PHP :: Bug #11998 :: Crash on multipart file form upload

Bug #11998	Crash on multipart file form upload
Submitted:	2001-07-10 02:21 UTC	Modified:	2001-10-02 09:32 UTC
From:	me at philth dot net dot nz	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	4.0CVS-2001-07-10	OS:	FreeBSD 4.2-STABLE
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	me at philth dot net dot nz
New email:
PHP Version:		OS:

New Comment:

[2001-07-10 02:21 UTC] me at philth dot net dot nz

Crashes (signal 11) on file upload using multipart form data.

Worked with 4.0.4pl1, haven't tried 4.0.5, crashed with 4.0.6 and latest CVS since.

Compiled with:
./configure \
--enable-inline-optimization \
--enable-sysvsem \
--enable-sysvshm \
--with-mysql=/usr/local \
--with-pdflib=/usr/local \
--with-jpeg=/usr/local \
--with-jpeg-dir=/usr/local \
--with-png-dir=/usr/local \
--with-png=/usr/local \
--with-zlib-dir=/usr \
--with-pgsql=/usr/local \
--with-imap=/usr/local \
--with-gd=/usr/local \
--with-freetype=/usr/local \
--with-apxs=/usr/local/apache_test/bin/apxs

Backtrace:
(gdb) bt
#0  0x1822c8f3 in php_mime_split (
    buf=0x81bf00c '-' <repeats 29 times>, "7d1bb1e111070e\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n3319", cnt=80256, 
    boundary=0x818e02a '-' <repeats 27 times>, "7d1bb1e111070e", array_ptr=0x81389cc) at rfc1867.c:174
#1  0x1822d56f in rfc1867_post_handler (
    content_type_dup=0x818e00c "multipart/form-data; boundary=", '-' <repeats 27 times>, "7d1bb1e111070e", arg=0x81389cc)
    at rfc1867.c:472
#2  0x1822b675 in sapi_handle_post (arg=0x81389cc) at SAPI.c:110
#3  0x1822e52d in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:251
#4  0x18229486 in php_hash_environment () at main.c:1080
#5  0x18228b98 in php_request_startup () at main.c:650
#6  0x18226321 in apache_php_module_main (r=0x818406c, display_source_mode=0) at sapi_apache.c:67
#7  0x18226d6a in send_php (r=0x818406c, display_source_mode=0, filename=0x0) at mod_php4.c:581
#8  0x18226da6 in send_parsed_php (r=0x818406c) at mod_php4.c:594
#9  0x80758a1 in ap_invoke_handler ()
#10 0x8089fa8 in process_request_internal ()
#11 0x808a402 in ap_internal_redirect ()
#12 0x184e68d2 in mod_gzip_redir1_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#13 0x184e4fa0 in mod_gzip_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#14 0x80758a1 in ap_invoke_handler ()
#15 0x8089fa8 in process_request_internal ()
#16 0x808a402 in ap_internal_redirect ()
#17 0x80602b2 in handle_dir ()
#18 0x80758a1 in ap_invoke_handler ()
#19 0x8089fa8 in process_request_internal ()
#20 0x808a012 in ap_process_request ()
#21 0x8080fdf in child_main ()
#22 0x808119d in make_child ()
#23 0x8081316 in startup_children ()
#24 0x8081924 in standalone_main ()
#25 0x808213c in main ()
#26 0x804f429 in _start ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-08-19 04:46 UTC] sniper@php.net

Please include the shortest possible example
script into this report.

[2001-08-19 07:21 UTC] me at philth dot net dot nz

Simply a form containing more than 26 <input type="file"> tag's.

So,
<form action="/prop/" method="post" id="editForm" enctype="multipart/form-data">
	
	Image 1:<input type="file" name="img[1]" size="24" onclick="" onchange="">
	Image 2:<input type="file" name="img[2]" size="24" onclick="" onchange="">
		
		... [Lots more here] ...
	
	Image 18:<input type="file" name="img[18]" size="24" onclick="" onchange="">
	Image 19:<input type="file" name="img[19]" size="24" onclick="" onchange="">
		
		
	Virtual Image 1:<input type="file" name="virtimg[1]" size="24" onclick="" onchange="">
	Image IVR 1:<input type="file" name="virtivr[1]" size="24" onclick="" onchange="">
		
		... [Lots more here] ...
        
	Virtual Image 6:<input type="file" name="virtimg[6]" size="24" onclick="" onchange="">
	Image IVR 6:<input type="file" name="virtivr[6]" size="24" onclick="" onchange="">
	
	<input type="submit" value="  Submit  " id="submitButton">
</form>


It doesn't matter what's in the page it POST's too.

[2001-08-19 16:26 UTC] sniper@php.net

I can not reproduce this. I have a form with 30 indexed
file fields plus 50 with no preset indexes.
ie.

30 of these: <input type="file" name="test1[1]">
50 of these: <input type="file" name="test2[]">

And I can't get it to crash..do I have to upload ove 26
file or?

--Jani

[2001-08-19 17:22 UTC] me at philth dot net dot nz

Hmmm, maybe I missed something.

This form here crashes it:

http://philth.net.nz/upload.php

and the file it's posting to has 

<?
echo "foobar";
?>

in it.

[2001-08-20 19:48 UTC] sniper@php.net

I can not reproduce it with your form and with latest CVS.
Please provide a GDB backtrace of the crash (using latest CVS of PHP)

--Jani

[2001-08-21 00:11 UTC] me at philth dot net dot nz

From CVS as at 21/08/2001 16:15 NZDT using same form and uploading 2 images in the fields supplied.

