Debian Bug report logs - #726295
php5: segfault on zend_deactivate
Reported by: William Dauchy <wdauchy@gmail.com>
Date: Mon, 14 Oct 2013 07:57:02 UTC
Severity: normal
Tags: patch
Fixed in versions php5/5.4.4-14+deb7u7, 5.4.4-14+deb7u6
Done: Thijs Kinkhorst <thijs@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#726295; Package php5.
(Mon, 14 Oct 2013 07:57:06 GMT)
Acknowledgement sent
to William Dauchy <wdauchy@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Your message had a Version: pseudo-header with an invalid package
version:
php5 5.4.4-14+deb7u5
please either use found or fixed to the control server with a correct
version, or reply to this report indicating the correct version so the
maintainer (or someone else) can correct it for you.
(Mon, 14 Oct 2013 07:57:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: php5 5.4.4-14+deb7u5
Severity: normal
Tags: patch
We are sometimes getting a segfault with the following trace:
==22607== Invalid read of size 4
==22607== at 0x84EA438: _zval_dtor_func (zend_variables.c:46)
==22607== by 0x84DAA42: _zval_dtor (zend_variables.h:35)
==22607== by 0x84DAAEF: i_zval_ptr_dtor (zend_execute.h:81)
==22607== by 0x84DB851: _zval_ptr_dtor (zend_execute_API.c:428)
==22607== by 0x84E032A: cleanup_user_class_data (zend_opcode.c:169)
==22607== by 0x84E0419: zend_cleanup_user_class_data (zend_opcode.c:202)
==22607== by 0x84FC771: zend_hash_reverse_apply (zend_hash.c:799)
==22607== by 0x84DB4BE: shutdown_executor (zend_execute_API.c:289)
==22607== by 0x84EC528: zend_deactivate (zend.c:939)
==22607== by 0x84744D6: php_request_shutdown (main.c:1800)
==22607== by 0x8585386: do_cli (php_cli.c:1176)
==22607== by 0x8585B2F: main (php_cli.c:1377)
==22607== Address 0x4949fa8 is 0 bytes inside a block of size 20 free'd
==22607== at 0x4007F0F: free (vg_replace_malloc.c:446)
==22607== by 0x84BFEA5: _efree (zend_alloc.c:2437)
==22607== by 0x851CDEB: i_zval_ptr_dtor (zend_execute.h:82)
==22607== by 0x8541EA6: ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:15900)
==22607== by 0x8521499: execute_ex (zend_vm_execute.h:356)
==22607== by 0x85214FD: zend_execute (zend_vm_execute.h:381)
==22607== by 0x84DD3D5: zend_call_function (zend_execute_API.c:941)
==22607== by 0x85080A9: zend_call_method (zend_interfaces.c:97)
==22607== by 0x8515232: zend_objects_destroy_object (zend_objects.c:123)
==22607== by 0x851B546: zend_objects_store_del_ref_by_handle_ex (zend_objects_API.c:207)
==22607== by 0x851B426: zend_objects_store_del_ref (zend_objects_API.c:173)
==22607== by 0x84EA474: _zval_dtor_func (zend_variables.c:54)
It appears that we found a related bug upstream:
https://bugs.php.net/64720
The patch attached is here
http://git.php.net/?p=php-src.git;a=commit;h=77fffff15762137e2d8173df9b733b4cb70fc996
The patch seems more than needed for the wheezy version.
Thanks,
--
William
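An added example, not part of the original report: a small Python triage helper for a Memcheck error like the one above. It splits the report into the stack that touched the block and the stack that freed it, then lists functions present on both. The sample input is abridged from the trace above; the function names `triage` and `summarize` and the `ALLOCATOR` skip list are assumptions of this example.

```python
import re

# Abridged from the trace above (frames omitted); not a complete Memcheck report.
SAMPLE = """\
==22607== Invalid read of size 4
==22607==    at 0x84EA438: _zval_dtor_func (zend_variables.c:46)
==22607==    by 0x84E032A: cleanup_user_class_data (zend_opcode.c:169)
==22607==    by 0x84DB4BE: shutdown_executor (zend_execute_API.c:289)
==22607==  Address 0x4949fa8 is 0 bytes inside a block of size 20 free'd
==22607==    at 0x4007F0F: free (vg_replace_malloc.c:446)
==22607==    by 0x84BFEA5: _efree (zend_alloc.c:2437)
==22607==    by 0x8541EA6: ZEND_UNSET_DIM_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:15900)
==22607==    by 0x8515232: zend_objects_destroy_object (zend_objects.c:123)
==22607==    by 0x84EA474: _zval_dtor_func (zend_variables.c:54)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
HEADER = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+)$")
BLOCK = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside "
                   r"a block of size (\d+) (free'd|alloc'd)$")
ALLOCATOR = {"free", "_efree"}  # assumption: wrappers skipped when naming the freeing site

def triage(report):
    """Split one Memcheck error into the access stack and the block-origin stack."""
    result = {"kind": None, "block": None, "access": [], "origin": []}
    stack = result["access"]
    for line in report.splitlines():
        if m := HEADER.match(line):
            result["kind"] = m.group(1)
        elif m := BLOCK.match(line):
            result["block"] = {"addr": m.group(1), "offset": int(m.group(2)),
                               "size": int(m.group(3)), "state": m.group(4)}
            stack = result["origin"]  # frames after this line describe the free/alloc
        elif m := FRAME.match(line):
            stack.append((m.group(1), m.group(2)))
    return result

def summarize(result):
    """Report who read the block, who freed it, and which functions are on both stacks."""
    block, access, origin = result["block"], result["access"], result["origin"]
    seen = {fn for fn, _ in access}
    return {
        "use_after_free": block is not None and block["state"] == "free'd",
        "read_in": access[0][0] if access else None,
        "freed_by": next((fn for fn, _ in origin if fn not in ALLOCATOR), None),
        "reentered": [fn for fn, _ in origin if fn in seen],
    }
```

On the abridged sample, `summarize(triage(SAMPLE))` flags a read of a freed block and lists `_zval_dtor_func` on both stacks, with the free reached through `zend_objects_destroy_object`.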
Reply sent
to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(Thu, 12 Dec 2013 21:00:25 GMT)
Notification sent
to William Dauchy <wdauchy@gmail.com>:
Bug acknowledged by developer.
(Thu, 12 Dec 2013 21:00:25 GMT)
Message #10 received at 726295-done@bugs.debian.org:
Version: 5.4.4-14+deb7u6
php5 (5.4.4-14+deb7u6) stable; urgency=low

  [ William Dauchy ]
  * upstream fix: curl memory leak (Closes: #725868)
  * upstream fix: allow root to run php-fpm (Closes: #725890)
  * upstream fix: remove annoying warnings with php-fpm and user usage
    (Closes: #725972)
  * upstream fix: memoryleak in function declaration (Closes: #726033)
  * upstream fix: munmap() is called with the incorrect length (Closes:
    #726037)
  * upstream fix: segfault on zend_deactivate (Closes: #726295)
  * upstream fix: Possible null dereference (Closes: #726320)
  * upstream fix: Phar::buildFromDirectory creates corrupt archives
    (Closes: #726379)
  * upstream fix: segfault while loading extensions (Closes: #726627)
  * upstream fix: (un)serialize() leaves dangling pointers, causes crashes
    (Closes: #726633)
Marked as fixed in versions php5/5.4.4-14+deb7u7.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Thu, 12 Dec 2013 22:33:08 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 10 Jan 2014 07:36:03 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:28:15 2023; Machine Name: bembo