From:             twm at twmacinta dot com
Operating system: Red Hat Enterprise Linux ES 3
PHP version:      5.2.5
PHP Bug Type:     Reproducible crash
Bug description:  Invalid encoding in pspell_config_create() w/ pspell_new_config() causes abort

Description:
------------
When I pass an invalid encoding as the fourth argument to the function
pspell_config_create() and then pass that return value to
pspell_new_config(), PHP aborts and stops running.  This is causing the
"make test" script named "ext/pspell/tests/003.phpt" to fail on my system
when I try to test my new build of PHP.  I have created a simpler test case
for this bug report and also read through the code a bit more to come up
with an analysis which I think might be helpful.

My test script works as expected in older versions of PHP on the same
operating system.  In particular, it works fine in PHP 4.3 on the same OS. 
This applies to both my custom compiled version of PHP as well as the most
recent build from Red Hat.  I believe that the problem was introduced in
revision 1.45.2.4.2.5.  See line 405 below:

http://cvs.php.net/viewvc.cgi/php-src/ext/pspell/pspell.c?r1=1.45.2.4.2.4&r2=1.45.2.4.2.5&pathrev=PHP_5_2

The problem is that delete_pspell_manager() is called on a pointer
obtained from new_pspell_manager() which isn't necessarily a pspell
manager.  It can either be an error or a pspell manager.  Here is the code
from the pspell library - note that the first return statement can result
in PHP getting something which isn't a pspell manager (which is what it
incorrectly frees):

PspellCanHaveError * new_pspell_manager(PspellConfig * c) 
{
  PspellCanHaveError * possible_err = find_word_list(c);
  if (possible_err->error_number() != 0)
    return possible_err;
  PspellConfig * config = (PspellConfig *)(possible_err);
  possible_err = new_pspell_manager_class(config);
  delete config;
  return possible_err;
}

Perhaps this error isn't being triggered on your test systems since it
depends upon whether the system's pspell library was compiled to enforce
assertions.

Note that there were several other changes like this made in revision
1.45.2.4.2.5.  There were other lines added which call delete_pspell_*(),
possibly with an invalid argument.  I don't know if they are a problem in
reality - I only caught the line that I'm reporting because "make test"
failed for me.  I was a little hesitant to remove those lines in my own
code since they were added without other major changes, so there was
presumably some reason for them, though the revision comment and change log
don't mention what it was.

I used "php -n" to run all of the tests, so as to rule out "php.ini" as a
problem.  I tried the test script with both PHP 5.2.5 and the latest CVS
snapshot, php5.2-200804291230.


Reproduce code:
---------------
<?php
$cfg2 = pspell_config_create('en', 'british', '', 'b0rked'); // 'b0rked' is an invalid encoding name
$p2 = pspell_new_config($cfg2);   // line 3: emits the warning, then aborts in the buggy build
print("Done\n");


Expected result:
----------------
Warning: pspell_new_config(): PSPELL couldn't open the dictionary. reason:
The encoding "b0rked" is not known. This could also mean that the file
"/usr/share/pspell/b0rked.map" could not be opened for reading or does not
exist.  in /tmp/timtest20080429.php on line 3
Done


Actual result:
--------------
Warning: pspell_new_config(): PSPELL couldn't open the dictionary. reason:
The encoding "b0rked" is not known. This could also mean that the file
"/usr/share/pspell/b0rked.map" could not be opened for reading or does not
exist.  in /tmp/timtest20080429.php on line 3
php: manager_impl.cc:30: void free_lt_handle(void*): Assertion `s == 0'
failed.
Aborted


-- 
Edit bug report at http://bugs.php.net/?id=44862&edit=1
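The pattern the report describes (a result that is either a manager or an error object, freed with the manager-specific destructor regardless) is shown below in a self-contained C model. This is an added example, not code from the bug report, from PHP or from the pspell library: every name here (can_have_error, model_new_manager, model_delete_manager, model_delete_can_have_error, open_manager_unchecked, open_manager_checked) is constructed for the model and assumed, and the library's assertion is represented as a return code rather than an abort so the two call patterns can be compared.

```c
/* Added example (not from the bug report, PHP or pspell): a self-contained model
 * of a "can have error" result type, showing why the caller must check the error
 * number before choosing a destructor. All names are constructed for the model. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum kind { KIND_MANAGER = 1, KIND_ERROR = 2 };

/* Model of the library's "can have error" result: a manager or an error record. */
typedef struct {
    enum kind kind;
    int error_number;       /* 0 on success, non-zero for an error */
    char error_message[64];
    void *manager_state;    /* only valid when kind == KIND_MANAGER */
} can_have_error;

/* Model of new_pspell_manager(): an error object for an unknown encoding,
 * a manager otherwise. Encoding names accepted here are constructed. */
static can_have_error *model_new_manager(const char *encoding)
{
    can_have_error *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    if (strcmp(encoding, "utf-8") != 0 && strcmp(encoding, "iso8859-1") != 0) {
        r->kind = KIND_ERROR;
        r->error_number = 1;
        snprintf(r->error_message, sizeof r->error_message,
                 "The encoding \"%s\" is not known.", encoding);
        return r;
    }
    r->kind = KIND_MANAGER;
    r->manager_state = malloc(16);
    return r;
}

/* Model of delete_pspell_manager(): the real library asserts the object is a
 * manager (the "Assertion `s == 0' failed" in the report). Here the mismatch is
 * a return code so it can be observed: 0 on success, -1 if not a manager. */
static int model_delete_manager(can_have_error *r)
{
    if (r->kind != KIND_MANAGER) return -1;
    free(r->manager_state);
    free(r);
    return 0;
}

/* Model of the destructor that is valid for either variant. */
static void model_delete_can_have_error(can_have_error *r)
{
    if (r->kind == KIND_MANAGER) free(r->manager_state);
    free(r);
}

/* The broken pattern from the report: treat every result as a manager.
 * Returns 0 if the destructor matched, -1 on a wrong-destructor call
 * (the object leaks in the model where the real code would abort). */
int open_manager_unchecked(const char *encoding)
{
    can_have_error *r = model_new_manager(encoding);
    if (!r) return -1;
    return model_delete_manager(r);   /* wrong when r is an error object */
}

/* The corrected pattern: inspect the error number first and pick the
 * destructor that matches what was actually returned.
 * Returns 0 on success, the error number on failure; msg gets the message. */
int open_manager_checked(const char *encoding, char *msg, size_t msg_len)
{
    can_have_error *r = model_new_manager(encoding);
    if (!r) return -1;
    if (r->error_number != 0) {
        int err = r->error_number;
        snprintf(msg, msg_len, "%s", r->error_message); /* what a warning would carry */
        model_delete_can_have_error(r);   /* valid for the error variant */
        return err;
    }
    msg[0] = '\0';
    model_delete_manager(r);              /* now known to be a manager */
    return 0;
}

int main(void)
{
    char msg[64];
    printf("unchecked, bad encoding: %d\n", open_manager_unchecked("b0rked"));
    printf("checked, bad encoding:   %d (%s)\n",
           open_manager_checked("b0rked", msg, sizeof msg), msg);
    printf("checked, good encoding:  %d\n", open_manager_checked("utf-8", msg, sizeof msg));
    return 0;
}
```

The checked variant is the shape a caller wants: the discriminant (here the error number) decides which destructor applies, so an error result is released through the destructor that understands it instead of being handed to one that assumes a manager.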