Bug #51977 thttpd segfault on X86_64?
Submitted: 2010-06-02 17:18 UTC Modified: 2013-12-18 00:29 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: znfwhy at 163 dot com Assigned: sas (profile)
Status: Closed Package: Other web server
PHP Version: 5.2.13 OS: Debian Squeeze
Private report: No CVE-ID: None
 [2010-06-02 17:18 UTC] znfwhy at 163 dot com
Description:
------------
HTTP POST with 16KB more content will cause thttpd segfault on X86_64.

Here is the backtrace result:
...
Program received signal SIGSEGV, Segmentation fault.
0x0000003d7d278d80 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x0000003d7d278d80 in strlen () from /lib/libc.so.6
#1  0x0000003d7d278ab6 in strdup () from /lib/libc.so.6
#2  0x0000000000432cf0 in thttpd_php_request ()
#3  0x000000000042d7bb in httpd_start_request ()
#4  0x0000000000423a84 in _start ()

Test script:
---------------
<html>
  <head>
    PHP5 test page
  </head>
  <body>

    <div id=main style="width: 130px; height: 130px;">
      <form  method="POST"  enctype="text/html" action="/test.php">
        <textarea name=test>
        </textarea>
        <input type="submit" value="submit">
      </form>
    </div>
  </body>
</html>

Expected result:
----------------
info of PHP5 printed by test.php.

Actual result:
--------------
Nothing, but thttpd exits with a segfault.

Patches

php5_thttpd_upload_large_content_segfault.patch (last revision 2010-06-02 15:19 UTC by znfwhy at 163 dot com)

Pull Requests

History

 [2010-06-02 17:26 UTC] johannes@php.net
-Status: Open +Status: Feedback
 [2010-06-02 17:26 UTC] johannes@php.net
The thttpd code hasn't really been maintained since 2005. I looked through the code but couldn't find the relevant strdup call. Could you please recompile PHP using --enable-debug and then generate a "bt full"? Maybe the issue can be found then.
 [2010-06-03 05:08 UTC] znfwhy at 163 dot com
-Status: Feedback +Status: Open
 [2010-06-03 05:08 UTC] znfwhy at 163 dot com
Recompiled php5 with --enable-debug, and the backtrace info is listed below.
But this issue is caused by line 1770, file sapi/thttpd/thttpd_patch of php5.
Type mismatch while converting a pointer to int on X86_64.

(gdb) bt
#0  0x0000003d7d278d80 in strlen () from /lib/libc.so.6
#1  0x0000003d7d278ab6 in strdup () from /lib/libc.so.6
#2  0x000000000043b693 in thttpd_request_ctor () at php_thttpd.c:458
#3  0x000000000043b848 in thttpd_real_php_request (hc=0xa1f300, show_source=0)
    at php_thttpd.c:671
#4  0x000000000043b938 in thttpd_php_request (hc=0xa1f300, show_source=0)
    at php_thttpd.c:704
#5  0x0000000000432c44 in really_start_request (hc=0xa1f300,
    nowP=0x7fff4b0bba20) at libhttpd.c:3708
#6  0x0000000000433077 in httpd_start_request (hc=0xa1f300,
    nowP=0x7fff4b0bba20) at libhttpd.c:3801
#7  0x000000000042707c in boot_request (c=0x9fb880, tvP=0x7fff4b0bba20)
    at thttpd.c:1548
#8  0x00000000004277a3 in handle_read_body (c=0x9fb880, tvP=0x7fff4b0bba20)
    at thttpd.c:1774
#9  0x0000000000424a7d in main (argc=3, argv=0x7fff4b0bcc68) at thttpd.c:617
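
The pointer-to-int truncation named in the comment above, as an added example that is not part of the original report or of the thttpd/PHP sources: it models what happens to a 64-bit address that passes through an `int` on x86_64, using two addresses taken from the backtrace and one constructed address, next to the lossless `intptr_t` form. The function names are hypothetical, and the actual code at line 1770 of thttpd_patch is not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of `int i = (int)ptr; ... (char *)i` on LP64 (x86_64 Linux):
 * the cast keeps only the low 32 bits, and widening the int back to a
 * 64-bit pointer sign-extends bit 31. Explicit masks keep the arithmetic
 * fully defined on any host. */
static uint64_t through_int(uint64_t addr)
{
    uint32_t low = (uint32_t)addr;                 /* upper 32 bits lost */
    return (low & 0x80000000u) ? (0xFFFFFFFF00000000ull | low) : low;
}

/* 1 if the address survives the round trip, 0 if it comes back changed. */
static int survives_int(uint64_t addr)
{
    return through_int(addr) == addr;
}

/* Corrected pattern: intptr_t is defined to hold any object pointer,
 * so the round trip is lossless for a real allocation. */
static int roundtrip_intptr_ok(void)
{
    void *buf = malloc(32 * 1024);
    if (buf == NULL)
        return 0;
    intptr_t stored = (intptr_t)buf;
    int ok = ((void *)stored == buf);
    free(buf);
    return ok;
}

int main(void)
{
    /* First two addresses are copied from the backtrace in this report;
     * the third is constructed so that bit 31 is set. */
    const uint64_t samples[] = {
        0xa1f300ull, 0x7fff4b0bba20ull, 0x7f0080001000ull
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx -> %#018llx %s\n",
               (unsigned long long)samples[i],
               (unsigned long long)through_int(samples[i]),
               survives_int(samples[i]) ? "intact" : "CORRUPTED");
    printf("intptr_t round trip ok: %d\n", roundtrip_intptr_ok());
    return 0;
}
```

Addresses below 4 GiB come back intact, which is why this class of bug can stay hidden until a pointer lands higher in the address space. GCC's `-Wpointer-to-int-cast` and `-Wint-to-pointer-cast` warnings report such casts at compile time.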
 [2010-06-20 19:54 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: sas
 [2013-12-18 00:28 UTC] sas@php.net
Hi,

please reopen ticket if this particular issue reoccurs.

Preferably try another web server.

Thank you for using PHP.

Best
Sascha
 [2013-12-18 00:29 UTC] sas@php.net
-Status: Assigned +Status: Closed
 