php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #11998 Crash on multipart file form upload
Submitted: 2001-07-10 02:21 UTC Modified: 2001-10-02 09:32 UTC
From: me at philth dot net dot nz Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.0CVS-2001-07-10 OS: FreeBSD 4.2-STABLE
Private report: No CVE-ID: None
 [2001-07-10 02:21 UTC] me at philth dot net dot nz
Crashes (signal 11) on file upload using multipart form data.

Worked with 4.0.4pl1, haven't tried 4.0.5, crashed with 4.0.6 and latest CVS since.

Compiled with:
./configure \
--enable-inline-optimization \
--enable-sysvsem \
--enable-sysvshm \
--with-mysql=/usr/local \
--with-pdflib=/usr/local \
--with-jpeg=/usr/local \
--with-jpeg-dir=/usr/local \
--with-png-dir=/usr/local \
--with-png=/usr/local \
--with-zlib-dir=/usr \
--with-pgsql=/usr/local \
--with-imap=/usr/local \
--with-gd=/usr/local \
--with-freetype=/usr/local \
--with-apxs=/usr/local/apache_test/bin/apxs

Backtrace:
(gdb) bt
#0  0x1822c8f3 in php_mime_split (
    buf=0x81bf00c '-' <repeats 29 times>, "7d1bb1e111070e\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n3319", cnt=80256, 
    boundary=0x818e02a '-' <repeats 27 times>, "7d1bb1e111070e", array_ptr=0x81389cc) at rfc1867.c:174
#1  0x1822d56f in rfc1867_post_handler (
    content_type_dup=0x818e00c "multipart/form-data; boundary=", '-' <repeats 27 times>, "7d1bb1e111070e", arg=0x81389cc)
    at rfc1867.c:472
#2  0x1822b675 in sapi_handle_post (arg=0x81389cc) at SAPI.c:110
#3  0x1822e52d in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:251
#4  0x18229486 in php_hash_environment () at main.c:1080
#5  0x18228b98 in php_request_startup () at main.c:650
#6  0x18226321 in apache_php_module_main (r=0x818406c, display_source_mode=0) at sapi_apache.c:67
#7  0x18226d6a in send_php (r=0x818406c, display_source_mode=0, filename=0x0) at mod_php4.c:581
#8  0x18226da6 in send_parsed_php (r=0x818406c) at mod_php4.c:594
#9  0x80758a1 in ap_invoke_handler ()
#10 0x8089fa8 in process_request_internal ()
#11 0x808a402 in ap_internal_redirect ()
#12 0x184e68d2 in mod_gzip_redir1_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#13 0x184e4fa0 in mod_gzip_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#14 0x80758a1 in ap_invoke_handler ()
#15 0x8089fa8 in process_request_internal ()
#16 0x808a402 in ap_internal_redirect ()
#17 0x80602b2 in handle_dir ()
#18 0x80758a1 in ap_invoke_handler ()
#19 0x8089fa8 in process_request_internal ()
#20 0x808a012 in ap_process_request ()
#21 0x8080fdf in child_main ()
#22 0x808119d in make_child ()
#23 0x8081316 in startup_children ()
#24 0x8081924 in standalone_main ()
#25 0x808213c in main ()
#26 0x804f429 in _start ()

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-08-19 04:46 UTC] sniper@php.net
Please include the shortest possible example
script into this report.

 [2001-08-19 07:21 UTC] me at philth dot net dot nz
Simply a form containing more than 26 <input type="file"> tag's.

So,
<form action="/prop/" method="post" id="editForm" enctype="multipart/form-data">
	
	Image 1:<input type="file" name="img[1]" size="24" onclick="" onchange="">
	Image 2:<input type="file" name="img[2]" size="24" onclick="" onchange="">
		
		... [Lots more here] ...
	
	Image 18:<input type="file" name="img[18]" size="24" onclick="" onchange="">
	Image 19:<input type="file" name="img[19]" size="24" onclick="" onchange="">
		
		
	Virtual Image 1:<input type="file" name="virtimg[1]" size="24" onclick="" onchange="">
	Image IVR 1:<input type="file" name="virtivr[1]" size="24" onclick="" onchange="">
		
		... [Lots more here] ...
        
