Source

php-src / TODO_SEGFAULTS

    This is an overview over existing segfaults in the current PHP source
    tree.


Fixed:

    mb_convert_encoding (Moriyoshi)
    socket_iovec_alloc (Rasmus)
    exif_imagetype,exif_thumbnail (Rasmus)
    dbase_open (Rasmus)
    array_pad (Rasmus)
    setlocale (Rasmus)
    unregister_tick_function (Rasmus)
    bcsub (Rasmus)
    str_repeat (Ilia)
    imagecopyresized (Ilia)
    mhash_keygen_s2k (Ilia)
    bundled gd (Ilia)
    mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi)
    xml_parser_create (Moriyoshi)
    ob_start (Sascha)
    imagecreate/-truecolor (Sascha)
    flock (Sascha)
    register_shutdown_function (Sascha)
    mb_strcut('', [number greater than the length of first arg]) (Moriyoshi)
    ext/exif, ext/dba (Marcus)
    php_base64_encode (Moriyoshi)
	
Open:

    the dbase extension         (1)
    socket_select               (2)
    pack                        (3)
	
(1) heap corruption, mostly visible in malloc-related calls.  Whether you see 
    this or not might depend on your libc/compiler.  Hard to track down,
    because the result of the corruption might be quite delayed.

    Reproducable with glibc-2.3/gcc 3.2.2 by:
	
cat <<X | php do_crash
dbase_add_record
dbase_close
dbase_create
dbase_delete_record
dbase_get_record
dbase_get_record_with_names
dbase_numfields
dbase_numrecords
dbase_open
X 

(2) heap corruption, dies in efree()/execute()

Methodology

    1. Use a plain PHP_4_3 tree
    2. Use the config.nice from ammendment 1.
    3. Download the test script from:

        <URL:http://schumann.cx/do_crash.txt>

    4a. Use the scripts funcparse.awk/genfunclist.sh from phpdoc/scripts
        for creating a plain text function list.  Feed that list to
        the script.  Avoid calls like pcntl_fork.  Manually remove functions
        which take too long to finish/eat up all memory.
    
    4b. For testing a single function, echo the name of the function to
        the script like this:

        echo dbase_open | php do_crash.txt

(3) multiple integer overflows, ex. pack("d4294967297", 2);

Amendment 1.

CFLAGS='-O0 -g' \
'../src/php4/configure' \
'--enable-pcntl' \
'--enable-shmop' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-wddx' \
'--enable-yp' \
'--enable-filepro' \
'--enable-ftp' \
'--enable-dba' \
'--enable-dbase' \
'--enable-dio' \
'--enable-exif' \
'--enable-mbstring' \
'--enable-mbregex' \
'--enable-sockets' \
'--enable-bcmath' \
'--enable-calendar' \
'--enable-pcntl' \
'--enable-shmop' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-wddx' \
'--enable-yp' \
'--enable-filepro' \
'--enable-ftp' \
'--enable-dba' \
'--enable-dbase' \
'--enable-dio' \
'--enable-exif' \
'--enable-mbstring' \
'--enable-mbregex' \
'--enable-sockets' \
'--enable-bcmath' \
'--enable-calendar' \
"$@"
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.