Bug #14036 Segfault when using multipart form data
Submitted: 2001-11-12 16:29 UTC Modified: 2001-11-18 18:32 UTC
From: hans at clubned dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.0CVS-2001-11-12 OS: Linux 2.2.20 and 2.4.14
Private report: No CVE-ID: None
 [2001-11-12 16:29 UTC] hans at clubned dot com
When submitting a form with enctype multipart/form-data, Apache children segfault. Weird thing is that the problem is not reproducible when compiling PHP with debugging enabled. I have tried PHP-4.0.6 and CVS snapshot php4-200111120600.

Apache compiled with:

EAPI_MM=../mm-1.1.3 \
SSL_BASE=/usr \
./configure \
--with-layout=Apache \
--prefix=/usr/local/apache \
--enable-module=rewrite \
--enable-module=ssl \
--add-module=/root/downloads/mod_gzip.c \
--activate-module=src/modules/php4/libphp4.a

(tried and tested with Apache_1.3.20 and Apache_1.3.22, also tried without mod_gzip)

PHP compiled with:

./configure --with-apache=../apache_1.3.22 --with-mysql=/usr/local/mysql --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr/local --with-curl --with-openssl --with-zlib --enable-track-vars --enable-memory-limit --enable-debug=no

Linux osiris 2.4.14 #1 Thu Nov 8 15:02:47 CET 2001 i686 unknown
also tested and reproducible on linux-2.2.20
tested and reproducible with glibc-2.1.3 (Slackware 7.1) and glibc-2.2.3 (Slackware 8.0)

gdb output:

2 different segmentation faults happening on the same script, occurring at random (sometimes the request succeeds). Crashes are definitely related to multipart form data since removing the enctype from the form in the script makes the segfaults disappear.

Program received signal SIGSEGV, Segmentation fault.
0x4037faf0 in __libc_free (mem=0x8345138) at malloc.c:3055
3055    malloc.c: No such file or directory.
(gdb) bt
#0  0x4037faf0 in __libc_free (mem=0x8345138) at malloc.c:3055
#1  0x40372c0f in _IO_new_fclose (fp=0x8345138) at iofclose.c:87
#2  0x8076f50 in rfc1867_post_handler (content_type_dup=0x833438c "multipart/form-data; boundary=", '-' <repeats 27 times>, "7d187376074e",
    arg=0x832eedc) at rfc1867.c:707
#3  0x8075211 in sapi_handle_post (arg=0x832eedc) at SAPI.c:108
#4  0x8077f35 in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:250
#5  0x807340f in php_hash_environment () at main.c:1097
#6  0x8072b73 in php_request_startup () at main.c:684
#7  0x8106c51 in apache_php_module_main (r=0x8316cf8, display_source_mode=0) at sapi_apache.c:67
#8  0x8070e96 in send_php () at eval.c:88
#9  0x8070ef2 in send_parsed_php () at eval.c:88
#10 0x8167859 in ap_invoke_handler () at eval.c:88
#11 0x817cbcf in process_request_internal () at eval.c:88
#12 0x817cc36 in ap_process_request () at eval.c:88
#13 0x8173a36 in child_main () at eval.c:88
#14 0x8173c15 in make_child () at eval.c:88
#15 0x8173d8c in startup_children () at eval.c:88
#16 0x817441d in standalone_main () at eval.c:88
#17 0x8174c9c in main () at eval.c:88
#18 0x4032c2eb in __libc_start_main (main=0x81748e8 <main>, argc=2, ubp_av=0xbffffb44, init=0x806d9c0 <_init>, fini=0x81b343c <_fini>,
    rtld_fini=0x4000c130 <_dl_fini>, stack_end=0xbffffb3c) at ../sysdeps/generic/libc-start.c:129


Program received signal SIGSEGV, Segmentation fault.
0x4037fc3d in chunk_free (ar_ptr=0x40418cc0, p=0x834a740) at malloc.c:3134
3134    malloc.c: No such file or directory.
(gdb) bt
#0  0x4037fc3d in chunk_free (ar_ptr=0x40418cc0, p=0x834a740) at malloc.c:3134
#1  0x4037fb03 in __libc_free (mem=0x834a928) at malloc.c:3057
#2  0x80f1eac in shutdown_memory_manager (silent=0, clean_cache=0) at zend_alloc.c:524
#3  0x8072e0e in php_request_shutdown (dummy=0x0) at main.c:743
#4  0x8106d05 in apache_php_module_main (r=0x8316cf8, display_source_mode=0) at sapi_apache.c:96
#5  0x8070e96 in send_php () at eval.c:88
#6  0x8070ef2 in send_parsed_php () at eval.c:88
#7  0x8167859 in ap_invoke_handler () at eval.c:88
#8  0x817cbcf in process_request_internal () at eval.c:88
#9  0x817cc36 in ap_process_request () at eval.c:88
#10 0x8173a36 in child_main () at eval.c:88
#11 0x8173c15 in make_child () at eval.c:88
#12 0x8173d8c in startup_children () at eval.c:88
#13 0x817441d in standalone_main () at eval.c:88
#14 0x8174c9c in main () at eval.c:88
#15 0x4032c2eb in __libc_start_main (main=0x81748e8 <main>, argc=2, ubp_av=0xbffffb44, init=0x806d9c0 <_init>, fini=0x81b343c <_fini>,
    rtld_fini=0x4000c130 <_dl_fini>, stack_end=0xbffffb3c) at ../sysdeps/generic/libc-start.c:129


If you need more info, contact me privately or on the php-dev list (I am subscribed)

HTH,

Hans Rakers
ClubNed
Badhoevedorp, NL
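
Both backtraces in the report above fault inside glibc's free path but are reached from different PHP call sites, so triage starts at the first frame outside glibc. The following is an added example, not part of the original report or of PHP: a small parser for gdb `bt` output that extracts that frame. The names `parse_backtraces`, `triage`, `LIBC_SOURCES` and `FREE_FUNCS` are assumptions made for illustration, and the sample is abridged from the traces above.

```python
import re

# One gdb frame: "#N  [0xADDR in] func (args) [at file:line]"
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*\)(?: at (\S+):(\d+))?$")
LIBC_SOURCES = {"malloc.c", "iofclose.c"}    # assumption: glibc files seen in these traces
FREE_FUNCS = {"__libc_free", "chunk_free"}   # assumption: free() internals named in the traces

# Constructed sample: first frames of the two backtraces quoted in the report.
SAMPLE = """\
#0  0x4037faf0 in __libc_free (mem=0x8345138) at malloc.c:3055
#1  0x40372c0f in _IO_new_fclose (fp=0x8345138) at iofclose.c:87
#2  0x8076f50 in rfc1867_post_handler (content_type_dup=0x833438c "multipart/form-data; boundary=", '-' <repeats 27 times>, "7d187376074e",
    arg=0x832eedc) at rfc1867.c:707
#3  0x8075211 in sapi_handle_post (arg=0x832eedc) at SAPI.c:108

#0  0x4037fc3d in chunk_free (ar_ptr=0x40418cc0, p=0x834a740) at malloc.c:3134
#1  0x4037fb03 in __libc_free (mem=0x834a928) at malloc.c:3057
#2  0x80f1eac in shutdown_memory_manager (silent=0, clean_cache=0) at zend_alloc.c:524
#3  0x8072e0e in php_request_shutdown (dummy=0x0) at main.c:743
"""

def parse_backtraces(text):
    """Return one list of (function, file, line) tuples per backtrace."""
    traces = []
    for raw in text.splitlines():
        if raw.startswith("#0 "):
            traces.append([])                      # frame #0 opens a new backtrace
        if not traces:
            continue
        if raw.startswith("#"):
            traces[-1].append(raw.strip())
        elif raw[:1].isspace() and traces[-1]:
            traces[-1][-1] += " " + raw.strip()    # gdb wrapped a long argument list
    parsed = []
    for frames in traces:
        matches = (FRAME.match(f) for f in frames)
        parsed.append([(m.group(2), m.group(3), int(m.group(4)) if m.group(4) else None)
                       for m in matches if m])
    return parsed

def triage(text):
    """For each crash: did it fault in free(), and which non-glibc frame led there?"""
    report = []
    for frames in parse_backtraces(text):
        caller = next((f for f in frames if f[1] not in LIBC_SOURCES), None)
        report.append({"crash_in_free": frames[0][0] in FREE_FUNCS, "caller": caller})
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```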

 [2001-11-18 18:32 UTC] sniper@php.net
This is fixed in CVS now.

--Jani

Last updated: Mon May 20 06:01:34 2024 UTC