5
ii libqdbm14 1.8.78-2
ii libssl1.0.0 1.0.1e-2+deb7u11
ii libstdc++6 4.9.0-6
ii libxml2 2.9.1+dfsg1-3
ii mime-support 3.52-1
ii php5-common 5.6.0~beta4+dfsg-3
ii php5-json 1.3.5-2
ii tzdata 2014a-0wheezy1
ii ucf 3.0025+nmu3
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages libapache2-mod-php5 recommends:
ii php5-cli 5.6.0~beta4+dfsg-3
Versions of packages libapache2-mod-php5 suggests:
ii php-pear 5.4.4-14+deb7u11
-- no debconf information
-- debsums errors found:
sh: /usr/sbin/dpkg-divert: No such file or directory
-------------- next part --------------
#0 _zend_mm_free_int (heap=0x7f65baf44048, p=0x7f65baf44058)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_alloc.c:2104
mm_block = 0x7f65baf44048
next_block = 0xfecb75ea2440
#1 0x00000000006c68b8 in zend_highlight (
syntax_highlighter_ini=syntax_highlighter_ini at entry=0x7fff7f8ea3b0)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_highlight.c:153
token = {value = {lval = 140074904993880, dval = 6.9206198401952573e-310, str = {
val = 0x7f65baf44058 "", len = 0}, ht = 0x7f65baf44058, obj = {handle = 3136569432,
handlers = 0x0}, ast = 0x7f65baf44058}, refcount__gc = 16, type = 6 '\006',
is_ref__gc = 0 '\000'}
token_type = 368
last_color = 0xb36a25 "#0000BB"
next_color = 0xb36a25 "#0000BB"
#2 0x000000000069d865 in highlight_string (str=0x7fff7f8ea290,
syntax_highlighter_ini=syntax_highlighter_ini at entry=0x7fff7f8ea3b0,
str_name=str_name at entry=0x7f65bb07f280 "/home/sunshine/php-bug/test.php(6) : highlighted code")
at Zend/zend_language_scanner.l:818
original_lex_state = {yy_leng = 0, yy_start = 0x0, yy_text = 0x0, yy_cursor = 0x0,
yy_marker = 0x0, yy_limit = 0x0, yy_state = 0, state_stack = {top = 0, max = 0,
elements = 0x0}, heredoc_label_stack = {top = 0, max = 0, elements = 0x0,
top_element = 0x0, persistent = 0 '\000'}, in = 0x0, lineno = 0, filename = 0x0,
script_org = 0x0, script_org_size = 0, script_filtered = 0x0, script_filtered_size = 0,
input_filter = 0x0, output_filter = 0x0, script_encoding = 0x0}
tmp = {value = {lval = 140074906284768, dval = 6.9206199039735986e-310, str = {
val = 0x7f65bb07f2e0 "<?php\n__CLASS__;", len = 16}, ht = 0x7f65bb07f2e0, obj = {
handle = 3137860320, handlers = 0x10}, ast = 0x7f65bb07f2e0}, refcount__gc = 2,
type = 6 '\006', is_ref__gc = 0 '\000'}
#3 0x00000000005fafa9 in zif_highlight_string (ht=<optimized out>, return_value=0x7f65bb07d7b8,
return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/ext/standard/basic_functions.c:5268
expr = 0x7f65bb0471a8
syntax_highlighter_ini = {highlight_html = 0xb36a2d "#000000",
highlight_comment = 0xb36a1d "#FF8000", highlight_default = 0xb36a25 "#0000BB",
highlight_string = 0xb36a3d "#DD0000", highlight_keyword = 0xb36a35 "#007700"}
hicompiled_string_description = 0x7f65bb07f280 "/home/sunshine/php-bug/test.php(6) : highlighted code"
i = 0 '\000'
old_error_reporting = 22527
#4 0x00000000006c2c4a in dtrace_execute_internal (execute_data_ptr=<optimized out>,
fci=<optimized out>, return_value_used=<optimized out>)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_dtrace.c:97
lineno = <optimized out>
filename = <optimized out>
#5 0x000000000077cdd8 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f65bb0470f8)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_vm_execute.h:560
ret = 0x7f65bb0470b8
opline = 0x7f65bb07e3a0
fbc = 0x1ff5860
num_args = 0
#6 0x000000000070e410 in execute_ex (execute_data=0x7f65bb0470f8)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_vm_execute.h:363
ret = 1978278976
original_in_execution = 0 '\000'
#7 0x00000000006c2b08 in dtrace_execute_ex (execute_data=0x7f65bb0470f8)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend_dtrace.c:73
lineno = 32613
scope = 0x0
filename = 0x0
funcname = 0x0
classname = 0x0
#8 0x00000000006d4dc0 in zend_execute_scripts (type=-1158397880, type at entry=8,
retval=0x7f65baf44058, retval at entry=0x0, file_count=-1158290440, file_count at entry=3)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/Zend/zend.c:1330
files = {{gp_offset = 40, fp_offset = 32613, overflow_arg_area = 0x7fff7f8ea6a0,
reg_save_area = 0x7fff7f8ea630}}
i = 1
file_handle = 0x7fff7f8eca50
#9 0x0000000000673fdb in php_execute_script (primary_file=0x7fff7f8eca50)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/main/main.c:2584
realfile = "/home/sunshine/php-bug/test.php\000\f\000\000\000\000\000\000\000 \373\345\000\000\000\000\000@\\\003\002\000\000\000\000?m\000\000\000\000\000 \360\002\002\000\000\000\000\b\000\000\000 \000\000\000h\\\003\002\000\000\000\000\240\271\216\177\377\177\000\000\230\271\216\177\377\177\000\000\060_\003\002\000\000\000\000\003\000\000\000\n\000\000\000\060\216\004\273e\177\000\000\v", '\000' <repeats 87 times>...
__orig_bailout = 0x7fff7f8ecc10
__bailout = {{__jmpbuf = {140735333452816, -5356074442865410802, 140735333452120,
11862712, 1, 2, -5356074439172326130, 5356356106574593294}, __mask_was_saved = 0,
__saved_mask = {__val = {140735333449232, 140735333447808, 140074895247185,
140735333449300, 23, 33139248, 2998357319905036800, 11862712, 140735333453024,
33139248, 140735333447856, 11862712, 140735333453024, 33139248, 7305356,
140074906054760}}}}
prepend_file_p = 0x0
append_file_p = 0x0
prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {
fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0,
map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0,
fsizer = 0x0, closer = 0x0}}, free_filename = 0 '\000'}
append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {
fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0,
map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0x0}, reader = 0x0,
fsizer = 0x0, closer = 0x0}}, free_filename = 0 '\000'}
old_cwd = 0x7fff7f8ea6a0 ""
retval = 0
#10 0x000000000077ed3d in do_cli (argc=-1158397880, argv=0x7f65baf44058)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/sapi/cli/php_cli.c:994
__bailout = {{__jmpbuf = {33139696, 5356356319795576078, 11865328, 140735333457320,
140735333457316, 15219392, -5356074442871702258, 5356355961509739790},
__mask_was_saved = 0, __saved_mask = {__val = {11757860, 11757884, 11652179, 11652200,
11757897, 11757917, 11757934, 11758488, 11757955, 11757969, 11757991, 11758010,
11758037, 11758066, 0, 7955998172649846063}}}}
file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x1f9aa30 "test.php",
opened_path = 0x0, handle = {fd = -1157111328, fp = 0x7f65bb07e1e0, stream = {
handle = 0x7f65bb07e1e0, isatty = 0, mmap = {len = 65, pos = 0,
map = 0x7f65bb0c4000, buf = 0x7f65bb0c4000 <Address 0x7f65bb0c4000 out of bounds>,
old_handle = 0x2186010, old_closer = 0x6e94d0 <zend_stream_stdio_closer>},
reader = 0x6e9500 <zend_stream_stdio_reader>,
fsizer = 0x6e9470 <zend_stream_stdio_fsizer>,
closer = 0x6e93f0 <zend_stream_mmap_closer>}}, free_filename = 0 '\000'}
request_started = 1
exit_status = 0
php_optarg = 0x0
php_optind = 2
arg_excp = 0x1f9a9f8
lineno = 1
#11 0x00000000004620ea in main (argc=-1158397880, argv=0x7f65baf44058)
at /tmp/buildd/php5-5.6.0~beta4+dfsg/sapi/cli/php_cli.c:1378
__bailout = {{__jmpbuf = {33139696, 5356356319795576078, 11865328, 140735333457320,
140735333457316, 15219392, -5356074442206905074, 5356355822038383886},
__mask_was_saved = 0, __saved_mask = {__val = {140074848695456, 140074850859936,
140074906624096, 0, 140074906629376, 140735333457488, 140735333457472, 4131212846,
4411053, 4294967295, 140074904448567, 140074850947496, 140074906343912,
140074856828280, 140074850928296, 1}}}}
c = 1978278976
php_optarg = 0x0
php_optind = 1
ini_ignore = 0
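The following probe script is an added example and is not part of the bug report or of the Debian php5 package; it wraps the reporter's test.php in a check that a practitioner can run to see whether a given PHP build reproduces the crash. It assumes (none of this is stated in the report) that the PHP binary to test is passed as the first argument (default "php"), that pgsql.so can be loaded on the command line with -d extension=pgsql.so after -n has suppressed the system php.ini, and that a segfault surfaces to a POSIX shell as exit status 139 (128 + SIGSEGV).

```shell
#!/bin/sh
# Added example (not from the bug report): probe a PHP binary for the
# highlight_string()/__CLASS__ segfault with and without pgsql.so loaded.
# Assumptions: $1 is the php binary, "-d extension=pgsql.so" resolves
# against the compiled-in extension_dir, and SIGSEGV shows up as status 139.

# Write the reporter's reproducer to a temporary file and print its path.
write_reproducer() {
    f=$(mktemp "${TMPDIR:-/tmp}/hl-XXXXXX") || return 1
    cat > "$f" <<'EOF'
<?php
$s = <<<EOT
<?php
__CLASS__;
EOT;
highlight_string($s);
?>
EOF
    printf '%s\n' "$f"
}

# Map a process exit status to a verdict: "ok", "segfault" or "error:<n>".
classify_status() {
    case "$1" in
        0)   echo ok ;;
        139) echo segfault ;;   # 128 + SIGSEGV (11) as reported by sh
        *)   echo "error:$1" ;;
    esac
}

# Run the reproducer once.  $1 = php binary; remaining args are extra php
# options (e.g. -d extension=pgsql.so).  -n ignores the system php.ini so
# the "without pgsql" run really has no pgsql.so loaded.
probe() {
    php_bin=$1; shift
    f=$(write_reproducer) || { echo "error:mktemp"; return 0; }
    st=0
    "$php_bin" -n "$@" "$f" >/dev/null 2>&1 || st=$?
    rm -f "$f"
    classify_status "$st"
}

# Compare the two configurations the report contrasts and print a verdict.
# Prints AFFECTED only when the crash appears solely with pgsql.so loaded.
compare() {
    php_bin=${1:-php}
    without=$(probe "$php_bin")
    with=$(probe "$php_bin" -d extension=pgsql.so)
    echo "without pgsql.so: $without"
    echo "with pgsql.so:    $with"
    if [ "$with" = segfault ] && [ "$without" = ok ]; then
        echo AFFECTED
    else
        echo "not reproduced"
    fi
}
```

Usage: `compare /usr/bin/php5` (or `compare php`) on the host under test. Because `-n` drops every conf.d/*.ini, the "without" run also drops the other modules the reporter found irrelevant; if a build needs an explicit extension_dir, pass it as a further `-d extension_dir=...` argument to `probe`.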