Bug #22283 fopen causes core dump
Submitted: 2003-02-18 15:51 UTC
Modified: 2003-02-18 18:50 UTC
From: pprocacci at datapipe dot com
Assigned: iliaa (profile)
Status: Closed
Package: Reproducible crash
PHP Version: 4.3.0 5.0-dev
OS: FreeBSD4.7-Stable
Private report: No
CVE-ID: None
 [2003-02-18 15:51 UTC] pprocacci at datapipe dot com
PHP Version => 4.3.0

System => FreeBSD lucky 4.7-RELEASE-p4 FreeBSD 4.7-RELEASE-p4 #0: Mon  i386
Build Date => Feb 17 2003 01:29:45
Configure Command =>  './configure' '--with-apxs=/usr/local/sbin/apxs' '--with-config-file-path=/usr/local/etc' '--enable-versioning' '--with-regex=system' '--without-gd' '--without-mysql' '--with-gd=/usr/local' '--enable-gd-native-ttf' '--with-freetype-dir=/usr/local' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local' '--with-zlib' '--with-bz2=/usr' '--with-mcrypt=/usr/local' '--with-mhash=/usr/local' '--with-pdflib=/usr/local' '--with-zlib-dir=/usr' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local' '--with-tiff-dir=/usr/local' '--with-imap=/usr/local' '--with-mysql=/usr/local' '--with-pgsql=/usr/local' '--with-dbase' '--with-gdbm=/usr/local' '--with-ldap=/usr/local' '--with-openssl=/usr' '--with-snmp=/usr/local' '--enable-ucd-snmp-hack' '--with-openssl=/usr' '--with-expat-dir=/usr/local' '--with-xmlrpc' '--enable-xslt' '--with-xslt-sablot=/usr/local' '--enable-wddx' '--with-dom=/usr/local' '--enable-ftp' '--with-curl=/usr/local' '--with-gettext=/usr/local' '--with-iconv=/usr/local' '--with-pspell=/usr/local' '--enable-mbregex' '--enable-mbstring' '--enable-yp' '--enable-bcmath' '--with-hyperwave=yes' '--with-mcve=/usr/local' '--with-ming=/usr/local' '--with-mcal=/usr/local' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-trans-sid' '--with-yaz=/usr/local/bin' '--prefix=/usr/local' 'i386-portbld-freebsd4.7'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/etc
PHP API => 20020918
PHP Extension => 20020429
Zend Extension => 20021010
Debug Build => no
Thread Safety => disabled
Registered PHP Streams => php, http, ftp, https, ftps, compress.bzip2, compress.zlib  


I know this sounds ridiculous, but the following dumps core:

#!/usr/local/bin/php
<?php

$fp = fopen("http://xanthus.net", "r");

if(!is_resource($fp))
        die("Couldn't open xanthus.net\n");


fclose($fp);

?>

#######################
while this one doesn't
#######################

#!/usr/local/bin/php
<?php

$fp = fopen("http://php.net", "r");

if(!is_resource($fp))
        die("Couldn't open php.net\n");


fclose($fp);

?>

############################
There seems to be a problem with the way php handles redirects.  That page "xanthus.net" gets redirected to elsewhere, while php.net doesn't (or at least I think this is the reason.)

 [2003-02-18 16:03 UTC] pprocacci at datapipe dot com
My knowledge of gdb is very limited, but I can get this far.  ;(

Program received signal SIGSEGV, Segmentation fault.
0x819f13d in php_stream_url_wrap_http ()
 [2003-02-18 16:03 UTC] magnus@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

And if it still is crashing, please provide a backtrace.
 [2003-02-18 16:10 UTC] magnus@php.net
Backtrace with current head using Linux:

