Bug #17240 curl crash with CURLOPT_POSTFIELDS set to ""
Submitted: 2002-05-15 05:49 UTC
Modified: 2002-05-21 15:47 UTC
From: chris-php at bolt dot cx
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 4.2.1
OS: Linux 2.4.19-pre4 (Suse)
Private report: No
CVE-ID: None
 [2002-05-15 05:49 UTC] chris-php at bolt dot cx
This script will crash php:

<?
$cs = curl_init();
curl_setopt($cs, CURLOPT_VERBOSE, 1);
curl_setopt($cs, CURLOPT_URL, "http://www.google.com/");
curl_setopt($cs, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($cs, CURLOPT_POST, 1);
curl_setopt($cs, CURLOPT_POSTFIELDS, "");
echo(curl_exec($cs));
curl_close($cs);
?>

$ php -q curltest.php
* About to connect() to www.google.com:80
* Connected to www.google.com (216.239.51.101) port 80
Segmentation fault (core dumped)

$ gdb /usr/local/bin/php ./core
GNU gdb 5.2
...
Loaded symbols for /lib/libnss_dns.so.2
#0  0x40057766 in curl_mvaprintf (format=0x400ca692 "%s", ap_save=0xbfffe1fc)
    at mprintf.c:1065
1065      info.buffer[info.len] = 0; /* we terminate this with a zero byte */
(gdb) bt
#0  0x40057766 in curl_mvaprintf (format=0x400ca692 "%s", ap_save=0xbfffe1fc)
    at mprintf.c:1065
#1  0x4004ad4a in add_bufferf (in=0x81dd968, fmt=0x400ca692 "%s") at http.c:180
#2  0x4004c33e in Curl_http (conn=0x81dd2c0) at http.c:942
#3  0x40052906 in Curl_do (connp=0xbfffe3e4) at url.c:2428
#4  0x4005b676 in Curl_perform (data=0x81e2928) at transfer.c:1139
#5  0x4005babf in curl_easy_perform (curl=0x81e2928) at easy.c:245
#6  0x080f10a3 in zif_curl_exec (ht=1, return_value=0x81e2024, this_ptr=0x0,
    return_value_used=1) at curl.c:876
#7  0x0813f6fa in execute (op_array=0x81dd1b4) at ./zend_execute.c:1598
#8  0x080cde49 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:810
#9  0x08066fb1 in php_execute_script (primary_file=0xbffffa44) at main.c:1381
#10 0x080611b1 in main (argc=3, argv=0xbffffad4) at cgi_main.c:778
#11 0x4018bc6f in __libc_start_main () from /lib/libc.so.6
(gdb)

$ php -v
4.2.1
$ curl --version
curl 7.9.7 (i686-pc-linux-gnu) libcurl 7.9.7 (OpenSSL 0.9.6c)

 [2002-05-15 17:57 UTC] daniel at haxx dot se
(I'm the main author of libcurl, in which this crash happens)

I believe the problem is related to what data is actually passed in to libcurl for the CURLOPT_POSTFIELDS option.

If CURLOPT_POSTFIELDS is unused, or set to 0 (zero), libcurl will strlen() the previous pointer to find out the length of it. Frame #2 shows the library depending on the pointer and a zero termination.
 [2002-05-21 15:47 UTC] edink@php.net
Thanks to daniel@haxx.se this was confirmed to be a bug in libcurl which will be fixed in the next release.
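
The dependency daniel describes (a length taken with strlen() from a stored pointer that must be valid and zero-terminated) can be modelled in a few lines. This is an added example, not code from libcurl or PHP; struct post_opts, the -1 "no size given" convention and all three function names are assumptions made for the illustration.

```c
/* Added illustration: a model, not libcurl source code. */
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the POST settings: a body pointer and an
 * explicit size, where -1 is assumed to mean "no size given". */
struct post_opts {
    const char *fields;   /* request body; may be NULL or "" */
    long        size;     /* explicit length, or -1 when unset */
};

/* Fragile form: with no explicit size it trusts the pointer to be
 * non-NULL and zero-terminated. Passing fields == NULL here is
 * undefined behaviour, so callers must never do that. */
size_t body_len_fragile(const struct post_opts *o)
{
    return o->size >= 0 ? (size_t)o->size : strlen(o->fields);
}

/* Hardened form: validate before measuring. Returns 0 and stores the
 * length in *out, or -1 when the size and the pointer disagree. */
int body_len_checked(const struct post_opts *o, size_t *out)
{
    if (o->fields == NULL) {
        if (o->size > 0)
            return -1;            /* claims bytes but has no buffer */
        *out = 0;                 /* no body: a valid zero-length POST */
        return 0;
    }
    *out = o->size >= 0 ? (size_t)o->size : strlen(o->fields);
    return 0;
}

/* Append the body to a request buffer with a bounded copy instead of a
 * format string; an empty body is a no-op, not a special case.
 * Returns the number of bytes written, or -1 on any inconsistency. */
long append_body(char *dst, size_t cap, size_t used,
                 const struct post_opts *o)
{
    size_t n;
    if (used > cap || body_len_checked(o, &n) != 0 || n > cap - used)
        return -1;
    if (n)
        memcpy(dst + used, o->fields, n);
    return (long)n;
}
```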