Bug #35781 stream_filter_append will cause segfault
Submitted: 2005-12-23 03:00 UTC
Modified: 2005-12-23 15:46 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: sqchen at citiz dot net
Assigned: tony2001
Status: Closed
Package: Filesystem function related
PHP Version: 5.1.2RC1
OS: redhat 7.3
Private report: No
CVE-ID: None
 [2005-12-23 03:00 UTC] sqchen at citiz dot net
Description:
------------
stream_filter_append($fp, "string.rot13", -49)
will cause a segmentation fault.

Reproduce code:
---------------
<?php
$fp = fopen("test.txt", "w");
stream_filter_append($fp, "string.rot13", -49);
fwrite($fp, "This is a test\n");
rewind($fp);
fpassthru($fp);
fclose($fp);
?>

Actual result:
--------------
Segmentation fault

 [2005-12-23 04:17 UTC] judas dot iscariote at gmail dot com
==308== Process terminating with default action of signal 11 (SIGSEGV)
==308==  Bad permissions for mapped region at address 0x1669DFFF
==308==    at 0x11B1CEC7: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck.so)
==308==    by 0x508DDA: php_stream_bucket_make_writeable (string3.h:52)
==308==    by 0x4E48C4: ??? (filters.c:46)
==308==    by 0x506424: ??? (streams.c:458)
==308==    by 0x50689A: _php_stream_read (streams.c:584)
==308==    by 0x506E9F: _php_stream_passthru (streams.c:1183)
==308==    by 0x49F60E: zif_fpassthru (file.c:1487)
==308==    by 0x54F5E4: ??? (zend_vm_execute.h:192)
==308==    by 0x54ECD2: execute (zend_vm_execute.h:92)
==308==    by 0x526ADA: zend_eval_string (zend_execute_API.c:1085)
==308==    by 0x526C27: zend_eval_string_ex (zend_execute_API.c:1119)
==308==    by 0x5C2FBD: main (php_cli.c:1116)
 
php -v
PHP 5.1.2RC1 (cli) (built: Dec 22 2005 19:34:24)
Copyright (c) 1997-2005 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2005 Zend Technologies
 [2005-12-23 04:36 UTC] judas dot iscariote at gmail dot com
(gdb) bt
#0  0x00002aaaab5433f0 in memcpy () from /lib64/tls/libc.so.6
#1  0x0000000000000003 in ?? ()
#2  0x000000000071ca50 in php_register_internal_extensions ()
#3  0x000000000062acfa in strfilter_rot13_filter (stream=0xaa6fc0, thisfilter=0xaa7360, buckets_in=0x7fffffc21d60,
    buckets_out=0x7fffffc21d50, bytes_consumed=0x0, flags=0) at /local/local/bodegon/php-debug/ext/standard/filters.c:46
#4  0x000000000065e69d in php_stream_fill_read_buffer (stream=0xaa6fc0, size=8192)
    at /local/local/bodegon/php-debug/main/streams/streams.c:458
#5  0x000000000065ecfa in _php_stream_read (stream=0xaa6fc0, buf=0x7fffffc21e70 "", size=8192)
    at /local/local/bodegon/php-debug/main/streams/streams.c:584
#6  0x00000000006602d2 in _php_stream_passthru (stream=0xaa6fc0, __php_stream_call_depth=0,
    __zend_filename=0x762ae0 "/local/local/bodegon/php-debug/ext/standard/file.c", __zend_lineno=1487,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/main/streams/streams.c:1183
#7  0x00000000005ca9ff in zif_fpassthru (ht=1, return_value=0xaa4f90, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at /local/local/bodegon/php-debug/ext/standard/file.c:1487
#8  0x00000000006c2ef2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffc241a0) at zend_vm_execute.h:192
#9  0x00000000006c8e57 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fffffc241a0) at zend_vm_execute.h:1587
#10 0x00000000006c2a66 in execute (op_array=0xaa5e70) at zend_vm_execute.h:92
#11 0x000000000069ce03 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/local/bodegon/php-debug/Zend/zend.c:1101
#12 0x0000000000649cd3 in php_execute_script (primary_file=0x7fffffc26830)
    at /local/local/bodegon/php-debug/main/main.c:1720
#13 0x000000000071bd3d in main (argc=2, argv=0x7fffffc26a28) at /local/local/bodegon/php-debug/sapi/cli/php_cli.c:1077
 [2005-12-23 15:12 UTC] sniper@php.net
Assigned to the streams author.
 [2005-12-23 15:17 UTC] tony2001@php.net
I'll commit a patch shortly.
 [2005-12-23 15:46 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 