Bug #48203 crash when CURLOPT_STDERR is set to regular file
Submitted: 2009-05-09 13:44 UTC Modified: 2011-09-08 14:38 UTC
From: php-bug at paulsohier dot nl Assigned: bjori (profile)
Status: Closed Package: cURL related
PHP Version: 5.*, 6CVS (2009-05-09) OS: *
Private report: No CVE-ID: None
 [2009-05-09 13:44 UTC] php-bug at paulsohier dot nl
Description:
------------
Discovered during testfest in Utrecht and asked by Piere to report.

When calling curl with a certain URL and without closing the curl stream, curl will segfault.

Curl version:
paul@dwerg:~/php/php5.3-200905090830$ curl-config --version
libcurl 7.18.2

Used host where it segfaults: www.hosthuis.nl
Used host where it does NOT segfault: www.example.org

Reproduce code:
---------------
<?php

$host = 'www.hosthuis.nl';

$temp_file = tempnam(sys_get_temp_dir(), '');
$handle = fopen($temp_file, 'w');

$url = "{$host}/";
$ch = curl_init();

ob_start(); // start output buffering
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, $handle);
curl_setopt($ch, CURLOPT_URL, $url); //set the url we want to use

curl_exec($ch);

fclose($handle);
?>

Expected result:
----------------
The contents of the site

Actual result:
--------------
The contents of the site and a segfault

from run test (Bit different script)

*** glibc detected *** /home/paul/php/php5.3-200905090830/sapi/cli/php: free(): invalid pointer: 0x4001f000 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0x40624624]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0x40626826]
/lib/i686/cmov/libc.so.6(_IO_free_backup_area+0x34)[0x40622b54]
/lib/i686/cmov/libc.so.6(_IO_file_overflow+0x1c2)[0x40620962]
/lib/i686/cmov/libc.so.6(_IO_file_xsputn+0x65)[0x4061f9d5]
/lib/i686/cmov/libc.so.6(fwrite+0x10a)[0x4061586a]
/usr/lib/libcurl.so.4[0x40363428]
/usr/lib/libcurl.so.4[0x40363547]
/usr/lib/libcurl.so.4[0x403640d9]
/usr/lib/libcurl.so.4[0x4036a81a]
/usr/lib/libcurl.so.4[0x4036abdf]
/usr/lib/libcurl.so.4[0x4036ef77]
/usr/lib/libcurl.so.4(curl_easy_cleanup+0x21)[0x4037aec1]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x80f288b]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82f9a22]
/home/paul/php/php5.3-200905090830/sapi/cli/php(zend_hash_del_key_or_index+0xe2)[0x82f8a42]
/home/paul/php/php5.3-200905090830/sapi/cli/php(_zend_list_delete+0x70)[0x82f9c70]
/home/paul/php/php5.3-200905090830/sapi/cli/php(_zval_ptr_dtor+0x3d)[0x82dfd6d]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82f65e2]
/home/paul/php/php5.3-200905090830/sapi/cli/php(zend_hash_graceful_reverse_destroy+0x1f)[0x82f686f]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82e20e8]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82eb843]
/home/paul/php/php5.3-200905090830/sapi/cli/php(php_request_shutdown+0x15f)[0x829b5df]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x836b079]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0x405cc455]
/home/paul/php/php5.3-200905090830/sapi/cli/php(realloc+0x95)[0x8065241]


Patches

reset_to_default_with_multi.patch.txt (last revision 2011-06-09 07:31 UTC by shein@php.net)

Pull Requests

History

 [2009-05-09 20:51 UTC] jani@php.net
<?php

$url = 'www.hosthuis.nl';
$ch = curl_init();

$handle = fopen('/tmp/tt.tmp', 'w');
// $handle = STDERR; // This works

curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, $handle);
curl_setopt($ch, CURLOPT_URL, $url);

curl_exec($ch);

?>

 [2009-05-09 20:51 UTC] jani@php.net
Verified with all branches using cURL 7.15.5
 [2009-05-09 20:58 UTC] php-bug at paulsohier dot nl
It's also related somehow to the URL that's used to fetch, as when you try it with example.org the script works okay.
 [2009-05-09 21:23 UTC] mark at dynom dot nl
I can reproduce it on cURL 7.19.4 on PHP 5.2.9, but only when not using the verbose option. 
When CURLOPT_VERBOSE is false, or not set at all, I get no segfaults. When true, it segfaults.
 [2009-05-09 21:30 UTC] jani@php.net
Adding this as last line also fixes the problem (ie. reset to default..)

curl_setopt($ch, CURLOPT_STDERR, STDERR);

I don't know why the other hosts work and others don't. Probably there's 
some traffic / error and the file handle gets destroyed or otherwise 
mangled during shutdown and curl then tries to use it..
 [2009-05-09 21:30 UTC] jani@php.net
Mark:

CURLOPT_STDERR

Pass a FILE * as parameter. Tell libcurl to use this stream instead of 
stderr when showing the progress meter and displaying CURLOPT_VERBOSE 
data.
 [2009-05-09 21:35 UTC] php-bug at paulsohier dot nl
We just tried it with some more different hosts, and it happens at at least google.nl and nu.nl as well.

Also, adding the curl_close() to the end fixes the problem. But should PHP's GC not do the same call internally?
 [2009-05-10 16:27 UTC] jani@php.net
It's about the order in which stuff is freed/destroyed. Common problem 
with some other extensions as well.
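
The teardown order discussed in this thread, as an added example that is not part of the original report or of PHP's own code: the cURL handle is released before the stream given to CURLOPT_STDERR is closed, so libcurl never writes verbose output to a freed FILE pointer. The function name `fetch_with_verbose_log` and the `file://` sample URL are assumptions made for illustration.

```php
<?php
// Added example: capture CURLOPT_VERBOSE output in a stream and tear
// everything down in an order that keeps the stream alive for as long
// as libcurl may still write to it.
function fetch_with_verbose_log(string $url): array
{
    $log = fopen('php://temp', 'w+');   // receives the verbose trace
    if ($log === false) {
        throw new RuntimeException('cannot open log stream');
    }
    $ch = curl_init($url);
    if ($ch === false) {
        fclose($log);
        throw new RuntimeException('cannot create cURL handle');
    }
    try {
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_VERBOSE, true);
        curl_setopt($ch, CURLOPT_STDERR, $log);
        $body  = curl_exec($ch);
        $error = ($body === false) ? curl_error($ch) : null;
    } finally {
        // 1. Release the cURL handle first. Cleanup can still emit
        //    verbose lines, so $log must be open at this point.
        //    On PHP 8+ curl_close() is a no-op and the handle is freed
        //    when the last reference to it goes away.
        if (PHP_VERSION_ID < 80000) {
            curl_close($ch);
        }
        unset($ch);
    }
    // 2. Only now read and close the stream libcurl was writing to.
    rewind($log);
    $verbose = stream_get_contents($log);
    fclose($log);

    if ($error !== null) {
        throw new RuntimeException("cURL error: {$error}");
    }
    return [$body, $verbose];
}

// Constructed sample input: a local file fetched over file:// so the
// example runs offline (assumes libcurl was built with file:// support).
$sample = tempnam(sys_get_temp_dir(), 'curl');
file_put_contents($sample, "hello\n");
[$body, $verbose] = fetch_with_verbose_log('file://' . $sample);
unlink($sample);
echo $body;
```
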
 [2009-05-26 06:09 UTC] jani@php.net
It's also the bad implementation for CURLOPT_STDERR which causes such problems. It should be handled using the debugging facilities in cURL.
 [2009-05-26 12:34 UTC] jani@php.net
This fixes all the test cases I could come up with:

  http://pecl.php.net/~jani/patches/bug48203.patch

Even the quite insane ones too. It falls back to using STDERR which is the default anyway if the file pointer is closed prematurely.
 [2009-05-26 17:16 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-06-09 09:16 UTC] shein@php.net
Automatic comment from SVN on behalf of shein
Revision: http://svn.php.net/viewvc/?view=revision&revision=311959
Log: Updated (currently failing) test for bug48203 with curl_stderr and added also curl_multi_exec variant of this test.
 [2011-06-09 09:30 UTC] shein@php.net
-Status: Closed +Status: Re-Opened
 [2011-06-09 09:30 UTC] shein@php.net
Added patch for updated tests (tests were committed here 
http://news.php.net/php.cvs/65161). See also discussion here: 
http://markmail.org/message/dfjgty27qfhj4ulf
 [2011-06-09 09:31 UTC] shein@php.net
The following patch has been added/updated:

Patch Name: reset_to_default_with_multi.patch.txt
Revision:   1307604675
URL:        http://bugs.php.net/patch-display.php?bug=48203&patch=reset_to_default_with_multi.patch.txt&revision=1307604675
 [2011-06-12 00:55 UTC] felipe@php.net
-Status: Re-Opened +Status: Assigned -Assigned To: jani +Assigned To: iliaa
 [2011-09-08 11:53 UTC] bjori@php.net
-Assigned To: iliaa +Assigned To: bjori
 [2011-09-08 14:38 UTC] bjori@php.net
-Status: Assigned +Status: Closed
 [2011-09-08 14:38 UTC] bjori@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Fixed with bug#54798
 
Last updated: Mon Apr 07 15:01:31 2025 UTC