#0  0x40118543 in strlen () from /lib/libc.so.6
No symbol table info available.
#1  0x08100482 in php_stream_url_wrap_http (wrapper=0x401e2c6c, path=0x401e2d98 "r", 
    mode=0xc <Address 0xc out of bounds>, options=0, opened_path=0x0, context=0x0, 
    __php_stream_call_depth=135947776, __zend_filename=0x565 <Address 0x565 out of bounds>, 
    __zend_lineno=0, __zend_orig_filename=0x0, __zend_orig_lineno=3221213880)
    at /php/php/php5/ext/standard/http_fopen_wrapper.c:352
        entry = (struct _zval_struct *) 0x0
        entryp = (struct _zval_struct **) 0x0
        new_path = '\0' <repeats 268 times>, "\016?\020@\220???\202 \035@\035", '\0' <repeats 19 times>, "T\224\034@\0\0\0\0????\230????\211\016@?????v\e\b", '\0' <repeats 52 times>, "????\0\0\0\0x?????\016@", '\0' <repeats 250 times>, "s \0\0\0\0????????", '\0' <repeats 36 times>, "\226w\e\b", '\0' <repeats 20 times>, "?v\e\b????\002\0\0\0\002\0\0\0????x???\0\0\0\0?v\e\b%\0\0\0????", '\0' <repeats 104 times>, "?v\e\b", '\0' <repeats 56 times>, "\027"...
        loc_path = '\0' <repeats 1023 times>
        stream = (struct _php_stream *) 0x81f86d0
        resource = (struct php_url *) 0x401e2c6c
        use_ssl = 0
        scratch = 0xffffffff <Address 0xffffffff out of bounds>
        tmp = 0x8177bba "\211E?\213E???U\211?\203?(\213E\020\211E?\203}\f"
        ua_str = 0xbfffd258 "????-?\v\bl,\036@\230-\036@\f"
        ua_zval = (struct _zval_struct **) 0x81daf8c
        scratch_len = 1381
        body = 135947776
        location = '\0' <repeats 628 times>, "?\206\0@\025?\n@\025?\n@\0\0\0\0\0\0\0\0 \0\0\0Z\b\0@?\005\0@\030\002\0@?1\001@\b\0\0\0\024\034\005@?4\001@?\032\005@g?\n@????vv\0@g?\n@?(?\0p.\n@`???p8\001@T\224\034@ ?\034@\0\0\0\0\001\0\0\0\0\0\0\0S?\026\b\0\0\0\024\030{\f@\0\0\0\004", '\0' <repeats 20 times>, "?\207\0@\nv\005\b\0\031\005@\0\0\0\0?4\001@`???\024?\b@\200????\206\0@\0\0\0\0??\020@?????\023\230| 0\001@"...
        response_header = (struct _zval_struct *) 0x72
        reqok = 2
        http_header_line = 0x2 <Address 0x2 out of bounds>
        tmp_line = "??\034@T???D???\0\0\0\0\0\0\0\0\0\035\036@\001\0\0\0\030\e\036@nuke/\0??8???){\027\b\002\0\0\0??\034@T???D???", '\0' <repeats 40 times>, "Q", '\0' <repeats 11 times>, "\002\0\0\0??\034@??\034@"
        chunk_size = 135755752
        file_size = 3221212600
        eol_detect = -1073753232
#2  0x0814d5c5 in _php_stream_open_wrapper_ex (path=0x401e2c6c "http://xanthus.net", 
    mode=0x401e2d98 "r", options=12, opened_path=0x0, context=0x0, __php_stream_call_depth=0, 
    __zend_filename=0x81a6600 "/php/php/php5/ext/standard/file.c", __zend_lineno=1381, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /php/php/php5/main/streams/streams.c:1500
        stream = (struct _php_stream *) 0x0
        wrapper = (struct _php_stream_wrapper *) 0x81f86d0
        path_to_open = 0x401e2c6c "http://xanthus.net"
        copy_of_path = 0x0
#3  0x080bc52d in php_if_fopen (ht=2, return_value=0x401e2cfc, this_ptr=0x0, return_value_used=1)
    at /php/php/php5/ext/standard/file.c:1379
        filename = 0x401e2c6c "http://xanthus.net"
        mode = 0x401e2d98 "r"
        filename_len = 18
        mode_len = 1
        use_include_path = 0 '\0'
        zcontext = (struct _zval_struct *) 0x0
        stream = (struct _php_stream *) 0x81ced60
        context = (struct _php_stream_context *) 0x0
#4  0x0818f298 in zend_do_fcall_common_helper (execute_data=0xbfffd3c0, op_array=0x401e1454)
    at /php/php/php5/Zend/zend_execute.c:2609
        original_return_value = (struct _zval_struct **) 0x31d
        current_scope = (struct _zend_class_entry *) 0x0
        current_this = (struct _zval_struct *) 0x0
        return_value_used = 1
        active_namespace = (struct _zend_class_entry *) 0x81e6e4c
#5  0x0818f8ef in zend_do_fcall_handler (execute_data=0xbfffd3c0, op_array=0x401e1454)
    at /php/php/php5/Zend/zend_execute.c:2737
        fname = (struct _zval_struct *) 0x401e16d0
#6  0x0818ab8a in execute (op_array=0x401e1454) at /php/php/php5/Zend/zend_execute.c:1231
        execute_data = {opline = 0x401e16ac, function_state = {function_symbol_table = 0x0, 
    function = 0x8203990, reserved = {0x0, 0x0, 0x401e1454, 0x0}}, fbc = 0x0, fbc_constructor = 0x0, 
  op_array = 0x401e1454, object = 0x0, Ts = 0xbfffd34c, original_in_execution = 0 '\0', 
  calling_scope = 0x0, prev_execute_data = 0x0}
#7  0x08176716 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /php/php/php5/Zend/zend.c:985
        files = 0xbfffd474 ""
        i = 1
        file_handle = (struct _zend_file_handle *) 0xbffff740
        orig_op_array = (struct _zend_op_array *) 0x0
        local_retval = (struct _zval_struct *) 0x0
#8  0x0813cb43 in php_execute_script (primary_file=0xbffff740) at /php/php/php5/main/main.c:1729
        orig_bailout = {{__jmpbuf = {1075614804, 1073819680, -1073743900, -1073743992, -1073744448, 
      135887336}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 32 times>}}}}
        orig_bailout_set = 1 '\001'
        prepend_file_p = (struct _zend_file_handle *) 0x0
        append_file_p = (struct _zend_file_handle *) 0x0
        prepend_file = {type = 1 '\001', filename = 0x82199b0 "STDIN", 
  opened_path = 0x6 <Address 0x6 out of bounds>, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, 
      reader = 0, closer = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 1 '\001', filename = 0x82199f0 "STDOUT", 
  opened_path = 0x7 <Address 0x7 out of bounds>, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, 
      reader = 0x1, closer = 0, interactive = 1}}, free_filename = 7 '\a'}
        old_cwd = 0xbfffd47c ""
        old_primary_file_path = 0xbffff962 "crash.php"
        retval = 0
#9  0x0819829f in main (argc=3, argv=0xbffff7e4) at /php/php/php5/sapi/cli/php_cli.c:885
        orig_bailout = {{__jmpbuf = {0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {
      __val = {0 <repeats 32 times>}}}}
        orig_bailout_set = 0 '\0'
        exit_status = 0
        c = -1
        file_handle = {type = 5 '\005', filename = 0xbfffe490 "/php/php/TEST/crash.php", 
  opened_path = 0x0, handle = {fd = 136419200, fp = 0x8219780, stream = {handle = 0x8219780, 
      reader = 0x8185bb0 <zend_stream_stdio_reader>, closer = 0x8185bd9 <zend_stream_stdio_closer>, 
      interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        no_headers = 1
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0xbffff962 "crash.php"
        arg_excp = (char **) 0xbffff7ec
        script_file = 0xbffff962 "crash.php"
        global_vars = {head = 0x0, tail = 0x0, count = 0, size = 4, dtor = 0, persistent = 0 '\0', 
  traverse_ptr = 0x2f}
        interactive = 0
        module_started = 1
        lineno = 2
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        scan_input = 0
        hide_argv = 0

