Bug #75391 Crash / segmentation fault after fetching 4 files
Submitted: 2017-10-16 20:54 UTC
Modified: 2017-10-17 18:53 UTC
From: cweiske@php.net
Assigned: cweiske
Status: Closed
Package: Built-in web server
PHP Version: 7.1.10
OS: Ubuntu 14.04
Private report: No
CVE-ID: None
 [2017-10-16 20:54 UTC] cweiske@php.net
Description:
------------
I reproducibly get a segmentation fault after fetching 4 URLs from the built-in webserver.

This is with PHP 7.1.10-1+ubuntu14.04.1+deb.sury.org+1 (cli) (built: Sep 29 2017 17:33:22) ( NTS )

Test script:
---------------
The files and the script to fetch them are here: https://github.com/cweiske/php-crash

Fetch files:
$ curl localhost:8002/randomizer.php
$ curl localhost:8002/links.html
$ curl -L localhost:8002/redirector.php
$ curl localhost:8002/links.html

- links.html is an empty file
- randomizer contains: <?php echo rand() ?>
- redirector.php contains: <?php header('location: links.html'); ?>

Expected result:
----------------
No crash.

Actual result:
--------------
[Mon Oct 16 22:50:14 2017] ::1:52228 [200]: /randomizer.php
[Mon Oct 16 22:50:14 2017] ::1:52229 [200]: /links.html
[Mon Oct 16 22:50:14 2017] ::1:52230 [302]: /redirector.php
[Mon Oct 16 22:50:14 2017] ::1:52231 [200]: /links.html

Program received signal SIGSEGV, Segmentation fault.
0x00005555557ca80b in zend_hash_str_find_bucket (h=10942615419019873312, len=13, str=0x55555585ce29 "Europe/Berlin", ht=0x7ffff5c041f8)
    at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c:504
504	/build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c: Datei oder Verzeichnis nicht gefunden.

(gdb) bt full
#0  0x00005555557ca80b in zend_hash_str_find_bucket (h=10942615419019873312, len=13, str=0x55555585ce29 "Europe/Berlin", ht=0x7ffff5c041f8)
    at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c:504
        nIndex = 1147437055
        idx = <optimized out>
        p = <optimized out>
        arData = 0x7ffff5c0e520
#1  zend_hash_str_find (ht=ht@entry=0x7ffff5c041f8, str=str@entry=0x55555585ce29 "Europe/Berlin", len=13) at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c:1970
No locals.
#2  0x0000555555642c67 in zend_hash_str_find_ptr (len=<optimized out>, str=0x55555585ce29 "Europe/Berlin", ht=0x7ffff5c041f8)
    at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.h:748
        zv = <optimized out>
#3  php_date_parse_tzfile (formal_tzname=0x55555585ce29 "Europe/Berlin", tzdb=0x555555e80150) at /build/php7.1-qveBs0/php7.1-7.1.10/ext/date/php_date.c:944
No locals.
#4  0x0000555555644bf4 in get_timezone_info () at /build/php7.1-qveBs0/php7.1-7.1.10/ext/date/php_date.c:1040
        tzi = <optimized out>
#5  0x0000555555646c1d in php_format_date (format=format@entry=0x5555558b2d27 "r", format_len=format_len@entry=1, ts=1508187014, localtime=localtime@entry=1)
    at /build/php7.1-qveBs0/php7.1-7.1.10/ext/date/php_date.c:1293
        t = 0x7ffff5c01100
        tzi = <optimized out>
        string = <optimized out>
#6  0x000055555585552b in append_essential_headers (buffer=buffer@entry=0x7fffffffcf60, client=client@entry=0x555555e016e0, persistent=persistent@entry=1)
    at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:357
        dt = <optimized out>
        tv = {tv_sec = 1508187014, tv_usec = 128072}
#7  0x000055555585813f in php_cli_server_begin_send_static (client=0x555555e016e0, server=0x555555bab840 <server>)
    at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2070
        chunk = 0x44647fff
        buffer = {s = 0x555555e83af0, a = 231}
        mime_type = 0x555555893b27 "text/html"
        fd = <optimized out>
        status = 200
#8  php_cli_server_dispatch (client=0x555555e016e0, server=0x555555bab840 <server>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2211
        is_static_file = <optimized out>
#9  php_cli_server_recv_event_read_request (server=0x555555bab840 <server>, client=0x555555e016e0) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2400
        errstr = 0x0
        status = <optimized out>
#10 0x0000555555858829 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7fffffffd0a0, fd=fd@entry=6, event=event@entry=1)
    at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2485
        params = 0x7fffffffd0a0
        server = 0x555555bab840 <server>
#11 0x00005555558597f7 in php_cli_server_poller_iter_on_active (poller=0x555555bab848 <server+8>, callback=0x555555858750 <php_cli_server_do_event_for_each_fd_callback>, 
    opaque=0x7fffffffd0a0) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:844
        fd = 6
        max_fd = 6
#12 php_cli_server_do_event_for_each_fd (whandler=0x5555558567a0 <php_cli_server_send_event>, rhandler=0x555555857e40 <php_cli_server_recv_event_read_request>, 
    server=0x555555bab840 <server>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2503
        params = {server = 0x555555bab840 <server>, rhandler = 0x555555857e40 <php_cli_server_recv_event_read_request>, whandler = 0x5555558567a0 <php_cli_server_send_event>}
#13 php_cli_server_do_event_loop (server=0x555555bab840 <server>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2513
        tv = {tv_sec = 0, tv_usec = 999978}
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2615
        php_optarg = 0x555555bb5050 "/home/cweiske/Dev/php.net/php-webserver-crash"
        php_optind = 5
        c = <optimized out>
        server_bind_address = <optimized out>
        document_root = <optimized out>
        router = 0x0
        document_root_buf = "/home/cweiske/Dev/php.net/php-webserver-crash", '\000' <repeats 667 times>...
#15 0x000055555563df64 in main (argc=5, argv=0x555555bb4f90) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli.c:1384
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -8053096010305461771, 140737488347700, 0, 0, 93824998793504, -8053096010293927435, -4221857602584403467}, __mask_was_saved = 0, 
            __saved_mask = {__val = {140737322714016, 140737324882848, 140737354125408, 140737354127720, 140737333497888, 0, 140737488348248, 140737354129864, 0, 5, 
                140737351948023, 1, 0, 140737354129864, 140737324951216, 1}}}}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x555555bb5050 "/home/cweiske/Dev/php.net/php-webserver-crash"
        php_optind = 5
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x0
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>


History

 [2017-10-17 04:10 UTC] laruence@php.net
I cannot reproduce this; you may try with the latest src in the GitHub repo,

and you could also try to run with valgrind...
 [2017-10-17 18:53 UTC] cweiske@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cweiske
 [2017-10-17 18:53 UTC] cweiske@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 