(gdb) bt
#0  0x1823fdbf in php_mime_split (
    buf=0x820000c '-' <repeats 29 times>, "7d12252130332\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n3319", cnt=33534, 
    boundary=0x819762a '-' <repeats 27 times>, "7d12252130332", array_ptr=0x817eaec) at rfc1867.c:174
#1  0x18240a3b in rfc1867_post_handler (
    content_type_dup=0x819760c "multipart/form-data; boundary=", '-' <repeats 27 times>, "7d12252130332", arg=0x817eaec)
    at rfc1867.c:472
#2  0x1823eb25 in sapi_handle_post (arg=0x817eaec) at SAPI.c:107
#3  0x18241a01 in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:250
#4  0x1823c2ce in php_hash_environment () at main.c:1097
#5  0x1823b6f0 in php_request_startup () at main.c:684
#6  0x18238cd6 in apache_php_module_main (r=0x819e71c, display_source_mode=0) at sapi_apache.c:67
#7  0x18239822 in send_php (r=0x819e71c, display_source_mode=0, filename=0x0) at mod_php4.c:575
#8  0x18239882 in send_parsed_php (r=0x819e71c) at mod_php4.c:590
#9  0x80758a1 in ap_invoke_handler ()
#10 0x8089fa8 in process_request_internal ()
#11 0x808a402 in ap_internal_redirect ()
#12 0x181d48d2 in mod_gzip_redir1_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#13 0x181d2fa0 in mod_gzip_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#14 0x80758a1 in ap_invoke_handler ()
#15 0x8089fa8 in process_request_internal ()
#16 0x808a402 in ap_internal_redirect ()
#17 0x80602b2 in handle_dir ()
#18 0x80758a1 in ap_invoke_handler ()
#19 0x8089fa8 in process_request_internal ()
#20 0x808a012 in ap_process_request ()
#21 0x8080fdf in child_main ()
#22 0x808119d in make_child ()
#23 0x8081316 in startup_children ()
#24 0x8081924 in standalone_main ()
#25 0x808213c in main ()
#26 0x804f429 in _start ()
(gdb)

[2001-08-21 05:28 UTC] sniper@php.net

Just one more thing: What version of Apache? 
And does this happen with any browser? IE / NS / Mozilla ?

--Jani

[2001-08-21 05:42 UTC] me at philth dot net dot nz

Crashes with 1.3.14, 1.3.17 and 1.3.20.

I've tried it with IE5, IE5.5, Mozilla 0.9.3 and Netscape 6.1.

Whoa, just found it _doesn't_ crash with Netscape 4.08 or Opera 5.11.

I can't test it in Linux, as I'm currently sans-external-DSL-modem and therefore stuck in windows until a new one arrives.

[2001-08-23 05:54 UTC] sniper@php.net

Reproduced with IE 5.5. The rfc1867.c has some bugs
in it after all..

Marked as fix before release. (4.0.7)

--Jani

[2001-08-30 13:32 UTC] troels@php.net

The bug also exists when running PHP on Linux. And it may be reproduced with Mozilla, too. Please don't forget this one before 4.0.7 is released.

[2001-08-30 14:22 UTC] troels@php.net

Some follow-up.

PHP 4.0.5 does _not_ have the bug.
Current CVS (August 30 2001) does have the bug.

The bug doesn't seem to show up unless around 30 files are uploaded.

Here's a back-trace from PHP current CVS.

#0  php_mime_split (
    buf=0x80fbaf4 '-' <repeats 29 times>, "172461271845611381008674657\r\nContent-Disposition: form-data; name=\"date_debut\"\r\n\r\n2001-08-25", cnt=28292, boundary=0x80c387a '-' <repeats 27 times>, "172461271845611381008674657", array_ptr=0x80fb0e4) at rfc1867.c:177
#1  0x4042a55f in rfc1867_post_handler (
    content_type_dup=0x80c385c "multipart/form-data; boundary=", '-' <repeats 27 times>, "172461271845611381008674657", arg=0x80fb0e4)
    at rfc1867.c:472
#2  0x40427c83 in sapi_handle_post (arg=0x80fb0e4) at SAPI.c:107
#3  0x4042b768 in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:250
#4  0x40425036 in php_hash_environment () at main.c:1097
#5  0x404244d0 in php_request_startup () at main.c:684
#6  0x404216c0 in apache_php_module_main (r=0x80e5218, display_source_mode=0) at sapi_apache.c:67
#7  0x40422324 in send_php (r=0x80e5218, display_source_mode=0, filename=0x0) at mod_php4.c:575
#8  0x40422383 in send_parsed_php (r=0x80e5218) at mod_php4.c:590
#9  0x080551cd in ap_invoke_handler () at eval.c:41
#10 0x0806732c in ap_some_auth_required () at eval.c:41
#11 0x080673a3 in ap_process_request () at eval.c:41
#12 0x0805fa47 in ap_child_terminate () at eval.c:41
#13 0x0805fbea in ap_child_terminate () at eval.c:41
#14 0x0805fd2d in ap_child_terminate () at eval.c:41
#15 0x08060350 in ap_child_terminate () at eval.c:41
#16 0x08060c13 in main () at eval.c:41
#17 0x4015c4b7 in __libc_start_main (main=0x8060790 <main>, argc=2, ubp_av=0xbffff9c4, init=0x804fb20 <_init>, fini=0x80894d0 <_fini>, 
    rtld_fini=0x4000dbb4 <_dl_fini>, stack_end=0xbffff9bc) at ../sysdeps/generic/libc-start.c:129

[2001-10-02 09:32 UTC] sniper@php.net

This is fixed now.

--Jani

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 20:00:01 2025 UTC