Bug #81294 Segfault when removing a filter
Submitted: 2021-07-25 19:13 UTC Modified: 2021-07-26 11:59 UTC
From: ivo dot andonov at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Streams related
PHP Version: 7.4 OS: Linux / Windows
Private report: No CVE-ID: None
 [2021-07-25 19:13 UTC] ivo dot andonov at gmail dot com
Description:
------------
This one seems to be sourced back since quite some time (at least from 5.6.30 till 8.0.8). Right now I do not have the time for posting too many details but it should be pretty clear to understand by looking at streams/filter.c, function _php_stream_filter_flush, then the loop with current = filter and then referencing filter->fops->filter() instead of current->fops->filter().



Test script:
---------------
class some_user_filter {
...
}
stream_filter_register("some.filter", "some_user_filter");
$f = fopen("test", "wb");
$flt1 = stream_filter_append($f, "zlib.deflate", STREAM_FILTER_WRITE);
$flt2 = stream_filter_append($f, "some.filter", STREAM_FILTER_WRITE);
fwrite($f, "test");
stream_filter_remove($flt1); // this line will fail and at the end of the script a segfault / or MS Don't send / access violation
fwrite($f, "test");



 [2021-07-25 20:21 UTC] requinix@php.net
-Status: Open +Status: Verified
 [2021-07-25 20:21 UTC] requinix@php.net
https://github.com/php/php-src/blob/PHP-8.0.8/main/streams/filter.c#L419

Given that the definition of fops->filter is

php_stream_filter_status_t (*filter)(
  php_stream *stream,
  php_stream_filter *thisfilter,
  php_stream_bucket_brigade *buckets_in,
  php_stream_bucket_brigade *buckets_out,
  size_t *bytes_consumed,
  int flags
 );

it does seem odd to call with "thisfilter" as something different.
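
Added example (not part of the original report or comments, and not php-src code): a simplified C model of the dispatch pattern discussed above, where the flush loop takes the callback from the first filter but passes each later filter as "thisfilter". All struct and function names are hypothetical, and the callbacks report a mismatch instead of dereferencing foreign state.

```c
#include <stdio.h>

/* Simplified model of a stream filter chain; all names here are hypothetical. */
struct filter;
struct filter_ops {
    int (*filter)(struct filter *thisfilter);   /* returns 1 on state mismatch */
};
struct filter {
    const struct filter_ops *fops;
    void *abstract;                 /* per-filter private state */
    struct filter *next;
};

/* A callback normally interprets thisfilter->abstract as its own state type.
 * In this model it checks ownership first and reports instead of crashing. */
static int deflate_cb(struct filter *thisfilter);
static int user_cb(struct filter *thisfilter);
static const struct filter_ops deflate_ops = { deflate_cb };
static const struct filter_ops user_ops = { user_cb };

static int deflate_cb(struct filter *t) { return t->fops != &deflate_ops; }
static int user_cb(struct filter *t) { return t->fops != &user_ops; }

/* Pattern from the report: callback taken from the first filter of the walk. */
static int flush_buggy(struct filter *filter) {
    int confused = 0;
    for (struct filter *current = filter; current; current = current->next)
        confused += filter->fops->filter(current);
    return confused;
}

/* Corrected dispatch: each filter's own callback receives its own state. */
static int flush_fixed(struct filter *filter) {
    int confused = 0;
    for (struct filter *current = filter; current; current = current->next)
        confused += current->fops->filter(current);
    return confused;
}

/* Constructed chain mirroring the test script: deflate first, user filter second. */
static int run(int use_fixed) {
    struct filter user = { &user_ops, NULL, NULL };
    struct filter deflate = { &deflate_ops, NULL, &user };
    return use_fixed ? flush_fixed(&deflate) : flush_buggy(&deflate);
}

int main(void) {
    printf("buggy: %d, fixed: %d mismatched call(s)\n", run(0), run(1));
    return 0;
}
```

With a single filter in the chain both loops behave identically, so the mismatch only shows up when a flush starts at a filter that has a different kind of filter after it.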
 [2021-07-26 11:58 UTC] cmb@php.net
-PHP Version: 8.0.8 +PHP Version: 7.4 -Assigned To: +Assigned To: cmb
 [2021-07-26 11:59 UTC] cmb@php.net
-Package: Filter related +Package: Streams related
 [2021-07-26 11:59 UTC] cmb@php.net
Changing to "Streams related", since "Filter related" is often
misused for ext/filter.
 [2021-07-26 12:13 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #81294: Segfault when removing a filter
On GitHub:  https://github.com/php/php-src/pull/7308
Patch:      https://github.com/php/php-src/pull/7308.patch
 [2021-07-27 10:17 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/1fa26eccbaec3dc6ce645db144f08f46b63c1d59
Log: Fix #81294: Segfault when removing a filter
 [2021-07-27 10:17 UTC] git@php.net
-Status: Verified +Status: Closed
 
Last updated: Sat Dec 21 18:01:29 2024 UTC