[PHP-DEV] Bug #5385: PHP engine bug that causes memory block freed multiple times leading to crashes From: priit <email protected>
Date: 07/05/00

From: priit <email protected>
Operating system: SunOS 2.7 / RH Linux 6.1
PHP version: 3.0.16
PHP Bug Type: Reproduceable crash
Bug description: PHP engine bug that causes memory block freed multiple times leading to crashes

In certain conditions, several functions inserted into the symbol table by the end_function_decleration() function have a value.func.arg_types pointer referring to the same memory block. This causes that memory block to be freed multiple times during the request cleanup process, which mixes up internal PHP memory structures and leads to crashes.

Here is an example of that condition:
test.phtml:
<?
// test() takes its argument by reference and, while running, includes
// test1.phtml, so test1() is declared from inside the body of test().
function test(&$vvv){
        include("test1.phtml");
        test1($vvv);
}
test($qqq);
?>
test1.phtml:
<?
// Also takes its argument by reference.
function test1(&$vvv){
        $vvv=6;
}
?>

When requesting test.phtml with DEBUG turned on, you get the following error in the error log:
[Tue Jul 4 17:30:31 2000] [error] Illegal _efree: 2 bytes from control_structures_inline.h:454 (variables.c:84)
---------------------------------------
Block 0x08842140 status at variables.c:84:
Beginning: Cached (allocated on control_structures_inline.h:454, 2 bytes)
      End: OK
---------------------------------------

Fix:
Initialize GLOBAL(function_state).func_arg_types to NULL in the start_function_decleration() function:
pluto:/u2/src/php-3.0.15>diff control_structures_inline.h.old control_structures_inline.h
495a496
> GLOBAL(function_state).func_arg_types = NULL;
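Review bot: the hunk is given as a plain `ed`-style diff (`495a496`) against php-3.0.15 while the report is filed against 3.0.16, so the insertion point cannot be confirmed from the patch alone; please resend as `diff -u` with context so reviewers can see which statement in start_function_decleration() the `GLOBAL(function_state).func_arg_types = NULL;` line follows and verify it applies to 3.0.16. Since the report says end_function_decleration() is where the pointer is stored into value.func.arg_types, also consider clearing GLOBAL(function_state).func_arg_types at that hand-off point, so ownership of the block is transferred exactly once regardless of how the next declaration begins.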

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
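As an added illustration, not code from this report or from the PHP 3 sources, the following C program models the failure mode the report describes: a per-declaration scratch pointer that is never reset lets two symbol-table entries end up owning the same heap block, which request cleanup then frees twice. The engine structs, the lazily built arg-type table, the `patched` switch and the debug allocator are all assumptions of this model; the debug allocator plays the role of PHP's DEBUG build by counting a repeated free instead of handing it to free(), where it would be undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the aliasing bug from the report; not PHP code. */
#define MAX_FUNCS  8
#define MAX_ARGS   8
#define MAX_BLOCKS 16

typedef struct {
    const char *name;
    unsigned char *arg_types;   /* 1 = by reference; NULL if no table was built */
} function_entry;

typedef struct {
    unsigned char *func_arg_types;   /* stands in for GLOBAL(function_state).func_arg_types */
} function_state_t;

typedef struct {
    function_state_t function_state;
    function_entry symtab[MAX_FUNCS];
    int nfuncs;
    int patched;   /* 0 = behaviour before the fix, 1 = reset pointer in start_function_declaration() */
} engine;

/* Debug allocator: remembers every block of the request so a second free of
 * the same block is counted ("Illegal _efree") rather than executed. */
static void *blocks[MAX_BLOCKS];
static int block_live[MAX_BLOCKS];
static int nblocks;
static int illegal_frees;

static void debug_reset(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i]);   /* real release, once per block */
    nblocks = 0;
    illegal_frees = 0;
}

static void *debug_alloc(size_t n) {
    if (nblocks == MAX_BLOCKS) abort();
    void *p = calloc(1, n);
    if (!p) abort();
    blocks[nblocks] = p;
    block_live[nblocks] = 1;
    nblocks++;
    return p;
}

static void debug_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i] == p) {
            if (block_live[i]) { block_live[i] = 0; return; }
            illegal_frees++;   /* block already freed: heap metadata would be corrupted */
            return;
        }
    }
    illegal_frees++;   /* pointer never came from this allocator */
}

static void start_function_declaration(engine *e) {
    if (e->patched) e->function_state.func_arg_types = NULL;   /* the report's one-line fix */
}

/* Model assumption: the arg-type table is created on the first by-reference
 * parameter, so a stale non-NULL scratch pointer is silently reused. */
static void declare_by_ref_arg(engine *e, int index) {
    if (!e->function_state.func_arg_types)
        e->function_state.func_arg_types = debug_alloc(MAX_ARGS);
    e->function_state.func_arg_types[index] = 1;
}

static void end_function_declaration(engine *e, const char *name) {
    function_entry *f = &e->symtab[e->nfuncs++];
    f->name = name;
    f->arg_types = e->function_state.func_arg_types;   /* entry now owns the block */
    /* Nothing clears function_state.func_arg_types here. */
}

/* Request shutdown: each symbol-table entry frees the block it believes it owns. */
static void request_cleanup(engine *e) {
    for (int i = 0; i < e->nfuncs; i++) debug_free(e->symtab[i].arg_types);
    e->nfuncs = 0;
}

typedef struct { int aliased; int illegal_frees; } request_result;

/* Declares test(&$vvv) then test1(&$vvv), as in the report, and runs cleanup. */
request_result run_request(int patched) {
    engine e = {0};
    e.patched = patched;
    debug_reset();

    start_function_declaration(&e);
    declare_by_ref_arg(&e, 0);
    end_function_declaration(&e, "test");

    start_function_declaration(&e);
    declare_by_ref_arg(&e, 0);
    end_function_declaration(&e, "test1");

    request_result r;
    r.aliased = (e.symtab[0].arg_types == e.symtab[1].arg_types);
    request_cleanup(&e);
    r.illegal_frees = illegal_frees;
    return r;
}

int main(void) {
    request_result before = run_request(0), after = run_request(1);
    printf("unpatched: aliased=%d illegal frees=%d\n", before.aliased, before.illegal_frees);
    printf("patched:   aliased=%d illegal frees=%d\n", after.aliased, after.illegal_frees);
    return 0;
}
```

Running the model unpatched shows both entries pointing at one block and one illegal free at cleanup; with the reset in start_function_declaration() each entry gets its own block and cleanup frees each exactly once. The same tracking-allocator idea is what makes a DEBUG build report the double free at the offending call site instead of crashing somewhere later in the request.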