php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #58054 Segmentation Fault when using id3_get_tag()
Submitted: 2008-02-22 04:38 UTC Modified: 2017-07-24 21:48 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: charno at charno dot ch Assigned:
Status: Duplicate Package: id3 (PECL)
PHP Version: 5.1.4 OS: Debian Linux Sarge (3.1)
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: charno at charno dot ch
New email:
PHP Version: OS:

 

 [2008-02-22 04:38 UTC] charno at charno dot ch 
Description:
------------
Hi,

I get a SegFault everytime I read Tags from MP3 Files. It's definitively this function, have a look at the example script!

First I tought, that it maybe could be because of the memory_limit when parsing the mp3's, but the error raises with a memory limit and just one parsed file, too.



Reproduce code:
---------------
<?php
        $id3 = id3_get_tag("./mp3/test.mp3");
?>

Expected result:
----------------
The $id3-Variable should be an array of id3-tags
(I'm not the Developer of the PHP-Application, just the Server Admin. So it's possible that I'm wrong with this!)

Actual result:
--------------
Here I have a backtrace, without Debugging Symbols. Is it sufficient to recompile just the Module with debugging-symbols to get them in the backtrace?

#2832 0x7273752f in ?? ()
#2833 0x6e69622f in ?? ()
#2834 0x7068702f in ?? ()
#2835 0x00312e35 in ?? ()
#2836 0x00000000 in ?? ()

Patches

id3_segfault (last revision 2012-05-10 17:13 UTC by mls at o2 dot pl)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-22 04:43 UTC] charno at charno dot ch 
Just forgot to specify the New Memory Limit: It's at 64M
 [2012-12-29 16:33 UTC] matt at majenko dot co dot uk 
Still getting the problem even with the patch.  Backtrace shows "len" of _php_strnoffcpy is garbled:

Program received signal SIGSEGV, Segmentation fault.
_php_strnoffcpy (dest=0xb6f70024 "", src=0xb76f1024 "UFID", offset=480, len=7667827) at /home/matt/id3/id3-0.2/id3.c:974
974			dest[i] = src[offset + i];
(gdb) bt
#0  _php_strnoffcpy (dest=0xb6f70024 "", src=0xb76f1024 "UFID", offset=480, len=7667827) at /home/matt/id3/id3-0.2/id3.c:974
#1  0x00ff1f12 in _php_id3v2_get_tag (stream=0x89a7c00, return_value=0x89a0ef4, version=28) at /home/matt/id3/id3-0.2/id3.c:694
#2  0x00ff21fd in zif_id3_get_tag (ht=1, return_value=0x89a0ef4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/matt/id3/id3-0.2/id3.c:345
#3  0x0839866a in ?? ()
#4  0x083434ee in execute ()
#5  0x0831c239 in zend_execute_scripts ()
#6  0x082c2e1e in php_execute_script ()
#7  0x0806b47f in ?? ()
#8  0x0070f113 in __libc_start_main (main=0x8069c00, argc=2, ubp_av=0xbffff984, init=0x83b9850 <__libc_csu_init>, fini=0x83b98c0 <__libc_csu_fini>, 
    rtld_fini=0x11eba0, stack_end=0xbffff97c) at libc-start.c:226
#9  0x0806b521 in _start ()
 [2012-12-29 17:21 UTC] matt at majenko dot co dot uk 
_php_bigEndian_to_Int takes a signed char * as the first parameter.  This causes problems when the MSB of a byte is set (and not synchsafe, as in 2.3) as it causes the values to be miscalculated and huge sizes to be returned.

This is bad.

Changing the "char *" to "unsigned char *" fixes that part of the problem.  However, values don't seem to be being returned quite right (rogue characters or missing characters in strings).
 [2012-12-29 20:05 UTC] matt at majenko dot co dot uk 
The rogue characters were just the UTF-16 BOM, so not a problem.  However, the UFID frame of 2.3 is decoded incorrectly and the first character of the content is lost.  _php_strnoffcpy in _php_id3v2_parseUFIDFrame copies from offset 1 - it should (for 2.3 at least) be offset 0 - it may need a special case for different versions.
 [2015-07-26 18:12 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2015-07-26 18:12 UTC] cmb@php.net 
This may be a duplicate of bug #56848.

Anyhow, the id3 extension is unmaintained (no release for more
than 10 years). I'm suspending this report until a new maintainer
is found.
 [2017-07-24 21:48 UTC] kalle@php.net
-Status: Suspended +Status: Duplicate
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Nov 04 04:00:01 2025 UTC