[issue1006] digest is down; suggestions welcome
Dionysus Blazakis
dion.blazakis at gmail.com
Wed May 14 11:50:41 PDT 2008
It seems there was an off-by-one error in the strspn code in our libc.
The buffer was a byte too small and resulted in overwriting the saved
ebx which was the offset to the GOT -- but only if strspn was used
with a \xff in the second string.
I have a patch here:
http://dblaz.beevomit.org/dfly/strspn.patch
I've verified it fixes the PHP problem. Also, I tested it against a
small program that called strspn with a \xff in the second string and
verified that ebx was correctly restored (unlike prior to the patch).
-- Dion
On Wed, May 14, 2008 at 2:32 PM, Joerg Sonnenberger
<joerg at britannica.bec.de> wrote:
> On Wed, May 14, 2008 at 11:30:19AM -0400, Justin C. Sherrill wrote:
>> Antonio Huete Jimenez wrote:
>>> Antonio Huete Jimenez <tuxillo at quantumachine.net> added the comment:
>>>
>>> What about the commits between 1.12.1 and 1.12.2 related with threading lib?
>>
>> I'm still using the same threading library in both cases - libc_r.
>
> I've been seeing random PHP segfaults lately in the module init code.
> That's a standalone PHP using FastCGI.
>
> Joerg
>
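The off-by-one described above, illustrated with an added example that is not the patch or DragonFly's libc code: it assumes the undersized buffer was a per-byte lookup table expanded from the accept string (the thread only says it was a byte too small and that `\xff` in the second argument was the trigger), and shows the correctly sized table alongside a cross-check against the platform strspn.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A table-driven strspn. The accept set is expanded into one flag per
 * possible byte value. There are UCHAR_MAX + 1 == 256 byte values, so the
 * table needs 256 slots: a 255-slot table is exactly one byte too small,
 * and the only byte that indexes the missing slot is 0xff. With an
 * undersized table, marking '\xff' writes one byte past its end, which is
 * how a neighbouring saved register on the stack can be clobbered. */
size_t table_strspn(const char *s, const char *accept)
{
    bool in_set[UCHAR_MAX + 1] = { false };   /* 256 entries, not 255 */
    const unsigned char *p;

    /* Index through unsigned char: with a signed plain char, '\xff' is -1
     * and would index before the table instead of at slot 255. */
    for (p = (const unsigned char *)accept; *p != '\0'; p++)
        in_set[*p] = true;

    for (p = (const unsigned char *)s; *p != '\0'; p++)
        if (!in_set[*p])
            break;
    return (size_t)(p - (const unsigned char *)s);
}

/* Cross-check against the platform strspn on constructed inputs that put
 * 0xff in the accept string, the case the thread identifies as the trigger.
 * Returns 1 when every case agrees, 0 otherwise. */
int strspn_ff_selfcheck(void)
{
    static const struct { const char *s, *accept; } cases[] = {
        { "\xff\xff" "abc", "\xff" },   /* split literals: "\xffabc" is one escape */
        { "abc\xff", "\xff" },
        { "\xff" "abc", "abc\xff" },
        { "", "\xff" },
        { "zzz", "" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (table_strspn(cases[i].s, cases[i].accept) !=
            strspn(cases[i].s, cases[i].accept))
            return 0;
    return 1;
}

int main(void)
{
    int ok = strspn_ff_selfcheck();
    printf("strspn 0xff self-check %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```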