Bug 203151 - php segmentation fault on setlocale function
Summary: php segmentation fault on setlocale function
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.4
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-08-18 17:06 UTC by Dominik Gehl
Modified: 2009-05-18 20:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-18 20:32:26 UTC
Target Upstream Version:
Embargoed:


Attachments
test case to reproduce the bug (927 bytes, text/plain)
2006-08-28 17:33 UTC, Dominik Gehl
patch (352 bytes, patch)
2006-08-29 13:37 UTC, Dominik Gehl
RPM spec (35.56 KB, text/plain)
2006-08-29 13:39 UTC, Dominik Gehl


Links
System ID Private Priority Status Summary Last Updated
PHP Bug Tracker 38534 0 None Closed TOTP QR Code Regeneration 2022-04-13 10:21:09 UTC
Red Hat Product Errata RHBA-2009:1013 0 normal SHIPPED_LIVE php bug fix and enhancement update 2009-05-18 14:14:11 UTC

Description Dominik Gehl 2006-08-18 17:06:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):

# httpd -V
Server version: Apache/2.0.52
Server built:   Aug  2 2006 05:21:10
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

# php -v
PHP 4.3.9 (cgi) (built: Aug 18 2006 10:44:31) (DEBUG)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
    with Advanced PHP Debugger (APD) v0.9.1, , by George Schlossnagle


Steps to Reproduce:
1. Install Horde 3.1.3, IMP 4.1.3 (http://www.horde.org)
2. Configure horde with
$conf['log']['priority'] = PEAR_LOG_DEBUG;
$conf['sessionhandler']['type'] = 'pgsql';
3. Open the Horde login page in a browser
  
Actual results:
httpd segfault

Expected results:
No segmentation fault

Additional info:
The segmentation fault can be prevented by changing the Horde sessionhandler type to
'none' or by changing the log level to 'PEAR_LOG_INFO'.

Here's the information from the httpd core dump and gdb:

