Bug #52944 fclose: quiet script interruption
Submitted: 2010-09-28 21:40 UTC Modified: 2010-09-29 20:59 UTC
From: svimik at mail dot ru Assigned: cataphract (profile)
Status: Closed Package: *Network Functions
PHP Version: 5.3.3 OS: Debian-50-lenny-64
Private report: No CVE-ID: None
 [2010-09-28 21:40 UTC] svimik at mail dot ru
Description:
------------
I don't know exactly whether this is a bug in the zlib filter or in streams, but this combination can produce a script crash without any error output.

Let's take some binary data, like corrupted compressed data (not all random data produces the crash, so try the file from my example). Use stream_socket_pair with a zlib.inflate filter on the second socket, which is used for reading in my case.
Use non-blocking streams.
Then perform exactly the following sequence to produce the crash:
1. write the corrupted data to socket 0
2. call fread on socket 1 (returns nothing, as expected, because the string cannot be uncompressed)
3. call fclose on socket 0
4. call fread on socket 1 once again
5. call fclose on socket 1 - on this step the script dies.

Sorry, I can't make a backtrace on a production server, because it would be necessary to recompile PHP. Waiting for someone to confirm the bug.

Test script:
---------------
<?php
error_reporting(E_ALL);
// Unix socket pair: socket 0 is written to, socket 1 is read from through the inflate filter
$sockets = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
stream_set_blocking($sockets[0], 0);
stream_set_blocking($sockets[1], 0);
stream_filter_append($sockets[1], "zlib.inflate", STREAM_FILTER_READ);

// corrupted compressed data hosted on the reporter's server
$in=file_get_contents("http://188.40.74.4/corrupted.gz");
$out="";

fwrite($sockets[0], $in);        // 1. write corrupted data to socket 0
$out.=fread($sockets[1], 1);     // 2. first read through the filter: inflate fails, nothing returned
fclose($sockets[0]);             // 3. close socket 0
$out.=fread($sockets[1], 1);     // 4. second read

echo "closing...";
fclose($sockets[1]);             // 5. script dies here
echo "done\r\n";
?>

Expected result:
----------------
Script should output "closing...done"

Actual result:
--------------
Script prints "closing..." but never "done"
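An offline variant of the five-step sequence above, added here as an example (it is not the reporter's script and not part of the PHP project). The invalid input is constructed in memory instead of being fetched from the reporter's server. It assumes that the default zlib.inflate window expects raw deflate (so corrupted raw-deflate output stands in for the reporter's gzip file) and that the constructed bytes, while rejected by zlib, are not guaranteed to reach the overflowing code path on an unpatched build; a build carrying the fix must print "closing...done". The helper names corruptedDeflate, isInvalidDeflate and runSequence are this example's own.

```php
<?php
// Added example, not the reporter's script. Same five-step sequence as the
// report, but the invalid input is constructed in memory so the script runs
// offline. Assumptions: the default zlib.inflate window expects raw deflate,
// so corrupted raw-deflate output is used instead of the reporter's gzip
// file, and this constructed data is not guaranteed to reach the overflowing
// path on an unpatched build; a build with the fix must print "done".
error_reporting(E_ALL);

// Constructed input: a valid raw-deflate stream with bytes flipped after the
// first two bytes, so inflate decodes a little (or nothing) and then errors.
function corruptedDeflate(): string
{
    $good = gzdeflate(str_repeat("The quick brown fox jumps over the lazy dog\n", 64), 9);
    $bad  = $good;
    for ($i = 2, $n = strlen($bad); $i < $n; $i += 7) {
        $bad[$i] = chr(ord($bad[$i]) ^ 0xFF);
    }
    return $bad;
}

// Confirms that zlib really rejects the constructed data before it is used.
function isInvalidDeflate(string $data): bool
{
    return @gzinflate($data) === false;
}

// Steps 1-5 from the report; returns whatever the inflate filter produced.
function runSequence(string $data): string
{
    $sockets = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
    stream_set_blocking($sockets[0], false);
    stream_set_blocking($sockets[1], false);
    stream_filter_append($sockets[1], "zlib.inflate", STREAM_FILTER_READ);

    $out = "";
    fwrite($sockets[0], $data);       // 1. write the invalid data to socket 0
    $out .= fread($sockets[1], 1);    // 2. first read through the filter: inflate fails
    fclose($sockets[0]);              // 3. close the writing end
    $out .= fread($sockets[1], 1);    // 4. second read: where the invalid write occurred before the fix
    echo "closing...";
    fclose($sockets[1]);              // 5. filter dtor frees the filter's buffer: crash point before the fix
    echo "done\n";
    return $out;
}

$data = corruptedDeflate();
if (!isInvalidDeflate($data)) {
    fwrite(STDERR, "constructed data unexpectedly decodes; adjust the corruption loop\n");
    exit(1);
}
$out = runSequence($data);
echo "filter produced " . strlen($out) . " byte(s)\n";
```

Run it with the CLI (`php repro.php`). The guard before runSequence matters: the report notes that not every corrupted input triggers the crash, so the script first checks that zlib actually rejects the constructed bytes, and the only assertion you can make across builds is that a patched PHP survives step 5 and prints "done".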

Patches

zlib_filter_segfault_fix (last revision 2010-09-29 01:54 UTC by cataphract@php.net)

 [2010-09-28 21:58 UTC] cataphract@php.net
I can confirm some sort of bug in both PHP 5.3.3 and trunk on Debian Lenny x64.

On trunk:

[Tue Sep 28 20:54:06 2010]  Script:  '-'
---------------------------------------
/tmp/trunk/ext/zlib/zlib_filter.c(165) : Block 0x7fba5a6120c0 status:
Beginning:      OK (allocated on /tmp/trunk/ext/zlib/zlib_filter.c:311, 2048 bytes)
    Start:      OK
      End:      Overflown (magic=0x00000018 instead of 0x5289A744)
                At least 4 bytes overflown
---------------------------------------
done
[Tue Sep 28 20:54:06 2010]  Script:  '-'
/tmp/trunk/ext/zlib/zlib_filter.c(311) :  Freeing 0x7FBA5A6120C0 (2048 bytes), script=-
=== Total 1 memory leaks detected ===

On PHP 5.3.3 (sorry, not debug build), there's a segfault:

#0  zend_mm_remove_from_free_list (heap=0x11fc290, mm_block=0x1407380)
    at /opt/php-5.3.3/Zend/zend_alloc.c:841
#1  0x000000000069613e in _zend_mm_free_int (heap=0x11fc290, p=0x1406b80)
    at /opt/php-5.3.3/Zend/zend_alloc.c:2019
#2  0x00007f029fa548c9 in php_zlib_inflate_dtor (
    thisfilter=<value optimized out>)
    at /opt/php-5.3.3/ext/zlib/zlib_filter.c:161
#3  0x0000000000678ae2 in php_stream_filter_free (filter=0x1409950)
    at /opt/php-5.3.3/main/streams/filter.c:312
#4  0x0000000000678b8a in php_stream_filter_remove (filter=0x0, call_dtor=1)
    at /opt/php-5.3.3/main/streams/filter.c:531
#5  0x000000000067559a in _php_stream_free (stream=0x14096a0, close_options=11)
    at /opt/php-5.3.3/main/streams/streams.c:369
#6  0x00000000006757d1 in stream_resource_regular_dtor (
    rsrc=<value optimized out>) at /opt/php-5.3.3/main/streams/streams.c:1426
#7  0x00000000006c34a2 in list_entry_destructor (ptr=0x14097e0)
    at /opt/php-5.3.3/Zend/zend_list.c:184
#8  0x00000000006c2566 in zend_hash_del_key_or_index (ht=0xc6e7b0, arKey=0x0,
    nKeyLength=0, h=2, flag=<value optimized out>)
    at /opt/php-5.3.3/Zend/zend_hash.c:497
#9  0x00000000006c3719 in _zend_list_delete (id=<value optimized out>)
    at /opt/php-5.3.3/Zend/zend_list.c:58
#10 0x00000000005fbd88 in zif_fclose (ht=<value optimized out>,
    return_value=0x1409228, return_value_ptr=<value optimized out>,
    this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /opt/php-5.3.3/ext/standard/file.c:928
#11 0x0000000000704cce in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7f029f9ce050) at /opt/php-5.3.3/Zend/zend_vm_execute.h:316
#12 0x00000000006e0589 in execute (op_array=0x14067c8)
    at /opt/php-5.3.3/Zend/zend_vm_execute.h:107
#13 0x00000000006b349b in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /opt/php-5.3.3/Zend/zend.c:1194
#14 0x000000000065e5e8 in php_execute_script (primary_file=0x7fff04d51350)
    at /opt/php-5.3.3/main/main.c:2260
#15 0x0000000000740717 in main (argc=1, argv=0x7fff04d515b8)
    at /opt/php-5.3.3/sapi/cli/php_cli.c:1192
 [2010-09-28 21:59 UTC] cataphract@php.net
-Status: Open +Status: Verified
 [2010-09-28 22:10 UTC] cataphract@php.net
Valgrind log for trunk:

http://nebm.ist.utl.pt/~glopes/valgrind-52944.log
 [2010-09-29 03:54 UTC] cataphract@php.net
The following patch has been added/updated:

Patch Name: zlib_filter_segfault_fix
Revision:   1285725279
URL:        http://bugs.php.net/patch-display.php?bug=52944&patch=zlib_filter_segfault_fix&revision=1285725279
 [2010-09-29 03:56 UTC] cataphract@php.net
-Status: Verified +Status: Analyzed
 [2010-09-29 03:56 UTC] cataphract@php.net
Fixed in the attached patch, which also includes a test.
 [2010-09-29 20:59 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=303878
Log: - Fixed bug #52944 (Invalid write on second and subsequent reads with an inflate filter fed invalid data).
 [2010-09-29 20:59 UTC] cataphract@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: cataphract
 [2010-09-29 20:59 UTC] cataphract@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 07:01:30 2024 UTC