Bug #48774 SIGSEGVs when using curl_copy_handle()
Submitted: 2009-07-02 13:20 UTC Modified: 2009-07-22 14:15 UTC
From: felipe@php.net Assigned: srinatar (profile)
Status: Closed Package: cURL related
PHP Version: 5.3CVS-2009-07-02 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2009-07-02 13:20 UTC] felipe@php.net
Description:
------------
See below.

Reproduce code:
---------------
1?
<?php

$url = "http://localhost/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, array("Hello" => "World"));
curl_setopt($ch, CURLOPT_URL, $url);
$copy = curl_copy_handle($ch);
curl_close($ch);

2?
<?php

$url = "http://localhost/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, array("Hello" => "World"));
curl_setopt($ch, CURLOPT_URL, $url);
$copy = curl_copy_handle($ch);
curl_close($ch);
curl_exec($copy);
curl_close($copy);

Expected result:
----------------
No SIGSEGV.

Actual result:
--------------
1?
*** glibc detected *** sapi/cli/php: double free or corruption (fasttop): 0x0a663260 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb65a81d4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb65aa186]
/usr/local/lib/libcurl.so.4(curl_formfree+0x8a)[0xb74533ca]
sapi/cli/php[0x819c1af]
sapi/cli/php(zend_llist_destroy+0x33)[0x8612f05]
sapi/cli/php(zend_llist_clean+0x11)[0x8612f71]
sapi/cli/php[0x81a0a40]
sapi/cli/php[0x81a0d81]
sapi/cli/php[0x86321e4]
sapi/cli/php(zend_hash_del_key_or_index+0x192)[0x862f5d9]
sapi/cli/php(_zend_list_delete+0xa0)[0x8631df4]
sapi/cli/php(_zval_dtor_func+0x198)[0x861cb28]
sapi/cli/php[0x860cfcc]
sapi/cli/php(_zval_ptr_dtor+0xb8)[0x860d3b1]
sapi/cli/php(_zval_ptr_dtor_wrapper+0x21)[0x861cf08]
sapi/cli/php[0x862fa96]
sapi/cli/php(zend_hash_graceful_reverse_destroy+0x3e)[0x862fc1a]
sapi/cli/php[0x860c5bb]
sapi/cli/php[0x861f79a]
sapi/cli/php(php_request_shutdown+0x682)[0x8590ac0]
sapi/cli/php[0x87035c7]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb654f775]
sapi/cli/php[0x8078a91]


2?
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb631a6f0 (LWP 4050)]
0xb74ef368 in curl_formfree () from /usr/local/lib/libcurl.so.4
Current language:  auto; currently asm
(gdb) bt
#0  0xb74ef368 in curl_formfree () from /usr/local/lib/libcurl.so.4
#1  0xb74ef37c in curl_formfree () from /usr/local/lib/libcurl.so.4
#2  0x0819c1af in curl_free_post (post=0xaa1741c) at /home/felipe/dev/php5/ext/curl/interface.c:1246
#3  0x08612f05 in zend_llist_destroy (l=0xaa17230) at /home/felipe/dev/php5/Zend/zend_llist.c:114
#4  0x08612f71 in zend_llist_clean (l=0xaa17230) at /home/felipe/dev/php5/Zend/zend_llist.c:126
#5  0x081a0a40 in _php_curl_close_ex (ch=0xaa17128, tsrm_ls=0xa7aa4b8) at /home/felipe/dev/php5/ext/curl/interface.c:2302
#6  0x081a0d81 in _php_curl_close (rsrc=0xaa174d8, tsrm_ls=0xa7aa4b8) at /home/felipe/dev/php5/ext/curl/interface.c:2343
#7  0x086321e4 in list_entry_destructor (ptr=0xaa174d8) at /home/felipe/dev/php5/Zend/zend_list.c:184
#8  0x0862f5d9 in zend_hash_del_key_or_index (ht=0xa7ac7d4, arKey=0x0, nKeyLength=0, h=5, flag=1) at /home/felipe/dev/php5/Zend/zend_hash.c:497
#9  0x08631df4 in _zend_list_delete (id=5, tsrm_ls=0xa7aa4b8) at /home/felipe/dev/php5/Zend/zend_list.c:58
#10 0x081a09b5 in zif_curl_close (ht=1, return_value=0xaa16fe8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0xa7aa4b8)
    at /home/felipe/dev/php5/ext/curl/interface.c:2279


 [2009-07-09 16:31 UTC] daniel at haxx dot se
I think it would help the devs if you'd also specify what libcurl version you use (preferably with curl -V or similar to give all the details).
 [2009-07-11 10:12 UTC] sriram dot natarajan at gmail dot com
I was able to reproduce this on RHEL 5, which ships with curl 7.15.5.

And the patch below seems to fix this problem:
--- ext/curl/interface.c.ORIG   2009-07-09 15:24:00.000000000 -0700
+++ ext/curl/interface.c        2009-07-11 03:08:56.000000000 -0700
@@ -1444,9 +1444,13 @@
        zend_llist_copy(&dupch->to_free.str, &ch->to_free.str);
        /* Don't try to free copied strings, they're free'd when the original handle is destroyed */
        dupch->to_free.str.dtor = NULL;
-#endif
+
        zend_llist_copy(&dupch->to_free.slist, &ch->to_free.slist);
+       dupch->to_free.slist.dtor = NULL;
+
        zend_llist_copy(&dupch->to_free.post, &ch->to_free.post);
+       dupch->to_free.post.dtor = NULL;
+#endif
 
        ZEND_REGISTER_RESOURCE(return_value, dupch, le_curl);
        dupch->id = Z_LVAL_P(return_value);
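Review bot: the zend_llist_copy() calls for to_free.slist and to_free.post end up inside the preprocessor conditional now that #endif sits below them, so a build where that condition is false no longer copies these two lists at all; keep both copies outside the conditional unless dropping them there is intended. Separately, setting dupch->to_free.slist.dtor and dupch->to_free.post.dtor to NULL avoids the second free, but the duplicate then only borrows data that, per the comment above the str case, is freed when the original handle is destroyed. Closing the original first therefore leaves the duplicate's lists pointing at released memory. Consider shared ownership of the to_free lists (for example a reference count) or a deep copy, and add a test that closes the original before calling curl_exec() on the copy.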


Need to investigate and possibly add a couple of test cases.
 [2009-07-11 10:54 UTC] sriram dot natarajan at gmail dot com
Here is a better way to read the patches:
http://pastebin.org/1041
 [2009-07-14 09:40 UTC] sriram dot natarajan at gmail dot com
Hi,
Though the above patch does fix the crash reported by the developer, on further investigation this patch is not the right fix.

The issue that is happening is that when the form input data is an array, the constructed form data is not available when executing curl_exec on the cloned handle.
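The ownership problem in this report, shown with reference counting as one way to let either handle be closed first. This is an added illustration, not taken from PHP's source or from the fix committed for this bug; struct handle, struct post_data and the handle_* functions are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: form data shared by a handle and its copies. */
struct post_data { char *body; int refs; };
struct handle { struct post_data *post; };

struct handle *handle_new(const char *body) {
    struct handle *h = malloc(sizeof *h);
    struct post_data *p = malloc(sizeof *p);
    char *b = malloc(strlen(body) + 1);
    if (!h || !p || !b) { free(h); free(p); free(b); return NULL; }
    strcpy(b, body);
    *p = (struct post_data){ .body = b, .refs = 1 };
    h->post = p;
    return h;
}

/* A copy takes a reference instead of borrowing the original's data. */
struct handle *handle_copy(struct handle *src) {
    struct handle *h = malloc(sizeof *h);
    if (!h) return NULL;
    h->post = src->post;
    h->post->refs++;
    return h;
}

/* Returns 1 when this close released the shared data, 0 otherwise. */
int handle_close(struct handle *h) {
    int last = (--h->post->refs == 0);
    if (last) { free(h->post->body); free(h->post); }
    free(h);
    return last;
}

/* Same order as reproduce case 2: close the original, then use the copy. */
int close_original_then_use_copy(void) {
    struct handle *ch = handle_new("Hello=World");
    struct handle *copy = ch ? handle_copy(ch) : NULL;
    if (!copy) { if (ch) handle_close(ch); return 0; }
    int freed_early = handle_close(ch);      /* must not free: copy is live */
    int readable = strcmp(copy->post->body, "Hello=World") == 0;
    int freed_last = handle_close(copy);     /* the single free happens here */
    return !freed_early && readable && freed_last;
}

int main(void) { return close_original_then_use_copy() ? 0 : 1; }
```

With a shared destructor the data would be freed on both closes; with the destructor cleared on the copy, the read after the first close would touch freed memory.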
 [2009-07-18 07:10 UTC] srinatar@php.net
While looking into this bug, I also realized that the test case below is also broken:

less curl_copy_handle_basic_002.phpt 
...
  curl_setopt($ch, CURLOPT_POSTFIELDS, "Hello=World&Foo=Bar&Person=John%20Doe");
  curl_setopt($ch, CURLOPT_URL, $url); //set the url we want to use
  
  $copy = curl_copy_handle($ch);
  curl_close($ch);
...

(currently marked as expected failure...) So, I have filed a separate bug, 48965, to track this separately.
 [2009-07-20 14:54 UTC] jani@php.net
See also bug #48965
 [2009-07-21 20:32 UTC] svn@php.net
Automatic comment from SVN on behalf of srinatar
Revision: http://svn.php.net/viewvc/?view=revision&revision=284557
Log: - Fixed bug #48774 (SIGSEGVs when using curl_copy_handle()).
 [2009-07-21 22:57 UTC] svn@php.net
Automatic comment from SVN on behalf of jani
Revision: http://svn.php.net/viewvc/?view=revision&revision=284567
Log: - Fix badly applied patch (bug #48774)
 [2009-07-22 13:47 UTC] srinatar@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Tue Mar 19 02:01:28 2024 UTC