 [2003-02-18 17:38 UTC] pprocacci at datapipe dot com
Here's my gdb output ..... (Not sure how to use gdb...hopefully my 5 minutes in the man page is useful)


lucky# gdb php
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs
Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf

(gdb) set args ./l_checker.php
(gdb) r
Starting program: /usr/local/bin/php ./l_checker.php

Program received signal SIGSEGV, Segmentation fault.
0x81bd6bd in php_stream_url_wrap_http (wrapper=0x82d06c0, path=0x83adea4 "http://xanthus.net", mode=0x83bc0a4 "r", options=4, opened_path=0x0, context=0x0, 
    __php_stream_call_depth=1, __zend_filename=0x8278080 "/usr/ports/www/mod_php4/work/php-4.3.0/main/streams.c", __zend_lineno=2380, 
    __zend_orig_filename=0x8267840 "/usr/ports/www/mod_php4/work/php-4.3.0/ext/standard/file.c", __zend_orig_lineno=1096)
    at /usr/ports/www/mod_php4/work/php-4.3.0/ext/standard/http_fopen_wrapper.c:351
351     /usr/ports/www/mod_php4/work/php-4.3.0/ext/standard/http_fopen_wrapper.c: No such file or directory.
(gdb) backtrace
#0  0x81bd6bd in php_stream_url_wrap_http (wrapper=0x82d06c0, path=0x83adea4 "http://xanthus.net", mode=0x83bc0a4 "r", options=4, opened_path=0x0, context=0x0, 
    __php_stream_call_depth=1, __zend_filename=0x8278080 "/usr/ports/www/mod_php4/work/php-4.3.0/main/streams.c", __zend_lineno=2380, 
    __zend_orig_filename=0x8267840 "/usr/ports/www/mod_php4/work/php-4.3.0/ext/standard/file.c", __zend_orig_lineno=1096)
    at /usr/ports/www/mod_php4/work/php-4.3.0/ext/standard/http_fopen_wrapper.c:351
#1  0x81f7040 in _php_stream_open_wrapper_ex (path=0x83adea4 "http://xanthus.net", mode=0x83bc0a4 "r", options=12, opened_path=0x0, context=0x0, __php_stream_call_depth=0, 
    __zend_filename=0x8267840 "/usr/ports/www/mod_php4/work/php-4.3.0/ext/standard/file.c", __zend_lineno=1096, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/ports/www/mod_php4/work/php-4.3.0/main/streams.c:2378
#2  0x818142b in php_if_fopen (ht=2, return_value=0x83bc124, this_ptr=0x0, return_value_used=1) at /usr/ports/www/mod_php4/work/php-4.3.0/ext/standard/file.c:1094
#3  0x822b4c8 in execute (op_array=0x83b0824) at /usr/ports/www/mod_php4/work/php-4.3.0/Zend/zend_execute.c:1598
#4  0x8216ec8 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/ports/www/mod_php4/work/php-4.3.0/Zend/zend.c:864
#5  0x81eae7a in php_execute_script (primary_file=0xbfbffb74) at /usr/ports/www/mod_php4/work/php-4.3.0/main/main.c:1573
#6  0x8233b8a in main (argc=2, argv=0xbfbffbdc) at /usr/ports/www/mod_php4/work/php-4.3.0/sapi/cli/php_cli.c:746
#7  0x8080c45 in _start ()
 [2003-02-18 18:50 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 