Bug #59671 Use of apc file upload progress causes segfault when used with ssl pages
Submitted: 2011-03-16 11:57 UTC
Modified: 2011-03-18 09:05 UTC
From: j dot ewing at talk21 dot com
Assigned:
Status: Closed
Package: APC (PECL)
PHP Version: 5.3.5
OS: Cent OS 5.5
Private report: No
CVE-ID: None
 [2011-03-16 11:57 UTC] j dot ewing at talk21 dot com
Description:
------------
Apache 2.2.16
"./configure" \
"--enable-ssl" \
"--enable-so" \
"--enable-rewrite=shared" \
"--enable-expires=shared" \
"--enable-deflate=shared" \
"--enable-vhost-alias=shared" \
"$@"

PHP 5.3.5
'./configure' \
'--with-mysql' \
'--with-mysqli=mysqlnd' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--with-curl' \
'--enable-mbstring' \
'--with-mcrypt' \
'--with-zlib' \
'--with-gd' \
'--with-jpeg-dir=/usr/lib/' \
'--with-png-dir=/usr/lib' \
'--with-imap' \
'--with-imap-ssl' \
'--with-kerberos' \

APC version 3.1.6 via pecl

php.ini
apc.enabled=1
apc.shm_segments=1
apc.optimization=0
apc.shm_size=32M
apc.ttl=7200
apc.user_ttl=7200
apc.num_files_hint=1024
apc.mmap_file_mask=/tmp/apc.XXXXXX
apc.enable_cli=1
apc.rfc1867=1
apc.rfc1867_freq=50%





Reproduce code:
---------------
Submitting the following form works correctly as an HTTP request. Sending the same page via HTTPS results in a segfault.
Removing the APC_UPLOAD_PROGRESS input allows the upload to succeed.

<?php

$up_id = uniqid(); 

?>
<html>
<head><title></title></head>
<body>
<form method="post" action="upload.php" enctype="multipart/form-data" name="form1" id="form1">

<input type="hidden" name="MAX_FILE_SIZE" VALUE="3000000">
   <input type="hidden" name="APC_UPLOAD_PROGRESS" id="progress_key" value="<?php echo $up_id; ?>"> 

<input name="file" type="file" id="file" size="30">
<input type="submit" value="upload">
</form>
</body>
</html>

Expected result:
----------------
File is uploaded.

Actual result:
--------------
Request results in apache segfault


[Wed Mar 16 15:48:43 2011] [notice] child pid 10104 exit signal Segmentation fault (11)


 [2011-03-16 11:59 UTC] pierre dot php at gmail dot com
Please try using either 3.1.7 or a svn version (trunk)
 [2011-03-18 09:04 UTC] j dot ewing at talk21 dot com
The 3.1.7 version appears to have fixed this issue.
Any news on when 3.1.7 will become the stable release?

In testing I have found that this bug doesn't affect php 5.3.3 and apc 3.1.6, but will crash on 5.3.5 and 3.1.6

backtrace from 3.1.6

Program received signal SIGSEGV, Segmentation fault.
0x0125a7d3 in add_assoc_string_ex (arg=0x8a74890, key=0x362e0d "temp_filename", key_len=14, str=0x0, duplicate=1)
    at /home/files/software/php-5.3.5-debug/Zend/zend_API.c:1173
1173            ZVAL_STRING(tmp, str, duplicate);
(gdb) bt
#0  0x0125a7d3 in add_assoc_string_ex (arg=0x8a74890, key=0x362e0d "temp_filename", key_len=14, str=0x0, duplicate=1)
    at /home/files/software/php-5.3.5-debug/Zend/zend_API.c:1173
#1  0x0035a7e1 in apc_rfc1867_progress (event=4, event_data=0xbfffc330, extra=0xbfffc3ac) at /tmp/pear/temp/APC/apc_rfc1867.c:189
#2  0x011f7fa2 in rfc1867_post_handler (content_type_dup=0x8a7059c "multipart/form-data; boundary=----WebKitFormBoundaryQloNt4gdBPNXesVa", arg=0x8a7235c)
    at /home/files/software/php-5.3.5-debug/main/rfc1867.c:1137
#3  0x011f335c in sapi_handle_post (arg=0x8a7235c) at /home/files/software/php-5.3.5-debug/main/SAPI.c:121
#4  0x011fad54 in php_default_treat_data (arg=0, str=0x0, destArray=0x0) at /home/files/software/php-5.3.5-debug/main/php_variables.c:334
#5  0x0102c03e in mbstr_treat_data (arg=0, str=0x0, destArray=0x0) at /home/files/software/php-5.3.5-debug/ext/mbstring/mb_gpc.c:68
#6  0x011fbec5 in php_hash_environment () at /home/files/software/php-5.3.5-debug/main/php_variables.c:684
#7  0x011e9f42 in php_request_startup () at /home/files/software/php-5.3.5-debug/main/main.c:1440
#8  0x0131f905 in php_apache_request_ctor (r=0x8ac8730, ctx=0x8ab6f50) at /home/files/software/php-5.3.5-debug/sapi/apache2handler/sapi_apache2.c:504
#9  0x0131fec6 in php_handler (r=0x8ac8730) at /home/files/software/php-5.3.5-debug/sapi/apache2handler/sapi_apache2.c:620
#10 0x0807c3f9 in ap_run_handler (r=0x8ac8730) at config.c:157
#11 0x0807f57e in ap_invoke_handler (r=0x8ac8730) at config.c:376
#12 0x080aa8d8 in ap_process_request (r=0x8ac8730) at http_request.c:282
#13 0x080a7abb in ap_process_http_connection (c=0x8aa7a20) at http_core.c:190
#14 0x08083539 in ap_run_process_connection (c=0x8aa7a20) at connection.c:43
#15 0x080be38d in child_main (child_num_arg=<value optimized out>) at prefork.c:662
#16 0x080be5d3 in make_child (s=0x80f7e58, slot=0) at prefork.c:702
#17 0x080bf3ac in ap_mpm_run (_pconf=0x80f0550, plog=0x812e648, s=0x80f7e58) at prefork.c:978
#18 0x08069cb5 in main (argc=135193928, argv=0x8aa5840) at main.c:740
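
Added example, not part of the report and not APC's or PHP's code: frames #0 and #1 above show a NULL `str` for the "temp_filename" key reaching ZVAL_STRING, which calls strlen() on it. The sketch below reproduces that shape with hypothetical names (`entry`, `file_end_event`, `add_string_unchecked`, `add_string_checked`, `on_file_end`) and shows a caller-side NULL guard; the sample path is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one string entry of the progress array (not a Zend zval). */
struct entry { const char *key; char *val; size_t len; };

/* Hypothetical event data: temp_filename is NULL when no temp file name is set. */
struct file_end_event { const char *temp_filename; };

/* Same shape as ZVAL_STRING(tmp, str, 1): strlen() then copy, with no NULL check.
 * Calling it with str == NULL is undefined behaviour (the SIGSEGV in frame #0). */
static int add_string_unchecked(struct entry *e, const char *key, const char *str)
{
    e->key = key;
    e->len = strlen(str);
    e->val = malloc(e->len + 1);
    if (e->val == NULL)
        return -1;
    memcpy(e->val, str, e->len + 1);
    return 1;
}

/* Guarded caller: records the key with no value when the pointer is NULL.
 * Returns 1 if a string was stored, 0 if skipped, -1 on allocation failure. */
static int add_string_checked(struct entry *e, const char *key, const char *str)
{
    if (str == NULL) {
        e->key = key;
        e->val = NULL;
        e->len = 0;
        return 0;
    }
    return add_string_unchecked(e, key, str);
}

/* Handler for the event that carries temp_filename (the role of frame #1). */
static int on_file_end(struct entry *out, const struct file_end_event *ev)
{
    return add_string_checked(out, "temp_filename", ev->temp_filename);
}

int main(void)
{
    struct entry e;
    struct file_end_event ev = { NULL };      /* constructed: no temp filename */
    int rc = on_file_end(&e, &ev);
    printf("NULL temp_filename -> rc=%d\n", rc);
    ev.temp_filename = "/tmp/phpA1b2C3";      /* constructed sample path */
    rc = on_file_end(&e, &ev);
    printf("set temp_filename  -> rc=%d val=%s\n", rc, e.val);
    free(e.val);
    return 0;
}
```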
 [2011-03-18 09:05 UTC] pierre dot php at gmail dot com
3.1.8 should be released soonish