Bug #43092 curl_copy_handle() crashes with > 32 chars long URL
Submitted: 2007-10-24 03:55 UTC Modified: 2007-11-16 14:21 UTC
From: ezyang@php.net Assigned:
Status: Closed Package: cURL related
PHP Version: 5.2CVS-2007-10-24 (snap) OS: Windows Vista
Private report: No CVE-ID: None
 [2007-10-24 03:55 UTC] ezyang@php.net
Description:
------------
I don't know what to make of this behavior. When CURL creates a handle with 32 characters or more to the local filesystem, duplicates it, and then PHP attempts to create a new object while passing in a parameter that is an array of values, PHP crashes. I could only produce this behavior on Windows Vista.

Reproduce code:
---------------
<?php
// for Windows Vista, PHP 5.2.4
class foo { function __construct($var) {} }
curl_copy_handle(curl_init('12345678901234567890123456789012')); // 32 or longer
new foo(array('foo'));
echo 'Yay!';

Expected result:
----------------
Output of 'Yay!'

Actual result:
--------------
PHP aborts prematurely

 [2007-10-24 22:33 UTC] ezyang@php.net
Tested it on 5.2-dev and 6.0-dev snapshots, incorrect behavior is same on both.
 [2007-11-12 21:19 UTC] ezyang@php.net
I'm not sure if I did this correctly, but here goes. Crash analysis using Debug Diagnostic on a PHP 5.3 snap:

Thread 0 - System ID 5952
Entry point   php+2c12 
Create time   11/12/2007 4:15:46 PM 
Time spent in user mode   0 Days 0:0:0.15 
Time spent in kernel mode   0 Days 0:0:0.140 

Function     Arg 1     Arg 2     Arg 3   Source
php5ts!zend_mm_shutdown+139     00000030     00000027     100a07c8
php5ts!emalloc+36     00000000     00000000     00000000

PHP5TS!ZEND_MM_SHUTDOWN+139
WARNING - DebugDiag was not able to locate debug symbols for php5ts.dll, so the information below may be incomplete.

In php__PID__4492__Date__11_12_2007__Time_04_15_56PM__383__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!zend_mm_shutdown+139 in C:\Software\PHP\versions\5.3.0-dev\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000010 on thread 0
 [2007-11-12 21:24 UTC] ezyang@php.net
It looks like the debug symbols weren't loaded. Here's an updated version, also with a cleaner configuration:

Thread 0 - System ID 5576
Entry point   php!mainCRTStartup 
Create time   11/12/2007 4:22:10 PM 
Time spent in user mode   0 Days 0:0:0.15 
Time spent in kernel mode   0 Days 0:0:0.15 

Function     Arg 1     Arg 2     Arg 3   Source
php5ts!_zend_mm_alloc_int+49     00000030     00000027     100a07c8
php5ts!_emalloc+36     00000027     0190fe28     01911328
php5ts!_zend_hash_quick_add_or_update+208     00000006     01911288     00000004
php5ts!ZEND_RECV_SPEC_HANDLER+76a     00c0fb2c     003e2950     0190fda0
php5ts!execute+1b7     019111f0     003e2950     0190dcdd
php5ts!zend_do_fcall_common_helper_SPEC+95b     00c0fc1c     003e2950     1001e207
php5ts!ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER+15     00c0fbd0     003e2950     003e2950
php5ts!execute+1b7     0190dd70     003e2950     00000000
php5ts!zend_execute_scripts+107     00000008     003e2950     00000000
php5ts!php_execute_script+20d     00c0fea8     003e2950     00000000
php!main+c0e     00000005     003e28c8     003e1948
php!mainCRTStartup+e3     7ffdf000     00c0ffec     7796a9bd
kernel32!BaseThreadInitThunk+e     7ffdf000     00c0b59e     00000000
ntdll!_RtlUserThreadStart+23     00402c12     7ffdf000     00000000

PHP5TS!_ZEND_MM_ALLOC_INT+49
In php__PID__1000__Date__11_12_2007__Time_04_22_20PM__712__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!_zend_mm_alloc_int+49 in C:\Software\PHP\versions\5.3.0-dev\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000010 on thread 0
 [2007-11-16 14:21 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.