Bug #43092 curl_copy_handle() crashes with > 32 chars long URL
Submitted: 2007-10-24 03:55 UTC Modified: 2007-11-16 14:21 UTC
From: ezyang@php.net Assigned:
Status: Closed Package: cURL related
PHP Version: 5.2CVS-2007-10-24 (snap) OS: Windows Vista
Private report: No CVE-ID: None
 [2007-10-24 03:55 UTC] ezyang@php.net
Description:
------------
I don't know what to make of this behavior. When CURL creates a handle with 32 characters or more to the local filesystem, duplicates it, and then PHP attempts to create a new object while passing in a parameter that is an array of values, PHP crashes. I could only produce this behavior on Windows Vista.

Reproduce code:
---------------
<?php
// for Windows Vista, PHP 5.2.4
class foo { function __construct($var) {} }
// Duplicate a handle whose URL is 32 characters or longer; the handle
// returned by curl_init() is a temporary and is released right away.
curl_copy_handle(curl_init('12345678901234567890123456789012')); // 32 or longer
// Constructing an object with an array argument after the copy triggers the crash.
new foo(array('foo'));
echo 'Yay!';

Expected result:
----------------
Output of 'Yay!'

Actual result:
--------------
PHP aborts prematurely
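
The sequence from the report, turned into a regression check that walks several URL lengths around the 32-character threshold. This is an added example, not code from the original report or from PHP itself; it assumes a CLI PHP build with the curl extension loaded, and the URL prefix and lengths are constructed values.

```php
<?php
// Added regression check for this report (not code from the original post or
// from PHP itself). Assumes a CLI PHP build with the curl extension loaded.
// It repeats the sequence from the report for several URL lengths around the
// 32-character threshold: duplicate a handle whose original is a temporary,
// construct an object with an array argument, then confirm the copy still
// carries the URL it was duplicated from.

class Foo { function __construct($var) {} }

function copy_and_check(string $url): string {
    // The handle from curl_init() is a temporary, exactly as in the report,
    // so it is released as soon as curl_copy_handle() returns.
    $copy = curl_copy_handle(curl_init($url));
    if ($copy === false) {
        throw new RuntimeException('curl_copy_handle() failed at length ' . strlen($url));
    }
    // Same allocator activity as the report's "new foo(array('foo'))".
    new Foo(array('foo'));
    // CURLOPT_URL is recorded as the effective URL before any transfer runs,
    // so the copy must report exactly the string it was created with.
    return (string) curl_getinfo($copy, CURLINFO_EFFECTIVE_URL);
}

function run_regression(array $lengths): array {
    $failures = array();
    foreach ($lengths as $len) {
        // Constructed URL padded to the exact length; nothing is ever fetched.
        $url = str_pad('http://localhost/', $len, 'x');
        $got = copy_and_check($url);
        if ($got !== $url) {
            $failures[$len] = $got;
        }
    }
    return $failures;
}

// Lengths just below, at and well above the threshold named in the title.
$failures = run_regression(array(31, 32, 33, 64, 256));
foreach ($failures as $len => $got) {
    fwrite(STDERR, "length $len: copy reports '$got'\n");
}
if ($failures) {
    exit(1);
}
echo "Yay! curl_copy_handle() kept the URL at every length tested\n";
```

A crash like the one reported terminates the process before the final echo, so the pass condition is simply that the script reaches its last line with an empty failure list.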

 [2007-10-24 22:33 UTC] ezyang@php.net
Tested it on 5.2-dev and 6.0-dev snapshots; the incorrect behavior is the same on both.
 [2007-11-12 21:19 UTC] ezyang@php.net
I'm not sure if I did this correctly, but here goes. Crash analysis using Debug Diagnostic on a PHP 5.3 snap:

Thread 0 - System ID 5952
Entry point   php+2c12
Create time   11/12/2007 4:15:46 PM
Time spent in user mode   0 Days 0:0:0.15
Time spent in kernel mode   0 Days 0:0:0.140

Function     Arg 1     Arg 2     Arg 3   Source
php5ts!zend_mm_shutdown+139     00000030     00000027     100a07c8
php5ts!emalloc+36     00000000     00000000     00000000

PHP5TS!ZEND_MM_SHUTDOWN+139
WARNING - DebugDiag was not able to locate debug symbols for php5ts.dll, so the information below may be incomplete.

In php__PID__4492__Date__11_12_2007__Time_04_15_56PM__383__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!zend_mm_shutdown+139 in C:\Software\PHP\versions\5.3.0-dev\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000010 on thread 0
 [2007-11-12 21:24 UTC] ezyang@php.net
It looks like the debug symbols weren't loaded. Here's an updated version, also with a cleaner configuration:

Thread 0 - System ID 5576
Entry point   php!mainCRTStartup
Create time   11/12/2007 4:22:10 PM
Time spent in user mode   0 Days 0:0:0.15
Time spent in kernel mode   0 Days 0:0:0.15

Function     Arg 1     Arg 2     Arg 3   Source
php5ts!_zend_mm_alloc_int+49     00000030     00000027     100a07c8
php5ts!_emalloc+36     00000027     0190fe28     01911328
php5ts!_zend_hash_quick_add_or_update+208     00000006     01911288     00000004
php5ts!ZEND_RECV_SPEC_HANDLER+76a     00c0fb2c     003e2950     0190fda0
php5ts!execute+1b7     019111f0     003e2950     0190dcdd
php5ts!zend_do_fcall_common_helper_SPEC+95b     00c0fc1c     003e2950     1001e207
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     00c0fbd0     003e2950     003e2950
php5ts!execute+1b7     0190dd70     003e2950     00000000
php5ts!zend_execute_scripts+107     00000008     003e2950     00000000
php5ts!php_execute_script+20d     00c0fea8     003e2950     00000000
php!main+c0e     00000005     003e28c8     003e1948
php!mainCRTStartup+e3     7ffdf000     00c0ffec     7796a9bd
kernel32!BaseThreadInitThunk+e     7ffdf000     00c0b59e     00000000
ntdll!_RtlUserThreadStart+23     00402c12     7ffdf000     00000000

PHP5TS!_ZEND_MM_ALLOC_INT+49
In php__PID__1000__Date__11_12_2007__Time_04_22_20PM__712__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!_zend_mm_alloc_int+49 in C:\Software\PHP\versions\5.3.0-dev\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000010 on thread 0
 [2007-11-16 14:21 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 