Bug #30027 segmentation fault in ftp_get/memchr()
Submitted: 2004-09-08 17:00 UTC    Modified: 2004-10-06 01:55 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: sbrown at truckstuffusa dot com    Assigned: (none)
Status: Closed    Package: FTP related
PHP Version: 4.3.8    OS: Redhat 9
Private report: No    CVE-ID: None
 [2004-09-08 17:00 UTC] sbrown at truckstuffusa dot com
Description:
------------
I'm using PHP 4.3.8 in CLI on a Redhat 9 server.  I am using the FTP functions to back up some files via FTP.  The script connects to a server via FTP, downloads some files and tars them up.  I'm getting an intermittent segfault during the download process.  By "intermittent", I mean that the fault does not occur every time, nor does it occur after downloading the same file every time.  I am connecting to a Windows-based host, if that matters.  I have been able to reproduce this crash on two different systems:

================================
System 1:
Redhat 9
PHP 4.3.8 compiled as Apache2 module
SMP-based system
Config.nice: './configure' \
'--with-mysql' \
'--with-apxs2=/pub/apache/bin/apxs' \
'--with-mcrypt=/usr/local/lib' \
'--with-curl=/usr/local' \
'--enable-ftp' \
'--with-imap=/usr/local/imap' \
'--with-jpeg' \
'--with-jpeg-dir=/usr/local/lib' \
'--with-png' \
'--with-png-dir=/usr/local/lib' \
'--with-zlib-dir=/usr/local/lib' \
'--with-gd' \
'--with-freetype' \
'--with-freetype-dir=/usr/local/lib' \
'--with-ttf' \
'--enable-debug' \
"$@"

=====================================

System 2:
Redhat 9
PHP 4.3.8 compiled as Apache2 module
Single CPU
Config.nice: './configure' \
'--with-mysql' \
'--with-apxs2=/pub/apache/bin/apxs' \
'--enable-ftp' \
'--enable-debug' \
"$@"
==========================

When this fault occurs, both systems produce identical backtraces:


Program received signal SIGSEGV, Segmentation fault.
0x4207bb01 in memchr () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4207bb01 in memchr () from /lib/tls/libc.so.6
#1  0x0807ebb0 in ftp_get (ftp=0x8366c4c, outstream=0x83a22f4, path=0x839bcb4 "/x-stuff/ssl/reconcilepo.php", type=FTPTYPE_ASCII, resumepos=0)
    at /usr/local/src/php-4.3.8/ext/ftp/ftp.c:730
#2  0x0807bf69 in zif_ftp_get (ht=4, return_value=0x839da54, this_ptr=0x0, return_value_used=1) at /usr/local/src/php-4.3.8/ext/ftp/php_ftp.c:637
#3  0x081ecfb0 in execute (op_array=0x836c920) at /usr/local/src/php-4.3.8/Zend/zend_execute.c:1635
#4  0x081ed22b in execute (op_array=0x836d648) at /usr/local/src/php-4.3.8/Zend/zend_execute.c:1679
#5  0x081ed22b in execute (op_array=0x8366b74) at /usr/local/src/php-4.3.8/Zend/zend_execute.c:1679
#6  0x081d9783 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-4.3.8/Zend/zend.c:891
#7  0x0819e9b7 in php_execute_script (primary_file=0xbffffad0) at /usr/local/src/php-4.3.8/main/main.c:1734
#8  0x081f3e3d in main (argc=2, argv=0xbffffb64) at /usr/local/src/php-4.3.8/sapi/cli/php_cli.c:822

 [2004-09-08 17:37 UTC] rasmus@php.net
In gdb for that core, could you type:
  up
  p s
  p ptr
  p e
and add the output to this bug please.
 [2004-09-08 18:10 UTC] sbrown at truckstuffusa dot com
Program received signal SIGSEGV, Segmentation fault.
0x4207bae0 in memchr () from /lib/tls/libc.so.6
(gdb) up
#1  0x0807ebb0 in ftp_get (ftp=0x8366c4c, outstream=0x83a0fdc, path=0x83991cc "/x-stuff/mir_libraries/lib-htmlMimeMail.php", type=FTPTYPE_ASCII, resumepos=0)
    at /usr/local/src/php-4.3.8/ext/ftp/ftp.c:730
730                             while ((s = memchr(ptr, '\r', (e - ptr)))) {
(gdb) p s
$1 = 0x83a0ea9 "\r:\b?\016:\b\f"
(gdb) p ptr
$2 = 0x83a0eaa ":\b?\016:\b\f"
(gdb) p e
$3 = 0x838be9c "\n\t\t\t\t\t$content_type = $this->image_types[strtolower($ext)];\r\n\t\t\t\t\t$this->addHtmlImage($image, basename($html_images[$i]), $content_type);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\r\n/**\r\n* Adds an image to the list of e"...
(gdb)
 [2004-09-08 18:11 UTC] sbrown at truckstuffusa dot com
And just in case, here's the bt:

(gdb) bt
#0  0x4207bae0 in memchr () from /lib/tls/libc.so.6
#1  0x0807ebb0 in ftp_get (ftp=0x8366c4c, outstream=0x83a0fdc, path=0x83991cc "/x-stuff/mir_libraries/lib-htmlMimeMail.php", type=FTPTYPE_ASCII, resumepos=0)
    at /usr/local/src/php-4.3.8/ext/ftp/ftp.c:730
#2  0x0807bf69 in zif_ftp_get (ht=4, return_value=0x83a0f9c, this_ptr=0x0, return_value_used=1) at /usr/local/src/php-4.3.8/ext/ftp/php_ftp.c:637
#3  0x081ecfb0 in execute (op_array=0x836c920) at /usr/local/src/php-4.3.8/Zend/zend_execute.c:1635
#4  0x081ed22b in execute (op_array=0x836d648) at /usr/local/src/php-4.3.8/Zend/zend_execute.c:1679
#5  0x081ed22b in execute (op_array=0x8366b74) at /usr/local/src/php-4.3.8/Zend/zend_execute.c:1679
#6  0x081d9783 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-4.3.8/Zend/zend.c:891
#7  0x0819e9b7 in php_execute_script (primary_file=0xbffffad0) at /usr/local/src/php-4.3.8/main/main.c:1734
#8  0x081f3e3d in main (argc=2, argv=0xbffffb64) at /usr/local/src/php-4.3.8/sapi/cli/php_cli.c:822
(gdb)
 [2004-09-16 10:48 UTC] sniper@php.net
Get the latest stable CVS snapshot of PHP 4 and configure it with this line:

# ./configure --disable-all --enable-ftp --enable-debug

Run your script on the command line instead and try to generate the gdb backtrace with it.

 [2004-09-17 16:25 UTC] sbrown at truckstuffusa dot com
Downloaded CVS last night, still get the seg fault:

# php --version
PHP 4.3.9RC4-dev (cgi) (built: Sep 17 2004 09:19:39) (DEBUG)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

# gdb php
(gdb) run script-backup
Starting program: /usr/local/bin/php script-backup
...
 
Program received signal SIGSEGV, Segmentation fault.
0x4207bb01 in memchr () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4207bb01 in memchr () from /lib/tls/libc.so.6
#1  0x0805eaa8 in ftp_get (ftp=0x81828ac, outstream=0x81a6afc, path=0x81a6604 "/x-stuff/php/dashboard_projectmgmt.php", type=FTPTYPE_ASCII, resumepos=0)
    at /usr/local/src/php-src/ext/ftp/ftp.c:730
#2  0x0805c141 in zif_ftp_get (ht=4, return_value=0x81a6184, this_ptr=0x0, return_value_used=1) at /usr/local/src/php-src/ext/ftp/php_ftp.c:637
#3  0x0811cb8f in execute (op_array=0x81885b8) at /usr/local/src/php-src/Zend/zend_execute.c:1640
#4  0x0811cdbb in execute (op_array=0x8189310) at /usr/local/src/php-src/Zend/zend_execute.c:1684
#5  0x0811cdbb in execute (op_array=0x81827d4) at /usr/local/src/php-src/Zend/zend_execute.c:1684
#6  0x0810ac19 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-src/Zend/zend.c:891
#7  0x080d6795 in php_execute_script (primary_file=0xbffff0e0) at /usr/local/src/php-src/main/main.c:1735
#8  0x081238cc in main (argc=2, argv=0xbffff184) at /usr/local/src/php-src/sapi/cgi/cgi_main.c:1592
(gdb) up
#1  0x0805eaa8 in ftp_get (ftp=0x81828ac, outstream=0x81a6afc, path=0x81a6604 "/x-stuff/php/dashboard_projectmgmt.php", type=FTPTYPE_ASCII, resumepos=0)
    at /usr/local/src/php-src/ext/ftp/ftp.c:730
730                             while ((s = memchr(ptr, '\r', (e - ptr)))) {
(gdb) p s
$1 = 0x81a6e57 "\n var contacts_win = "
(gdb) p ptr
$2 = 0x81a6e58 " var contacts_win = "
(gdb) p e
$3 = 0x81a6c4a "\n<tcus();\r\n}\r\n-->\r\n</script>\r\n<?\r\nif (isset($_GET['publisher']))\r\n   echo '<form name=\"frm_deleteprj\" action=\"'.$_SERVER['PHP_SELF'].'?publisher='.$publisher.'\" method=POST>';\r\n elseif (isset($_GET['s"...
(gdb)
 [2004-09-21 23:31 UTC] cfield at affinitysolutions dot com
I have the same problem on an SMP Redhat 9 system. I can get it to stop the segmentation faults by adding "((e-ptr)>0) &&" to the while loop condition on line 732 of ftp.c; however, now I am getting sporadic extra newlines (always in the same places in the file; see below for line numbers etc.). However, if I slowly step through the interaction it does not put the extra new line in....

line number	written bytes	total bytes
504	126475	126475
689	46333	172808
2589	474698	647506
3088	105999	753505
3766	145320	898825
5005	304503	1203328
5163	40804	1244132
5221	12232	1256364
5587	91208	1347572
7454	424119	1771691
7790	80126	1851817
10501	686879	2538696
10680	42243	2580939
12103	361663	2942602
13382	311479	3254081
13921	137267	3391348
16803	724748	4116096
18468	414953	4531049
18654	43412	4574461
18934	63798	4638259
18988	13696	4651955
20429	349357	5001312
21981	390490	5391802
25524	906947	6298749
27445	448641	6747390
29239	497920	7245310
30083	220342	7465652
30274	46327	7511979
31340	270732	7782711
32882	353352	8136063
33421	123803	8259866
34365	224338	8484204
36254	449849	8934053
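The loop under discussion, as an added example that is not part of this report or of PHP's own ext/ftp code: a bounds-safe ASCII-mode CRLF translator that never peeks past the end of the received buffer and carries a trailing '\r' over to the next read, so neither the wrapped (e - ptr) length nor the spurious extra newline can occur. The function names, the chunking interface and the sample chunks are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Converts one received chunk of FTP ASCII-mode data (CRLF line endings)
 * to local '\n'.  The loop in Bug #30027 read *(s + 1) past the end of the
 * chunk and could move ptr beyond e, so (e - ptr) wrapped to a huge size_t
 * and memchr() scanned until it faulted.  This version never reads past e:
 * a '\r' that is the last byte of a chunk is deferred through *pending_cr
 * until the next chunk shows whether a '\n' follows it.  Call once more
 * with len == 0 after the last chunk to flush a deferred '\r'.
 * out must hold len + 1 bytes; returns the number of bytes written. */
size_t ascii_to_local(const char *in, size_t len, char *out, int *pending_cr)
{
    const char *ptr = in, *e = in + len, *s;
    size_t n = 0;

    if (*pending_cr) {                 /* '\r' carried over from last chunk */
        *pending_cr = 0;
        out[n++] = '\n';               /* lone '\r' and "\r\n" both -> '\n' */
        if (ptr < e && *ptr == '\n')
            ptr++;
    }
    while (ptr < e && (s = memchr(ptr, '\r', (size_t)(e - ptr))) != NULL) {
        memcpy(out + n, ptr, (size_t)(s - ptr));
        n += (size_t)(s - ptr);
        if (s + 1 == e) {              /* '\r' is the final byte: defer it */
            *pending_cr = 1;
            return n;
        }
        if (s[1] == '\n')              /* safe peek: s + 1 < e here */
            s++;
        out[n++] = '\n';
        ptr = s + 1;
    }
    memcpy(out + n, ptr, (size_t)(e - ptr));
    return n + (size_t)(e - ptr);
}

/* Constructed sample: a CRLF pair split across two chunks, a bare '\r', and
 * a '\r' ending the transfer.  Returns 1 if the output is as expected. */
int demo_check(void)
{
    const char c1[] = "ab\r\ncd\r", c2[] = "\nef\rg\r";   /* constructed */
    char out[32];
    int cr = 0;
    size_t n = ascii_to_local(c1, sizeof c1 - 1, out, &cr);
    n += ascii_to_local(c2, sizeof c2 - 1, out + n, &cr);
    n += ascii_to_local("", 0, out + n, &cr);            /* end of transfer */
    return n == 11 && cr == 0 && memcmp(out, "ab\ncd\nef\ng\n", 11) == 0;
}
```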
 [2004-10-05 14:49 UTC] cfield at affinitysolutions dot com
The following patch fixes this bug (also available at http://beta.affinitysolutions.com/bug30027.patch):

Index: ext/ftp/ftp.c
===================================================================
RCS file: /repository/php-src/ext/ftp/ftp.c,v
retrieving revision 1.68.2.17
diff -u -r1.68.2.17 ftp.c
--- ext/ftp/ftp.c       31 Mar 2004 20:44:04 -0000      1.68.2.17
+++ ext/ftp/ftp.c       5 Oct 2004 12:41:18 -0000
@@ -727,12 +727,12 @@
                                ptr = s;
                        }
 #else
-                       while ((s = memchr(ptr, '\r', (e - ptr)))) {
+                       while ((e>ptr) && (s = memchr(ptr, '\r', (e - ptr)))) {
                                php_stream_write(outstream, ptr, (s - ptr));
                                if (*(s + 1) == '\n') {
                                        s++;
+                                       php_stream_putc(outstream, '\n');
                                }
-                               php_stream_putc(outstream, '\n');
                                ptr = s + 1;
                        }
 #endif
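Review bot: moving `php_stream_putc(outstream, '\n');` inside the `if (*(s + 1) == '\n')` block changes how a bare '\r' is translated: before the patch a lone '\r' was written out as '\n', after it the byte is skipped entirely (`ptr = s + 1;` steps over it and nothing is written), so files with CR-only line endings lose their line breaks. The `(e>ptr)` guard does stop memchr() from being called with a negative, size_t-wrapped length, but `*(s + 1)` is still read without checking `s + 1 < e`, so a '\r' that is the last byte of the received buffer still reads one byte past the data, and a CRLF pair split across two reads is not handled; suggest guarding the peek with `s + 1 < e` and carrying a trailing '\r' over to the next buffer.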
 [2004-10-05 15:50 UTC] sbrown at truckstuffusa dot com
A comment on cfield at affinitysolutions dot com's patch:  He sent this patch to me and I applied it to both CVS and php 4.3.8.  The patch seemed to resolve the segmentation fault without adding extra line breaks to the files; however, gdb would throw some weird errors when the script was finished executing.  I'm wondering if someone else can interpret these results from gdb (or if this isn't anything to worry about):

warning: Unexpected waitpid result 000000 when waiting for vfork-done
[tcsetpgrp failed in terminal_inferior: Operation not permitted]
ptrace: No such process.
Cannot remove breakpoints because program is no longer writable.
It might be running in another process.
Further execution is probably impossible.
0x420ac7a8 in vfork () from /lib/tls/libc.so.6
 [2004-10-06 01:55 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Last updated: Thu Nov 21 09:01:32 2024 UTC