Bug #55121 Segfault with multipart/form-data POST / 404 request
Submitted: 2011-07-03 14:35 UTC Modified: 2011-12-23 06:22 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: nbpoole@php.net Assigned: laruence (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.4SVN-2011-07-03 (snap) OS: Ubuntu 10.04.2 LTS (64-bit)
Private report: No CVE-ID: None
 [2011-07-03 14:35 UTC] nbpoole@php.net
Description:
------------
The built-in webserver repeatably segfaults for me when I send the following requests (in this order):

1. A multipart/form-data POST request
2. A GET request for a non-existent file

Test script:
---------------
Create an empty (0 byte) PHP file named file.php. Start the webserver from that file's directory. Then run the following commands:

curl --form a=b http://127.0.0.1:8000/file.php
curl http://127.0.0.1:8000/does_not_exist

Expected result:
----------------
Requests should be returned by the server without segfaulting.

Actual result:
--------------
After the second request has been made, I receive a segfault:

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  _zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
#1  0x00000000006272f1 in destroy_uploaded_files_hash () at /home/nbpoole/php/php5.4-201107031630/main/rfc1867.c:199
#2  0x0000000000625585 in sapi_deactivate () at /home/nbpoole/php/php5.4-201107031630/main/SAPI.c:533
#3  0x000000000071fe81 in php_cli_server_send_error_page (server=<value optimized out>, client=<value optimized out>, status=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1524
#4  0x00000000007207c9 in php_cli_server_begin_send_static (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1635
#5  php_cli_server_dispatch (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1747
#6  php_cli_server_recv_event_read_request (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1890
#7  0x00000000007211ea in php_cli_server_do_event_for_each_fd_callback (_params=<value optimized out>, fd=<value optimized out>, event=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1976
#8  0x000000000072185a in php_cli_server_poller_iter_on_active (argc=<value optimized out>, argv=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:670
#9  php_cli_server_do_event_for_each_fd (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2002
#10 php_cli_server_do_event_loop (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2012
#11 do_cli_server (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2097
#12 0x000000000071a33e in main (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli.c:1359


Patches

fix-segfault-wit-multipart-form-data-POST-and-404-request (last revision 2011-12-09 02:52 UTC by reeze dot xia at gmail dot com)

Pull Requests

History

 [2011-07-05 14:33 UTC] sixd@php.net
-Assigned To: +Assigned To: moriyoshi
 [2011-07-20 06:50 UTC] fa@php.net
Just tried this on Debian testing and 5_4-HEAD and can't reproduce it.

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl  "http://localhost:8000/file2.php"

[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Request read
[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Response sent successfully (200)
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Request read
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - No such file or directory
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Sending error page (404)
 [2011-07-20 11:21 UTC] nbpoole@php.net
Hmm, previous test-case is no longer working for me either.

Try the following:

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl  "http://localhost:8000/file2.php"
$ curl  "http://localhost:8000/file2.php"
$ curl --form a=b  "http://localhost:8000/file.php"

It results in a different segfault.


Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
1906				heap->cache[index] = best_fit->prev_free_block;
(gdb) bt
#0  _zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
#1  0x082a79f0 in _ecalloc (nmemb=1, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:2556
#2  0x08275fc5 in multipart_buffer_new (content_type_dup=<value optimized out>, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:283
#3  rfc1867_post_handler (content_type_dup=<value optimized out>, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:749
#4  0x08273b46 in sapi_handle_post (arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/SAPI.c:182
#5  0x0827a628 in php_default_treat_data (arg=0, str=0x0, destArray=0x0) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:330
#6  0x082792aa in php_auto_globals_create_post (name=0xb7ea9bf4 "_POST", name_len=5) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:690
#7  0x082a7d45 in zend_auto_global_init (auto_global=0x86524b8) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6233
#8  0x082d564f in zend_hash_apply (ht=0x8649478, apply_func=0x82a7d20 <zend_auto_global_init>) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_hash.c:716
#9  0x082b523b in zend_activate_auto_globals () at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6243
#10 0x0827a7df in php_hash_environment () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:650
#11 0x0826ba5d in php_request_startup () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/main.c:1493
#12 0x0836e610 in php_cli_server_dispatch_script (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1599
#13 0x0836e8f5 in php_cli_server_dispatch (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1755
#14 php_cli_server_recv_event_read_request (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1924
#15 0x0836f0ff in php_cli_server_do_event_for_each_fd_callback (_params=0xbfffe15c, fd=6, event=1) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2015
#16 0x0836fbd7 in php_cli_server_poller_iter_on_active (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:671
#17 php_cli_server_do_event_for_each_fd (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2036
#18 php_cli_server_do_event_loop (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2046
#19 do_cli_server (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2147
#20 0x08368143 in main (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli.c:1359

This was done with the latest 5.4 from snaps.
 [2011-07-20 13:09 UTC] fa@php.net
I think the culprit lies in php_cli_server_client_populate_request_info
in the line
request_info->content_type = *val;
which doesn't terminate correctly at ; and reads
multipart/form-data; boundary=----------------------------c1e04e412bff
instead of
multipart/form-data;
 [2011-07-20 13:41 UTC] nbpoole@php.net
A similar segfault on OS X 10.6.7 can be caused using the original steps to reproduce:

$ curl --form a=b http://127.0.0.1:8000/file.php
$ curl http://127.0.0.1:8000/does_not_exist


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000002011b0b30
0x000000010024a3b5 in _zend_mm_free_int (heap=0x101000000, p=0x1006651e0) at zend_alloc.c:2097
2097		heap->size -= size;
(gdb) bt
#0  0x000000010024a3b5 in _zend_mm_free_int (heap=0x101000000, p=0x1006651e0) at zend_alloc.c:2097
#1  0x000000010021e6af in destroy_uploaded_files_hash () at rfc1867.c:199
#2  0x000000010021b252 in sapi_deactivate () at SAPI.c:535
#3  0x00000001002fd61e in php_cli_server_send_error_page (server=0x7fff5fbfa730, client=0x100b4e6f0, status=404) at php_cli_server.c:1525
#4  0x00000001002fb31e in php_cli_server_dispatch [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:1636
#5  0x00000001002fb31e in php_cli_server_recv_event_read_request (server=0x7fff5fbfe970, client=0x1006651e0) at php_cli_server.c:1924
#6  0x00000001002fcae5 in php_cli_server_do_event_for_each_fd_callback [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2010
#7  0x00000001002fcae5 in php_cli_server_do_event_for_each_fd [inlined] () at php_cli_server.c:671
#8  0x00000001002fcae5 in php_cli_server_poller_iter_on_active [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2046
#9  0x00000001002fcae5 in php_cli_server_do_event_loop [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2036
#10 0x00000001002fcae5 in do_cli_server (argc=4, argv=0x10) at php_cli_server.c:2147
#11 0x00000001002f6aa4 in main (argc=1606415328, argv=0x7fff5fbff400) at php_cli.c:1359
 [2011-07-25 16:45 UTC] fa@php.net
Automatic comment from SVN on behalf of fa
Revision: http://svn.php.net/viewvc/?view=revision&revision=313677
Log: Fix #55121 Segfault with multipart/form-data POST
 [2011-07-25 16:47 UTC] fa@php.net
-Status: Assigned +Status: Feedback
 [2011-07-25 16:47 UTC] fa@php.net
Could you please try if this fix works on OS X as well?
Tested on debian stable.
 [2011-07-25 18:11 UTC] nbpoole@php.net
Tested latest snapshot on OS X. Same backtrace.
 [2011-07-25 20:18 UTC] nbpoole@php.net
OK. I retested again just now with the latest snapshot on both OS X and Ubuntu. No segfaults anymore.
 [2011-07-26 16:12 UTC] fa@php.net
-Status: Feedback +Status: Closed -Assigned To: moriyoshi +Assigned To: fa
 [2011-07-26 16:12 UTC] fa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-08-19 08:29 UTC] laruence@php.net
-Status: Closed +Status: Re-Opened
 [2011-08-19 08:29 UTC] laruence@php.net
This caused #55450, needs to be redone.
btw: I can't reproduce this on Red Hat Linux 64-bit
 [2011-08-19 08:30 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=315162
Log: Fixed #55450 (Built in web server not accepting file uploads), which might break #55121 fixing(r313677)
Reopened #55121 to let somebody redone the fixing(as I can't reproduce 55121 in redhat 64-bit).
 [2011-12-09 02:50 UTC] reeze dot xia at gmail dot com
Hi, 5.4RC3 and trunk still have this bug.
After tracing the core, I found that SG(rfc1867_uploaded_files) wasn't set to NULL after SAPI deactivation.
When trying to free the HashTable, PHP core dumped on the next form-data POST request.
So it's a one-fix.
I have attached a patch for this; the patch was tested on Mac OS X 10.6.7 & Red Hat Linux.
 [2011-12-09 03:07 UTC] reeze dot xia at gmail dot com
To make it clear, the way to reproduce the core dump is:

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl --form a=b  "http://localhost:8000/file-non-exist.php"

If the --enable-debug flag is enabled, the cli-server will exit with a message "in consist hashtable"; normally it simply core dumps.
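A minimal model of the failure mode described in the two comments above, written as an added example and not taken from PHP's source: a per-request table is destroyed in the deactivate path but its global pointer is left dangling, so the next deactivate (the 404 error-page path in the backtraces) destroys it again. The names `uploaded_files_ht`, `sapi_globals`, `deactivate_buggy`, `deactivate_fixed` and `replay` are hypothetical stand-ins; a fixed-size pool replaces the real allocator so the double destroy is counted instead of corrupting the heap.

```c
#include <stddef.h>

/* Stand-in for the per-request uploaded-files HashTable (hypothetical type). */
typedef struct { int live; int entries; } uploaded_files_ht;
/* Stand-in for SG(): only the field this bug is about. */
typedef struct { uploaded_files_ht *rfc1867_uploaded_files; } sapi_globals;

/* Pool instead of malloc/free: a destroy on a dead table is counted here,
   where a real allocator would corrupt its free list (see the gdb traces). */
static uploaded_files_ht pool[8];
static int pool_next;
static int double_destroys;

static uploaded_files_ht *ht_new(void) {
    uploaded_files_ht *ht = &pool[pool_next++ % 8];
    ht->live = 1;
    ht->entries = 0;
    return ht;
}

static void ht_destroy(uploaded_files_ht *ht) {
    if (!ht->live) { double_destroys++; return; } /* second free of same block */
    ht->live = 0;
}

/* Multipart POST: the rfc1867 handler creates the table for this request. */
static void multipart_post(sapi_globals *sg) {
    sg->rfc1867_uploaded_files = ht_new();
    sg->rfc1867_uploaded_files->entries = 1;   /* the "a=b" form field */
}

/* Buggy deactivate: destroys the table but leaves the pointer dangling. */
static void deactivate_buggy(sapi_globals *sg) {
    if (sg->rfc1867_uploaded_files) ht_destroy(sg->rfc1867_uploaded_files);
}

/* Fixed deactivate: destroy, then clear, so a repeated deactivate is a no-op. */
static void deactivate_fixed(sapi_globals *sg) {
    if (sg->rfc1867_uploaded_files) {
        ht_destroy(sg->rfc1867_uploaded_files);
        sg->rfc1867_uploaded_files = NULL;
    }
}

/* Replays the report: POST /file.php, then a request whose error-page path
   calls deactivate again. Returns how many double destroys were observed. */
static int replay(void (*deactivate)(sapi_globals *)) {
    sapi_globals sg = { NULL };
    double_destroys = 0;
    multipart_post(&sg);   /* request 1: multipart/form-data POST */
    deactivate(&sg);       /* end of request 1 */
    deactivate(&sg);       /* request 2: 404 -> send_error_page -> deactivate */
    return double_destroys;
}
```

With the buggy deactivate `replay` reports one double destroy; with the fixed one it reports none, which is the difference the attached patch makes.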
 [2011-12-09 03:29 UTC] laruence@php.net
-Status: Re-Opened +Status: Closed
 [2011-12-09 03:29 UTC] laruence@php.net
Hi, this is a closed bug, and your problem is another issue. Could you please open a new bug instead of reopening a closed one?

thanks
 [2011-12-09 03:31 UTC] laruence@php.net
-Status: Closed +Status: Re-Opened
 [2011-12-09 03:31 UTC] laruence@php.net
ah, sorry, my mistake, assumed the wrong one :)
 [2011-12-09 03:50 UTC] reeze dot xia at gmail dot com
haha, got your idea, I will open a new one.
This bug is indeed different from the one I updated :-)
 [2011-12-09 04:02 UTC] laruence@php.net
-Assigned To: fa +Assigned To: laruence
 [2011-12-09 05:40 UTC] laruence@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.4-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2011-12-09 05:40 UTC] laruence@php.net
-Status: Re-Opened +Status: Feedback
 [2011-12-23 06:22 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2011-12-23 06:22 UTC] laruence@php.net
fixed
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7790c4d975084cf99a6cbd0cc6308caf8c2232b7
Log: Fixed #55450 (Built in web server not accepting file uploads), which might break #55121 fixing(r313677) Reopened #55121 to let somebody redone the fixing(as I can't reproduce 55121 in redhat 64-bit).
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of fa
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a06539a10d1ca6f83804115ce34b27b25ea77b8a
Log: Fix #55121 Segfault with multipart/form-data POST
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Apr 29 11:01:28 2025 UTC