As reported by SecurityReason on 2006/04/08: http://securityreason.com/achievement_securityalert/35 PHP team, please verify.
So basically this bug is saying if you define a function which infinitely recurses calling itself, then you will have a crash? I would normally take that as a given... Having said that, I can (kind of) see where that might be an issue (on shared hosting systems) but it would only kill one Apache child, and Apache just spawns a new child, so it doesn't cause a DoS. This was discussed on the PHP list a while back, and they don't currently have a way to catch this type of segfault, but I believe they are working on it.
Closing this, since this was already discussed a while back on the php-dev ml ( http://marc.theaimsgroup.com/?l=php-dev&m=114086091014548&w=2 ), and no real outcome was reached there. I have now contacted upstream, and they told me that "There is not going to be any patch for stack overflows in PHP, you can bump up the size of the stack, but that only means you need more iterations to trigger the crash." So basically this will remain as it is now and no fix is planned for now. The only "workaround" is to increase the memory_limit in php.ini, but that would only make this take longer to happen; it would happen exactly the same anyway, so we'll keep the actual default of 8MB on Gentoo. Just for reference, the Hardened-PHP patch ("hardenedphp" USE flag) and the Xdebug module (dev-php[4,5]/xdebug) have a feature to set the maximum recursion limit, thus helping avoid this if set correctly. Best regards, CHTEKK.