#0  0x00ad1a2c in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0x00ad1a2c in memcpy () from /lib/tls/libc.so.6
#1  0x00e9534b in _mem_block_check (ptr=0x9a08b84, silent=0, __zend_filename=0xed9970 "/usr/src/redhat/BUILD/php-4.3.9/ext/standard/string.c", __zend_lineno=3127, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_alloc.c:675
#2  0x00e9530d in _mem_block_check (ptr=0x9a08b84, silent=1, __zend_filename=0xed9970 "/usr/src/redhat/BUILD/php-4.3.9/ext/standard/string.c", __zend_lineno=3127, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_alloc.c:667
#3  0x00e944cb in _efree (ptr=0x9a08b84, __zend_filename=0xed9970 "/usr/src/redhat/BUILD/php-4.3.9/ext/standard/string.c", __zend_lineno=3127, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_alloc.c:243
#4  0x00e41b24 in zif_setlocale (ht=2, return_value=0x9a18344, this_ptr=0x0, return_value_used=0) at /usr/src/redhat/BUILD/php-4.3.9/ext/standard/string.c:3127
#5  0x00ebd4f6 in execute (op_array=0x91657cc) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_execute.c:1640
#6  0x00ebd771 in execute (op_array=0x93210ac) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_execute.c:1684
#7  0x00e9e977 in call_user_function_ex (function_table=0x9332000, object_pp=0x932a768, function_name=0x932178c, retval_ptr_ptr=0xbfe9ebe4, param_count=2, params=0x9723fac, no_separation=1, symbol_table=0x0) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_execute_API.c:567
#8  0x00e9df81 in call_user_function (function_table=0x901ab18, object_pp=0x0, function_name=0x932a844, retval_ptr=0x9a1bccc, param_count=2, params=0xbfe9ec68) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_execute_API.c:409
#9  0x00dde06e in ps_call_handler (func=0x932a844, argc=2, argv=0xbfe9ec68) at /usr/src/redhat/BUILD/php-4.3.9/ext/session/mod_user.c:60
#10 0x00dde695 in ps_write_user (mod_data=0xf07310, key=0x92d698c "555d66f42dd88768d0c97638a5a2c821", val=0x9a64164 "imp|a:29:{s:5:\"cache\";a:0:{}s:4:\"pass\";s:7:\"v\036\032?207\rN\";s:11:\"_logintasks\";i:0;s:4:\"user\";s:11:\"xxxxxxxxxxx\";s:8:\"uniquser\";s:23:\"xxxxxxxxxxxxxxxxxxxxxxx\";s:6:\"server\";s:9:\"localhost\";s:3:\"acl\";b:0;s:5:\""..., vallen=80476) at /usr/src/redhat/BUILD/php-4.3.9/ext/session/mod_user.c:148
#11 0x00dd9d27 in php_session_save_current_state () at /usr/src/redhat/BUILD/php-4.3.9/ext/session/session.c:696
#12 0x00ddd123 in php_session_flush () at /usr/src/redhat/BUILD/php-4.3.9/ext/session/session.c:1605
#13 0x00ddd14e in zm_deactivate_session (type=1, module_number=8) at /usr/src/redhat/BUILD/php-4.3.9/ext/session/session.c:1619
#14 0x00eaccea in module_registry_cleanup (module=0x90b7df8) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_API.c:1167
#15 0x00eafea3 in zend_hash_apply (ht=0xf0b720, apply_func=0xeacca7 <module_registry_cleanup>) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_hash.c:703
#16 0x00ea8954 in zend_deactivate_modules () at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend.c:652
#17 0x00e6b6c2 in php_request_shutdown (dummy=0x0) at /usr/src/redhat/BUILD/php-4.3.9/main/main.c:993
#18 0x00ec3079 in php_apache_request_dtor (r=0x911c948) at /usr/src/redhat/BUILD/php-4.3.9/sapi/apache2handler/sapi_apache2.c:461
#19 0x00ec384c in php_handler (r=0x911c948) at /usr/src/redhat/BUILD/php-4.3.9/sapi/apache2handler/sapi_apache2.c:595
#20 0x002839d7 in ap_run_handler () from /usr/sbin/httpd
#21 0x00283e43 in ap_invoke_handler () from /usr/sbin/httpd
#22 0x002808c5 in ap_process_request () from /usr/sbin/httpd
#23 0x0027b63f in _start () from /usr/sbin/httpd
#24 0x0911c948 in ?? ()
#25 0x00000004 in ?? ()
#26 0x0911c948 in ?? ()
#27 0x09110450 in ?? ()
#28 0x091108ff in ?? ()
#29 0x00000000 in ?? ()
(gdb) frame 5
#5  0x00ebd4f6 in execute (op_array=0x91657cc) at /usr/src/redhat/BUILD/php-4.3.9/Zend/zend_execute.c:1640
1640    ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0xed1dfd "setlocale"
(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x9163cfc "logmessage"
(gdb) print (char *)executor_globals.active_op_array->filename
$3 = 0x9164544 "/var/www/html/horde-3.1.3/lib/Horde.php"

Comment 1 Dominik Gehl 2006-08-28 17:33:40 UTC
Created attachment 135063 [details]
test case to reproduce the bug

Allows reproducing the bug

Comment 2 Dominik Gehl 2006-08-29 13:37:38 UTC
Created attachment 135130 [details]
patch

patch in the php cvs (4.4.4), applied to php-4.3.9

Comment 3 Dominik Gehl 2006-08-29 13:39:47 UTC
Created attachment 135131 [details]
RPM spec

new spec file for php-4.3.9 rpm (includes the patch)

Comment 5 RHEL Program Management 2008-02-01 19:12:39 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 6 RHEL Program Management 2008-09-05 17:11:32 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 11 errata-xmlrpc 2009-05-18 20:32:26 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1013.html

