PHP 5.2.1 crashing Apache/IIS...

18 years ago by Thomas Hruska — view source

unread

Heads up! Installed the latest Win32 binaries of thread-safe PHP 5.2.1
on Win32 Apache and IIS. PHP started crashing (definitely PHP -
php5ts.dll) when I went to access the MyProBB web forum. (Win32 Apache
flat out crashes, IIS bails with HTTP 500 errors).

Forum crashes PHP 5.2.1:
http://www.cubiclesoft.com/Forum/

Source to the forum software is here:
http://www.cubiclesoft.com/MyProBB/

Worked fine under 5.2.0. I only depend on PHP for the forum.
A straight-up phpinfo(); page seems to work fine.
I upgraded by killing each webserver instance, copying the files from
the ZIP file over the existing PHP directories and files, and restarting
the server.

So I then took the hard route of deleting the PHP directory and dumping
the binaries into it from scratch and putting together a working php.ini
file again...crash.

So I tried to narrow down the problem and it appeared to be crashing in
a VERY bizarre location:

$Data = str_ireplace("\n", " ", $Data);

So, I created a test script and eventually narrowed it down to:

<?
$Data = "Change tracking and management software designed to watch
for abnormal system behavior.\nSuggest features, report bugs, or ask
questions here.";
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
?>

This script crashes PHP 5.2.1 everywhere. Command-line and web server
(module and CGI modes). IMO, there's a bug somewhere in str_ireplace().
But it could be also more fundamental with how Zend treats variables.
All that showing data around assigning a variable to itself.

--
Thomas Hruska
CubicleSoft President
Ph: 517-803-4197

http://www.CubicleSoft.com/

18 years ago by Stanislav Malyshev — view source

unread

This script crashes PHP 5.2.1 everywhere. Command-line and web server
(module and CGI modes). IMO, there's a bug somewhere in str_ireplace().
But it could be also more fundamental with how Zend treats variables.
All that showing data around assigning a variable to itself.

I can reproduce it. Seems to be off-by-one here:

Z_STRVAL_P(result) = target = safe_emalloc(char_count, to_len, len);

introduced by this patch:

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.36&r2=1.445.2.14.2.37
If I replace len with len+1, it seems to be OK.

Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/

18 years ago by Stanislav Malyshev — view source

unread

I can reproduce it. Seems to be off-by-one here:

Z_STRVAL_P(result) = target = safe_emalloc(char_count, to_len, len);

introduced by this patch:

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.36&r2=1.445.2.14.2.37

If I replace len with len+1, it seems to be OK.

Looking more on this code of php_char_to_str_ex, it seems very strange
to me, especially this part:

if (char_count == 0 && case_sensitivity) {
	ZVAL_STRINGL(result, str, len, 1);
	return 0;
}

Why check case_sensitivity here? Looks like some code remained
un-cleaned from previous versions. Any arguments against removing this
check?

Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/

18 years ago by Antony Dovgal — view source

unread

<?
$Data = "Change tracking and management software designed to watch
for abnormal system behavior.\nSuggest features, report bugs, or ask
questions here.";
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
$Data = str_ireplace("\r\n", " ", $Data);
$Data = str_ireplace("\n", " ", $Data);
?>

Fixed in CVS, thanks for the reproduce case.

--
Wbr,
Antony Dovgal

18 years ago by Stanislav Malyshev — view source

unread

Fixed in CVS, thanks for the reproduce case.

I think there should be also no check for case_sensitivity earlier.

And we probably need to add testcase for this - our test suite seems to
have missed this bug).

Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/

18 years ago by Antony Dovgal — view source

unread

Fixed in CVS, thanks for the reproduce case.

I think there should be also no check for case_sensitivity earlier.

And we probably need to add testcase for this - our test suite seems to
have missed this bug).

I will add a test case, but not now - it's 4am here already =)

--
Wbr,
Antony Dovgal

18 years ago by William A. Rowe — view source

unread

Thomas Hruska wrote:

Heads up! Installed the latest Win32 binaries of thread-safe PHP 5.2.1
on Win32 Apache and IIS. PHP started crashing (definitely PHP -
php5ts.dll) when I went to access the MyProBB web forum. (Win32 Apache
flat out crashes, IIS bails with HTTP 500 errors).

Considering PHP 5.2.1 was a security release with borked safe malloc
code for threading, is there any chance of a 5.2.2 bugfix-only release
to get good 'official' code into users' hands? No 5.2.2_RC1 in sight,
but I'm pretty certain these fixes are already on PHP5.2 branch?

Bill

18 years ago by Thomas Hruska — view source

unread

William A. Rowe, Jr. wrote:

Thomas Hruska wrote:

Heads up! Installed the latest Win32 binaries of thread-safe PHP 5.2.1
on Win32 Apache and IIS. PHP started crashing (definitely PHP -
php5ts.dll) when I went to access the MyProBB web forum. (Win32 Apache
flat out crashes, IIS bails with HTTP 500 errors).

Considering PHP 5.2.1 was a security release with borked safe malloc
code for threading, is there any chance of a 5.2.2 bugfix-only release
to get good 'official' code into users' hands? No 5.2.2_RC1 in sight,
but I'm pretty certain these fixes are already on PHP5.2 branch?

Bill

Well, as you can tell, I'm back up and running:

http://www.cubiclesoft.com/Forum/

And I have a little discussion on what I did:

http://www.cubiclesoft.com/Forum/index.php?cmd=Topic&ID=16

Sort of an interim fix until 5.2.2 becomes available. (And, yes, the
fixes are apparently in the 5.2 branch because my forum works again).

--
Thomas Hruska
CubicleSoft President
Ph: 517-803-4197

NEW VerifyMyPC 2.2
Change tracking and management tool.
Reduce tech. support times from 2 hours to 5 minutes.

Free for personal use, $10 otherwise.
http://www.CubicleSoft.com/VerifyMyPC/

PHP 5.2.1 crashing Apache/IIS...

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.36&r2=1.445.2.14.2.37 If I replace len with len+1, it seems to be OK.

Why check case_sensitivity here? Looks like some code remained un-cleaned from previous versions. Any arguments against removing this check?

And we probably need to add testcase for this - our test suite seems to have missed this bug).

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.36&r2=1.445.2.14.2.37
If I replace len with len+1, it seems to be OK.

Why check case_sensitivity here? Looks like some code remained
un-cleaned from previous versions. Any arguments against removing this
check?

And we probably need to add testcase for this - our test suite seems to
have missed this bug).