[Obelix]

Ok, I don't have much time do a lot of investigation.

Below goes some recursive code. It causes apache.exe to crash when php5 is loaded as a module and php.exe to crash if the latter is run as a cgi executable.

I find that the problem is in the recursion itself, though other recursive code goes well. Can anybody help?

PHP Code:

    function DigCondition() {
        static $i=0;
        
        $start = 0;
        
        // DEBUG
        static $instance;
        $instance ++;
                // END DEBUG */
        
        for($i;$i<count($this->tpl_arr);$i++) {
            if(preg_match("/{if ([\s\S]+)}/",trim($this->tpl_arr[$i]),$extracted)) {
                $start = $i;
                
                $this->DigCondition();
                
                if(!$this->CheckCond($extracted[1])) {
                    for($j=$start;$j<=$i;$j++) {
                        $this->tpl_arr[$i]='';
                    }
                }
            }
            
            if(preg_match("/{else}/",trim($this->tpl_arr[$i]))) {
                    
            }
            
            if(preg_match("/{endif}/",trim($this->tpl_arr[$i]))) {
                $this->tpl_arr[$i]='';
                return;
            }
        } //for
    } //DigCondition() 


[Obelix]

I did a couplee of tests. Seems php.exe crashes when thrown into an infinite recursion cycle. Btw, the same happens with 4.x.x .

Can anybody confirm or try that on a linux box?

[acid]

So the problem is to prevent code from running into infinite recursion or to teach php not to crash?

It's kinda hard to test this code, since in my understanding this is a part of some class, where the other member variables and functions are being used. In order to be able to test this code you should provide either the full class with testing part or simplified extraction of problematic part.

[Obelix]

No, actually you don't need the whole class, the following code will end up with an exception.

Code:

<?php
function foo() {
foo();
}

foo();
?>

Actually sending the script into an infinite recursive cycle is not in my interests however I would expect this to be a bug.

[acid]

I won't consider this is as a bug, because the program's stack can't be made of rubber. Stack overflow is a common thing and developer's responsibility is to prevent such situations. Throwing an exception is proper thing in this case, so developer will know that there is potential unsafe place in his code.

Cheers.

[Obelix]

Quote:

Originally Posted by acid

I won't consider this is as a bug, because the program's stack can't be made of rubber. Stack overflow is a common thing and developer's responsibility is to prevent such situations. Throwing an exception is proper thing in this case, so developer will know that there is potential unsafe place in his code.

Cheers.

Now, I don't know how vulnerable can the stack overflow be, however, if it is more vulnerable than something a php script is aught to be able to do there is space for concern.

After all, there are a lot of vulnerable scripts around the web which will let you execute php script on the server, but generally that won't be of much good to the bad guy. But what if the bad guy gets off executing php code resulting in a stack overflow? ...