crash in error handler (works with PHP 5.1)

Bug #33802

Submitted:

2005-07-21 13:14 UTC

Modified:

2008-07-11 21:12 UTC

Votes:	1
Avg. Score:	1.0 ± 0.0
Reproduced:	0 of 1 (0.0%)

From:

isitoya at wakhok dot ac dot jp

Assigned:

derick (profile)

Status:

Wont fix

Package:

Reproducible crash

PHP Version:

4CVS-2005-07-27

OS:

Suse9.2

Private report:

CVE-ID:

None

[2005-07-21 13:14 UTC] isitoya at wakhok dot ac dot jp

Description:
------------
When I using Phing, My testcase with PEAR-SOAP and rdfapi-php had stopped with segmentation fault.

And I Found that throwing exception in error_handler causes Seg fault.



Reproduce code:
---------------
<?php
set_error_handler('errorHandler', E_USER_ERROR);
try{
    test();
}catch(Exception $e){
}
restore_error_handler();

function test(){
    trigger_error("error", E_USER_ERROR);
}

function errorHandler($errno, $errstr, $errfile, $errline) {
    throw new Exception();
}
?>
-----
no try and catch
<?php
set_error_handler('errorHandler', E_USER_ERROR);
test();
restore_error_handler();

function test(){
    trigger_error("error", E_USER_ERROR);
}

function errorHandler($errno, $errstr, $errfile, $errline) {
    throw new Exception();
}
?>


Expected result:
----------------
nothing

Actual result:
--------------
*** glibc detected *** double free or corruption: 0x0000000000af7970 ***
*** glibc detected *** double free or corruption: 0x0000000000af7a10 ***
*** glibc detected *** double free or corruption: 0x0000000000af07b0 ***
------
no try and catch

Fatal error: Uncaught exception 'Exception' in /usr/home/kent/tests/trigger_errorTest.php:11
Stack trace:
#0 [internal function]: errorHandler(256, 'error', '/usr/home/kent/...', 7, Array)
#1 /usr/home/kent/tests/trigger_errorTest.php(7): trigger_error('error', 256)
#2 /usr/home/kent/tests/trigger_errorTest.php(3): test()
#3 {main}
  thrown in /usr/home/kent/tests/trigger_errorTest.php on line 11
*** glibc detected *** double free or corruption: 0x0000000000af7870 ***
*** glibc detected *** double free or corruption: 0x0000000000af7910 ***
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-07-21 14:27 UTC] tony2001@php.net

Dmitry, I can see some valgrind errors appearing only with --disable-zend-memory-manager:

==7780== Invalid read of size 4
==7780==    at 0x823AF65: _zend_is_inconsistent (zend_hash.c:53)
==7780==    by 0x823C0F4: zend_hash_destroy (zend_hash.c:510)
==7780==    by 0x82285B5: shutdown_executor (zend_execute_API.c:268)
==7780==    by 0x8234722: zend_deactivate (zend.c:823)
==7780==    by 0x81F416F: php_request_shutdown (main.c:1331)
==7780==    by 0x829DB17: main (php_cli.c:1142)
==7780==  Address 0x1BD72CC0 is 40 bytes inside a block of size 44 free'd
==7780==    at 0x1B9057CD: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==7780==    by 0x82331EE: _zval_dtor_func (zend_variables.c:44)
==7780==    by 0x822B0D0: _zval_dtor (zend_variables.h:35)
==7780==    by 0x8228947: _zval_ptr_dtor (zend_execute_API.c:386)
==7780==    by 0x8233450: _zval_ptr_dtor_wrapper (zend_variables.c:175)
==7780==    by 0x823C13B: zend_hash_destroy (zend_hash.c:519)

[2008-07-11 21:12 UTC] jani@php.net

We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.