[PHP-DEV] latest cvs: crash in str_replace() From: Chuck Hagenbuch (chuck <email protected>)
Date: 11/14/00

Doing a str_replace() on any relatively large string with the latest php4 cvs
gives me the following backtrace:

(gdb) run -X
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/apache.dbg -X

Program received signal SIGSEGV, Segmentation fault.
0x400f7c15 in free () from /lib/libc.so.6
(gdb) bt
#0 0x400f7c15 in free () from /lib/libc.so.6
#1 0x400f8501 in realloc () from /lib/libc.so.6
#2 0x400f7ffd in realloc () from /lib/libc.so.6
#3 0x401e870b in zend_do_do_while_begin () at zend_compile.c:1304
#4 0x402838a8 in php_sscanf_internal (
    string=0x80ffd9c "<?php\n/*\n * $Horde: imp/message.php,v 2.170 2000/11/13
20:49:03 chuck Exp $\n *\n * Copyright 1999, 2000 Charles J. Hagenbuch
<chuck <email protected>>\n * Copyright 1999, 2000 Jon Parise <jon <email protected>>\n *\n *
S"...,
    format=0x3a51 <Address 0x3a51 out of bounds>, argCount=135199668,
    args=0x2, varStart=134979444, return_value=0x7) at scanf.c:661
#5 0x40283c9e in php_sscanf_internal (string=0x3 <Address 0x3 out of bounds>,
    format=0x80fa12c "", argCount=0, args=0x1, varStart=2047,
    return_value=0x402e25bc) at scanf.c:866
#6 0x401f34d9 in execute (op_array=0x80eaac4) at ./zend_execute.c:2237
#7 0x4020191f in zend_hash_index_update_or_next_insert (ht=0x8, h=3,
    pData=0x0, nDataSize=3221223080, pDest=0x0, flag=4095) at zend_hash.c:402
#8 0x40213104 in php_mime_split (
    buf=0xbffff6a8 "\002t/@¬\200\016\bÄ\237\013\b «\016\b", cnt=1076852288,
    boundary=0xbffff6bc "ìöÿ¿H\002!@,f\016\b", array_ptr=0x4020f869)
    at rfc1867.c:259
#9 0x4020f8cf in php_hash_environment () at main.c:1034
#10 0x40210248 in php_lint_script (file=0x80e662c) at main.c:1275
#11 0x40210286 in php_lint_script (file=0x80e662c) at main.c:1285
---Type <return> to continue, or q <return> to quit---
#12 0x8053e74 in ap_invoke_handler (r=0x80e662c) at http_config.c:508
#13 0x806271c in process_request_internal (r=0x80e662c) at http_request.c:1214
#14 0x8062778 in ap_process_request (r=0x80e662c) at http_request.c:1230
#15 0x805c509 in child_main (child_num_arg=0) at http_main.c:4122
#16 0x805c69c in make_child (s=0x8099f44, slot=0, now=974233605)
    at http_main.c:4235
#17 0x805c7b9 in startup_children (number_to_start=5) at http_main.c:4317
#18 0x805cc6b in standalone_main (argc=2, argv=0xbffff954) at http_main.c:4605
#19 0x805d31d in main (argc=2, argv=0xbffff954) at http_main.c:4933
(gdb)

Here's the script to reproduce it:

<?php

error_reporting(E_ALL);

// Read the whole file into one large string (separator first, array second).
$text = implode('', file('/var/www/horde/imp/message.php'));

// The crash happens in this call on any sufficiently large input.
$text = str_replace(' ', ' &nbsp;', $text);

echo htmlspecialchars(nl2br($text));

?>

Substitute any relatively large file, or other source of a large string in the
implode line - I originally got this on a string retrieved from an email
message.

-chuck

--
Charles Hagenbuch, <chuck <email protected>>
"If you can't stand the heat, get out of the chicken!" - Baby Blues
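Added example (not part of the original report): a reproduction that builds the large input with str_repeat() instead of reading a file, so it runs anywhere, and that checks str_replace()'s output length against the expected growth so a buffer-handling defect shows up as a mismatch even when it does not crash. The sample line and the size ladder are constructed here.

```php
<?php
// Added example, not from the original post: file-independent check of
// str_replace() on large strings. Sample text and sizes are constructed.

error_reporting(E_ALL);

function check_str_replace($lines)
{
    // Build a large input with a known number of spaces per line.
    $line   = "some sample text with exactly six spaces\n";
    $text   = str_repeat($line, $lines);
    $spaces = substr_count($text, ' ');

    // Same replacement as in the reported script.
    $out = str_replace(' ', ' &nbsp;', $text);

    // Every space grows by strlen('&nbsp;') == 6 bytes. A different length,
    // or a different count of '&nbsp;', means the replacement mishandled
    // its output buffer for this input size.
    $expected = strlen($text) + 6 * $spaces;
    return strlen($out) === $expected
        && substr_count($out, '&nbsp;') === $spaces;
}

// Walk up through input sizes; a faulty build crashes or reports MISMATCH
// once the string is "relatively large".
foreach (array(1, 100, 10000, 100000) as $n) {
    printf("%7d lines: %s\n", $n, check_str_replace($n) ? 'ok' : 'MISMATCH');
}
```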

-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>