Ubuntu
php5 package

eval() with base64_decode causes segfault

Bug #594696 reported by Matthew Chambers
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: php5

Description: Ubuntu 10.04 LTS
Release: 10.04

php5:
  Installed: (none)
  Candidate: 5.3.2-1ubuntu4.2
  Version table:
     5.3.2-1ubuntu4.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
     5.3.2-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages

<?php
    //echo base64_encode('printf("output text");'); // Generates the string used below
    eval(base64_decode('cHJpbnRmKCJvdXRwdXQgdGV4dCIpOw==')); // Should print 'output text'
?>

Revision history for this message
Matthew Chambers (matt-chambers) wrote :

I should also say making the following change does not cause a segfault and the code works as expected.

<?php
    //echo base64_encode('printf("output text");'); // Generates the string used below
    $decoded = base64_decode('cHJpbnRmKCJvdXRwdXQgdGV4dCIpOw==');
    eval($decoded); // Should print 'output text', and it does!
?>

Revision history for this message
Matthew Chambers (matt-chambers) wrote :

root@ripley:/var/www# dpkg -l | grep php
ii libapache2-mod-php5 5.3.2-1ubuntu4.2 server-side, HTML-embedded scripting languag
ii php5-common 5.3.2-1ubuntu4.2 Common files for packages built from the php
ii php5-mysql 5.3.2-1ubuntu4.2 MySQL module for php5
ii php5-xdebug 2.0.5-1ubuntu1 Xdebug Module for PHP 5

Revision history for this message
Matthew Chambers (matt-chambers) wrote :

This is actually a problem with xdebug it appears:

(gdb) bt
#0 0x00007f2c59235022 in ?? () from /lib/libc.so.6
#1 0x00000000005f9e59 in php_addcslashes (str=0x3c0656d988681c07 <Address 0x3c0656d988681c07 out of bounds>, length=0, new_length=0x0, should_free=1, what=0x7f2c581cdaea "'\\", wlength=6)
    at /build/buildd/php5-5.3.2/ext/standard/string.c:3121
#2 0x00007f2c581c1acb in xdebug_var_export (struc=0x7fff8205e3b8, str=0x7fff8205e3c0, level=1, debug_zval=0, options=0x1585090) at /build/buildd/xdebug-2.0.5/build-php5/xdebug_var.c:283
#3 0x00007f2c581c1f8e in xdebug_get_zval_value (val=0x155bd10, debug_zval=0, options=0x1585090) at /build/buildd/xdebug-2.0.5/build-php5/xdebug_var.c:365
#4 0x00007f2c581a727e in add_stack_frame (zdata=0x7f2c5bdbb068, op_array=0x155d238, type=2) at /build/buildd/xdebug-2.0.5/build-php5/xdebug.c:1081
#5 0x00007f2c581a8984 in xdebug_execute (op_array=0x155d238) at /build/buildd/xdebug-2.0.5/build-php5/xdebug.c:1512
#6 0x00000000006d165c in ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER (execute_data=0x7f2c5bdbb068) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:8576
#7 0x00000000006bd400 in execute (op_array=0x155c710) at /build/buildd/php5-5.3.2/Zend/zend_vm_execute.h:104
#8 0x00007f2c581a8b9e in xdebug_execute (op_array=0x155c710) at /build/buildd/xdebug-2.0.5/build-php5/xdebug.c:1562
#9 0x000000000069512d in zend_execute_scripts (type=0, retval=0x7fff8205e920, file_count=3) at /build/buildd/php5-5.3.2/Zend/zend.c:1266
#10 0x0000000000640d98 in php_execute_script (primary_file=0x2) at /build/buildd/php5-5.3.2/main/main.c:2288
#11 0x0000000000726236 in main (argc=0, argv=0x1) at /build/buildd/php5-5.3.2/sapi/cli/php_cli.c:1196

Thierry Carrez (ttx)
Changed in php5 (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Matthew Chambers (matt-chambers) wrote :

xdebug built from latest SVN snapshot does not have this issue. http://bugs.xdebug.org/view.php?id=586

Ubuntu is using the latest stable version already. Hopefully a new stable release is made soon.

Revision history for this message
Chuck Short (zulcss) wrote :

This should be fixed in natty please re-open if you cant reproduce it there.

chuck

Changed in php5 (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.