Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:4567
Return-Path: <tony2001@phpclub.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 57456 invoked by uid 1010); 24 Sep 2003 17:50:04 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 57430 invoked from network); 24 Sep 2003 17:50:04 -0000
Received: from unknown (HELO is.magroup.ru) (213.147.47.162)
  by pb1.pair.com with SMTP; 24 Sep 2003 17:50:04 -0000
Received: from grp-dovgal.MEDIA-ARTS.RU ([192.168.3.226]) by is.magroup.ru with Microsoft SMTPSVC(5.0.2195.5329);
	 Wed, 24 Sep 2003 21:49:44 +0400
Date: Wed, 24 Sep 2003 21:49:44 +0400
To: internals@lists.php.net
Message-ID: <20030924214944.4d86ae14.tony2001@phpclub.net>
X-Mailer: Sylpheed version 0.9.5 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="Multipart_Wed__24_Sep_2003_21_49_44_+0400_083f8580"
X-OriginalArrivalTime: 24 Sep 2003 17:49:44.0953 (UTC) FILETIME=[3D435690:01C382C4]
Subject: Segfault in HEAD & PHP_4_3 (and possible patch)
From: tony2001@phpclub.net (Antony Dovgal)

--Multipart_Wed__24_Sep_2003_21_49_44_+0400_083f8580
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi, all!

This script (you need to compile PHP with --enable-memory-limit first):
<?
ini_set("memory_limit",0);
phpinfo();
?>
produces for me segfault with last HEAD and PHP_4_3 branch.

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
_efree (ptr=0x0) at /root/CVS/php-src/Zend/zend_alloc.c:257
257             CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) bt
#0  _efree (ptr=0x0) at /root/CVS/php-src/Zend/zend_alloc.c:257
#1  0x4035268b in php_end_ob_buffer (send_buffer=1 '\001', just_flush=0 '\0') at /root/CVS/php-src/main/output.c:315
#2  0x40352a80 in php_end_ob_buffers (send_buffer=0 '\0') at /root/CVS/php-src/main/output.c:339
#3  0x40345e77 in php_request_shutdown (dummy=0x0) at /root/CVS/php-src/main/main.c:1204
#4  0x403a0f7f in apache_php_module_main (r=0x8185cbc, display_source_mode=0)
    at /root/CVS/php-src/sapi/apache/sapi_apache.c:60
#5  0x403a1b0b in send_php (r=0x8185cbc, display_source_mode=0, filename=0x0)
    at /root/CVS/php-src/sapi/apache/mod_php5.c:621
#6  0x403a1cd5 in send_parsed_php (r=0x8185cbc) at /root/CVS/php-src/sapi/apache/mod_php5.c:636
#7  0x08068eee in ap_invoke_handler ()
#8  0x0807e83e in process_request_internal ()
#9  0x0807ec74 in ap_internal_redirect ()
#10 0x0805e39a in handle_dir ()
#11 0x08068eee in ap_invoke_handler ()
#12 0x0807e83e in process_request_internal ()
#13 0x0807e89b in ap_process_request ()
#14 0x0807535f in child_main ()
#15 0x08075511 in make_child ()
#16 0x08075690 in startup_children ()
#17 0x08075d00 in standalone_main ()
#18 0x0807659a in main ()
#19 0x400d1af7 in __libc_start_main () from /lib/i686/libc.so.6

I can propose a patch, see attachment.
Dunno is this patch optimal or not, but it works for me.

---
WBR,
Antony Dovgal aka tony2001
tony2001@phpclub.net

--Multipart_Wed__24_Sep_2003_21_49_44_+0400_083f8580
Content-Type: text/plain;
 name="diff.txt"
Content-Disposition: attachment;
 filename="diff.txt"
Content-Transfer-Encoding: 7bit

Index: output.c
===================================================================
RCS file: /repository/php-src/main/output.c,v
retrieving revision 1.142.2.15
diff -u -r1.142.2.15 output.c
--- output.c	8 Aug 2003 23:44:04 -0000	1.142.2.15
+++ output.c	24 Sep 2003 17:44:30 -0000
@@ -311,10 +311,11 @@
 		zval_ptr_dtor(&alternate_buffer);
 	}
 
-	if (status & PHP_OUTPUT_HANDLER_END) {
+	if (status & PHP_OUTPUT_HANDLER_END && to_be_destroyed_handler_name) {
 		efree(to_be_destroyed_handler_name);
 	}
-	if (!just_flush) {
+	if (!just_flush && to_be_destroyed_buffer) {
+		
 		efree(to_be_destroyed_buffer);
 	} else {
 		OG(active_ob_buffer).text_length = 0;

--Multipart_Wed__24_Sep_2003_21_49_44_+0400_083f8580--