[PHP-DEV] Bug #1110 Updated: str_replace still crashing under OpenBSD 2.4 (See BugID #1028)
From: Bug Database (php-dev <email protected>)
Date: 02/04/99

ID: 1110
User Update by: griggs <email protected>
Status: Open
Bug Type: Reproduceable crash
Description: str_replace still crashing under OpenBSD 2.4 (See BugID #1028)

An Update:
 
  Matt Cox, Jerry Karasz, and I have spent some time debugging the problem
I found with the PHP function str_replace. We believe we have determined
the problem that is causing php3 to segfault.

  In the function _php3_str_to_str in string.c, in the second block of
code commented "if there is a rest, copy it", if realloc returns a
different pointer, you need to also recompute 's' since 'q' has changed.
Please see my patch below.

Thanks,
Greg Riggs
griggs <email protected>
Los Alamos Technical Associates

----- patch file --------- cut here ----------------------
diff -C 10 string.c.orig string.c
*** string.c.orig Thu Feb 4 13:48:50 1999
--- string.c Thu Feb 4 13:58:53 1999
***************
*** 1380,1399 ****
--- 1380,1401 ----
        /* if there is a rest, copy it */
        if((end - p) > 0) {
                s = (q) + (end - p);
                off = realloc(new, s - new + 1);
                if(off != new) {
                        if(!off) {
                                goto finish;
                        }
                        q += off - new;
                        new = off;
+ /* need to recompute s also, since q has changed */
+ s = (q) + (end - p);
                }
                memcpy(q, p, end - p);
                q = s;
        }
  finish:
        *q = '\0';
        if(_new_length) *_new_length = q - new;
        return new;
  }
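Review bot: in the `if(off != new)` branch, the added `s = (q) + (end - p);` fixes the stale `s`, but the line just above it, `q += off - new;`, still rebases `q` by subtracting a pointer into the block that realloc has already released, which C leaves undefined. Saving the offset before the call (for example `size_t used = q - new;`) and setting `q = off + used;` afterwards avoids that, and `s` can be dropped entirely if the final `q = s;` becomes `q += end - p;`. The two added lines should also be indented to match the block they sit in. Separately, the `goto finish` taken when realloc returns NULL hands back a string without the trailing rest and gives the caller no error indication; that deserves a comment or an error return.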
----- cut here --------------------------------------
Hi,

The program below causes a reproducible crash under OpenBSD 2.4.
I built PHP using the latest CVS as of Feb 1, 1999, and the
str_replace function is still causing PHP to crash (please see BugID #1028).

Thanks,
  Greg Riggs
  griggs <email protected>

bash-2.02$ cat hack.php3
#!/home/gkr/php
<?

for($i=0; $i<3; $i++)
{
    $needle = 'needleneedle';
    $haystack = 'haystackhaystack';
    print "needle=|$needle|\n";
    print "hystack=|$haystack|\n";
    $foo = str_replace($needle, '', $haystack);
    $foolen = strlen($foo);
    print "foolen=|$foolen|\n";
    print "loop **** $i ****\n";
}

?>
bash-2.02$ gdb php
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd2.4"...
(gdb) run hack.php3
Starting program: /home/gkr/php hack.php3
Content-type: text/html

needle=|needleneedle|
hystack=|haystackhaystack|
foolen=|242704|
loop **** 0 ****
needle=|needleneedle|
hystack=|haystackhaystack|

Program received signal SIGSEGV, Segmentation fault.
0x400e450f in tcgetattr ()
(gdb) where
#0 0x400e450f in tcgetattr ()
#1 0x400e482a in tcgetattr ()
#2 0x400e4f64 in malloc ()
#3 0x278bd in _emalloc (size=4294652113,
    filename=0x4142a "functions/string.c", lineno=1425) at alloc.c:129
#4 0x4332d in php3_str_replace (ht=0x7b218, return_value=0x5e374,
    list=0x707ac, plist=0x706fc) at functions/string.c:1425
#5 0xce90 in phpparse () at control_structures_inline.h:930
#6 0x1fe2a in php3_parse (yyin=0x4012800c) at main.c:1534
#7 0x20cc5 in main (argc=2, argv=0xefbfdcb4) at main.c:1842
(gdb)

Full Bug description available at: http://ca.php.net/bugs.php3?id=1110

--
PHP Development Mailing List   http://www.php.net/
To unsubscribe send an empty message to php-dev-unsubscribe <email protected>
For help: php-dev-help <email protected>
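
Added example, not PHP source and not part of the original message: a small replace routine that tracks the write position as an offset instead of a pointer, so nothing derived from the old block is used after realloc moves it. The names `append` and `replace_all` are hypothetical; for the report's input (needle not present in the haystack) the result length is 16.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append n bytes of src at offset *len, growing *buf with realloc.
 * Only the offset survives the call, so a moved block cannot leave a
 * stale write pointer behind. Returns 0 on success, -1 on failure. */
static int append(char **buf, size_t *len, const char *src, size_t n)
{
    char *tmp;
    if (n >= (size_t)-1 - *len) return -1;  /* *len + n + 1 would wrap */
    tmp = realloc(*buf, *len + n + 1);      /* block may move */
    if (!tmp) return -1;                    /* old block is still valid */
    memcpy(tmp + *len, src, n);             /* index from the NEW base */
    *len += n;
    tmp[*len] = '\0';
    *buf = tmp;
    return 0;
}

/* Replace every occurrence of needle in hay with rep.
 * Returns a malloc'd string (length in *out_len) or NULL on error. */
char *replace_all(const char *hay, const char *needle, const char *rep,
                  size_t *out_len)
{
    size_t nlen = strlen(needle), rlen = strlen(rep), len = 0;
    const char *p = hay, *hit;
    char *out = NULL;

    if (nlen == 0) return NULL;             /* empty needle never advances */
    while ((hit = strstr(p, needle)) != NULL) {
        if (append(&out, &len, p, (size_t)(hit - p)) != 0 ||
            append(&out, &len, rep, rlen) != 0)
            goto fail;
        p = hit + nlen;
    }
    /* "if there is a rest, copy it" */
    if (append(&out, &len, p, strlen(p)) != 0) goto fail;
    if (out_len) *out_len = len;
    return out;
fail:
    free(out);                              /* fail loudly, no partial result */
    return NULL;
}

int main(void)
{
    size_t n;
    char *r = replace_all("haystackhaystack", "needleneedle", "", &n);
    if (!r) return 1;
    printf("%s %lu\n", r, (unsigned long)n);
    free(r);
    return 0;
}
```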