Edit report at https://bugs.php.net/bug.php?id=51588&edit=1

 ID:                 51588
 Updated by:         bj...@php.net
 Reported by:        f...@php.net
 Summary:            calling zend_parse_ini_string/file recursively core dump
-Status:             Open
+Status:             Feedback
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   any
 PHP Version:        5.3.2
 Block user comment: N
 Private report:     N

 New Comment:

Any particular reason you haven't committed this yet?


Previous Comments:
------------------------------------------------------------------------
[2010-04-18 12:29:13] f...@php.net

The following patch has been added/updated:

Patch Name: zend_ini_parser.y.patch
Revision:   1271586553
URL:        http://bugs.php.net/patch-display.php?bug=51588&patch=zend_ini_parser.y.patch&revision=1271586553

------------------------------------------------------------------------
[2010-04-18 12:28:33] f...@php.net

Description:
------------
When zend_parse_ini_string or zend_parse_ini_file is called recursively, it
crashes. The lexical state variable is global; calling those functions
recursively overwrites the previous version and crashes at liberation/destruction.

To prevent this behaviour, the following patch makes zend_parse_ini_string and
zend_parse_ini_file return an error when called recursively.

Test script:
---------------
#include "php.h"
#include "zend_ini.h"
#include "zend_ini_scanner.h"   /* ZEND_INI_SCANNER_RAW */

void fpm_conf_load_ini_file(char *filename TSRMLS_DC);

/* Parser callback: an "include = <file>" entry loads that file, which
 * re-enters zend_parse_ini_file while the outer parse is still running. */
static void fpm_conf_ini_parser(zval *arg1, zval *arg2, zval *arg3,
    int callback_type, void *arg TSRMLS_DC) {
 if (!arg1) return;
 if (callback_type != ZEND_INI_PARSER_ENTRY) return;
 if (!strcmp(Z_STRVAL_P(arg1), "include")) {
   /* the entry's value (arg2) names the file to include */
   fpm_conf_load_ini_file(Z_STRVAL_P(arg2) TSRMLS_CC);
 }
}

void fpm_conf_load_ini_file(char *filename TSRMLS_DC) {
 zend_file_handle fh;

 fh.handle.fp = VCWD_FOPEN(filename, "r");
 if (!fh.handle.fp) return;
 fh.opened_path = NULL;
 fh.free_filename = 0;
 fh.filename = filename;
 Z_TYPE(fh) = ZEND_HANDLE_FP;

 zend_parse_ini_file(&fh, 1, ZEND_INI_SCANNER_RAW,
   (zend_ini_parser_cb_t)fpm_conf_ini_parser, NULL TSRMLS_CC);
}

Expected result:
----------------
It doesn't crash; it works or returns an error.

Actual result:
--------------
core dump


#0  _zend_mm_free_int (heap=0x8271c000, p=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2018
#1  0x1c23154a in _efree (ptr=0x7d3fe1f8) at /LIBRE/dev/php-5.3.2/Zend/zend_alloc.c:2351
#2  0x1c245b5b in zend_stack_destroy (stack=0x3c2c2804) at /LIBRE/dev/php-5.3.2/Zend/zend_stack.c:104
#3  0x1c22bd1c in shutdown_ini_scanner () at zend_ini_scanner.l:201
#4  0x1c22b035 in zend_parse_ini_file (fh=0xcfbd3c70, unbuffered_errors=1 '\001', scanner_mode=0, ini_parser_cb=0x8271c000, arg=0x8271c000) at /LIBRE/dev/php-5.3.2/Zend/zend_ini_parser.c:322
#5  0x1c2aefa8 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:739
#6  0x1c2af002 in fpm_conf_load_ini_file (filename=0xcfbd602e "/usr/local/php-5.3.2/etc/fpm.ini") at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_conf.c:751
#7  0x1c2ad489 in fpm_init (argc=-2106474496, argv=0x8271c000, config=0x8271c000 "\001", base=0x3c2bf81c) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm.c:32
#8  0x1c2b14ff in main (argc=3, argv=0xcfbd5eac) at /LIBRE/dev/php-5.3.2/sapi/fpm/fpm/fpm_main.c:1695
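An added illustration of the failure mode described above and of the guard the patch introduces, written as a toy C model; it is not code from the Zend engine, from php-fpm or from this report. It keeps scanner state in one global struct (ini_scan_state, a hypothetical stand-in for the real scanner's globals), parses "key=value" lines through a per-entry callback, and has the callback re-enter the parser on an "include" entry the way the reporter's fpm callback does. All names (toy_parse_ini_string, run_nested, the TOY_* result codes) and the two sample documents OUTER_DOC and INNER_DOC are assumptions of this example. With the guard on, the nested call is refused and the outer parse completes; with it off, the nested call re-initialises and then frees the shared state out from under the outer call, which the model detects instead of shutting down a second time:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_SUCCESS    0
#define TOY_FAILURE   (-1)  /* what the guarded parser returns to a nested caller */
#define TOY_CLOBBERED (-2)  /* model-only: a nested call overwrote the shared state */

typedef void (*toy_ini_cb_t)(const char *key, const char *value, void *arg);
/* Hypothetical stand-in for the scanner's global lexical state. */
static struct {
    char *buf;     /* private copy of the text being scanned */
    char *cursor;  /* scan position inside buf */
    int   active;  /* nonzero while a parse is in progress (the guard) */
} ini_scan_state;
static int toy_init_scanner(const char *text) {
    size_t n = strlen(text) + 1;
    ini_scan_state.cursor = ini_scan_state.buf = malloc(n);
    if (!ini_scan_state.buf) return TOY_FAILURE;
    memcpy(ini_scan_state.buf, text, n);
    return TOY_SUCCESS;
}

static void toy_shutdown_scanner(void) {
    free(ini_scan_state.buf);
    ini_scan_state.buf = ini_scan_state.cursor = NULL;
}

/* Splits the next "key=value" line in place; returns 0 at end of input. */
static int toy_next_entry(char **key, char **value) {
    for (;;) {
        char *line = ini_scan_state.cursor, *eol, *eq;
        if (!line || !*line) return 0;
        eol = strchr(line, '\n');
        if (eol) { *eol = '\0'; ini_scan_state.cursor = eol + 1; }
        else ini_scan_state.cursor = line + strlen(line);
        eq = strchr(line, '=');
        if (!eq) continue;  /* skip lines without '=' */
        *eq = '\0';
        *key = line; *value = eq + 1;
        return 1;
    }
}

/* guard=1 is the behaviour the patch adds: a nested call gets TOY_FAILURE
 * instead of re-initialising the global state. guard=0 lets it through. */
int toy_parse_ini_string(const char *text, toy_ini_cb_t cb, void *arg, int guard) {
    char *my_buf, *key, *value;
    if (guard && ini_scan_state.active) return TOY_FAILURE;
    if (toy_init_scanner(text) != TOY_SUCCESS) return TOY_FAILURE;
    ini_scan_state.active = 1;
    my_buf = ini_scan_state.buf;  /* bookkeeping the real engine does not keep */
    while (toy_next_entry(&key, &value)) {
        cb(key, value, arg);  /* the callback may call us again */
        if (ini_scan_state.buf != my_buf) {
            /* A nested call re-initialised and shut down the shared state: free
             * our own copy and report it rather than shutting down a second time. */
            free(my_buf);
            ini_scan_state.active = 0;
            return TOY_CLOBBERED;
        }
    }
    toy_shutdown_scanner();
    ini_scan_state.active = 0;
    return TOY_SUCCESS;
}

/* Constructed sample documents: the outer one carries an include directive. */
static const char OUTER_DOC[] = "a=1\ninclude=inner.ini\nc=3\n";
static const char INNER_DOC[] = "b=2\nd=4\n";

struct seen { char entries[128]; int nested_rc; int guard; };
/* Records every entry and, like the reporter's fpm callback, re-enters the
 * parser on "include" (here with the constructed INNER_DOC). */
static void record_cb(const char *key, const char *value, void *arg) {
    struct seen *s = arg;
    if (s->entries[0]) strcat(s->entries, ",");
    strcat(s->entries, key); strcat(s->entries, "="); strcat(s->entries, value);
    if (strcmp(key, "include") == 0)
        s->nested_rc = toy_parse_ini_string(INNER_DOC, record_cb, s, s->guard);
}

/* Parses OUTER_DOC with the guard on or off; returns the outer parser's result
 * and leaves the visited entries and the nested call's result in *s. */
int run_nested(int guard, struct seen *s) {
    memset(s, 0, sizeof *s);
    s->guard = guard;
    return toy_parse_ini_string(OUTER_DOC, record_cb, s, guard);
}

int main(void) {
    struct seen s;
    int rc = run_nested(1, &s);
    printf("guarded:   outer=%d nested=%d entries=%s\n", rc, s.nested_rc, s.entries);
    rc = run_nested(0, &s);
    printf("unguarded: outer=%d nested=%d entries=%s\n", rc, s.nested_rc, s.entries);
    return 0;
}
```

The real engine has no such ownership check: once the nested call has re-initialised and shut down the shared scanner state, a zend_stack_destroy on that state ends in _efree on a pointer the allocator rejects, which is what the backtrace above shows under shutdown_ini_scanner. The guard (the `active` flag here, the error return in the patch) is the cheap fix; a re-entrant scanner with per-call state would be the structural one.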



------------------------------------------------------------------------


