Bug #33253 php_stream_mmap_range make apache core dump by returning wrong pointer
Submitted: 2005-06-06 04:23 UTC Modified: 2005-06-14 01:00 UTC
From: hufan at baidu dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.0.4 OS: redhat 7.3
Private report: No CVE-ID: None

 [2005-06-06 04:23 UTC] hufan at baidu dot com
Description:
------------
Under some conditions, php_stream_mmap_range returns a wrong pointer, which makes Apache core dump (signal 7).

Here is the core file trace:
#0  0x420e14f2 in writev () from /lib/i686/libc.so.6
#1  0x081bee67 in writev_it_all ()
#2  0x081bf25f in large_write ()
#3  0x081bf31f in ap_bwrite ()
#4  0x081d2f3f in ap_rwrite ()
#5  0x0809024a in sapi_apache_ub_write (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788)
    at /home/work/source/php5/php-5.0.4/sapi/apache/mod_php5.c:102
#6  0x080a146b in php_ub_body_write_no_header (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788)
    at /home/work/source/php5/php-5.0.4/main/output.c:684
#7  0x080a150d in php_ub_body_write (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788)
    at /home/work/source/php5/php-5.0.4/main/output.c:714
#8  0x080a075e in php_body_write (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788)
    at /home/work/source/php5/php-5.0.4/main/output.c:119
#9  0x080a3099 in _php_stream_passthru (stream=0x84a29e4) at /home/work/source/php5/php-5.0.4/main/streams/streams.c:1157

(gdb) list
1152                    size_t mapped;
1153
1154                    p = php_stream_mmap_range(stream, php_stream_tell(stream), PHP_STREAM_COPY_ALL, PHP_STREAM_MAP_MODE_SHARED_READONLY, &mapped);
1155
1156                    if (p) {
1157                            PHPWRITE(p, mapped);
1158
1159                            php_stream_mmap_unmap(stream);
1160
1161                            return mapped;
(gdb) info locals
p = 0x31ec <Address 0x31ec out of bounds>
mapped = 33788
stream = (php_stream *) 0x84a29e4
bcount = 0
buf = "\001\0\0\0\224=F\b\b\0\0\0{p\aBJ,J\bl\206C\b:\0\0\0.p\aB\001\0\0\0\001\0 \0\0\0\0\0\0*=)@\f\003\023B\0\0\0\0\210\032???\004\005Bp\026??\0\0\0\0\0\0 \0\0?\002\005B\200\026??\0\0\0\0\0\0\0\0?\002\005B\001\0\0\0\004\0\0\00K\0 \0?\005BP_F\b\0\0\0\0\001\0\0\0?\005B\006\0\0\0\001\0\0\0\001\0\0\0\004\0\0\0\030K", '\0' <repeats 14 times>, "h?H\bt?B\b\n\0\0\0\001\0\0\0\001\0\0\0\004\0\0\0<\024???CJ\b\0\0\0\0\0 \0\0\0\001\0\0\0"...
b = 139078116


 [2005-06-06 10:04 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-06-14 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 