	Virtual Image 6:<input type="file" name="virtimg[6]" size="24" onclick="" onchange="">
	Image IVR 6:<input type="file" name="virtivr[6]" size="24" onclick="" onchange="">
	
	<input type="submit" value="  Submit  " id="submitButton">
</form>


It doesn't matter what's in the page it POST's too.

 [2001-08-19 16:26 UTC] sniper@php.net
I can not reproduce this. I have a form with 30 indexed
file fields plus 50 with no preset indexes.
ie.

30 of these: <input type="file" name="test1[1]">
50 of these: <input type="file" name="test2[]">

And I can't get it to crash..do I have to upload ove 26
file or?

--Jani

 [2001-08-19 17:22 UTC] me at philth dot net dot nz
Hmmm, maybe I missed something.

This form here crashes it:

http://philth.net.nz/upload.php

and the file it's posting to has 

<?
echo "foobar";
?>

in it.
 [2001-08-20 19:48 UTC] sniper@php.net
I can not reproduce it with your form and with latest CVS.
Please provide a GDB backtrace of the crash (using latest CVS of PHP)

--Jani

 [2001-08-21 00:11 UTC] me at philth dot net dot nz
From CVS as at 21/08/2001 16:15 NZDT using same form and uploading 2 images in the fields supplied.

(gdb) bt
#0  0x1823fdbf in php_mime_split (
    buf=0x820000c '-' <repeats 29 times>, "7d12252130332\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n3319", cnt=33534, 
    boundary=0x819762a '-' <repeats 27 times>, "7d12252130332", array_ptr=0x817eaec) at rfc1867.c:174
#1  0x18240a3b in rfc1867_post_handler (
    content_type_dup=0x819760c "multipart/form-data; boundary=", '-' <repeats 27 times>, "7d12252130332", arg=0x817eaec)
    at rfc1867.c:472
#2  0x1823eb25 in sapi_handle_post (arg=0x817eaec) at SAPI.c:107
#3  0x18241a01 in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:250
#4  0x1823c2ce in php_hash_environment () at main.c:1097
#5  0x1823b6f0 in php_request_startup () at main.c:684
#6  0x18238cd6 in apache_php_module_main (r=0x819e71c, display_source_mode=0) at sapi_apache.c:67
#7  0x18239822 in send_php (r=0x819e71c, display_source_mode=0, filename=0x0) at mod_php4.c:575
#8  0x18239882 in send_parsed_php (r=0x819e71c) at mod_php4.c:590
#9  0x80758a1 in ap_invoke_handler ()
#10 0x8089fa8 in process_request_internal ()
#11 0x808a402 in ap_internal_redirect ()
#12 0x181d48d2 in mod_gzip_redir1_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#13 0x181d2fa0 in mod_gzip_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#14 0x80758a1 in ap_invoke_handler ()
#15 0x8089fa8 in process_request_internal ()
#16 0x808a402 in ap_internal_redirect ()
#17 0x80602b2 in handle_dir ()
#18 0x80758a1 in ap_invoke_handler ()
#19 0x8089fa8 in process_request_internal ()
#20 0x808a012 in ap_process_request ()
#21 0x8080fdf in child_main ()
#22 0x808119d in make_child ()
#23 0x8081316 in startup_children ()
#24 0x8081924 in standalone_main ()
#25 0x808213c in main ()
#26 0x804f429 in _start ()
(gdb) 
 [2001-08-21 05:28 UTC] sniper@php.net
Just one more thing: What version of Apache? 
And does this happen with any browser? IE / NS / Mozilla ?

--Jani

 [2001-08-21 05:42 UTC] me at philth dot net dot nz
Crashes with 1.3.14, 1.3.17 and 1.3.20.

I've tried it with IE5, IE5.5, Mozilla 0.9.3 and Netscape 6.1.

Whoa, just found it _doesn't_ crash with Netscape 4.08 or Opera 5.11.

I can't test it in Linux, as I'm currently sans-external-DSL-modem and therefore stuck in windows until a new one arrives.
 [2001-08-23 05:54 UTC] sniper@php.net
Reproduced with IE 5.5. The rfc1867.c has some bugs
in it after all..

Marked as fix before release. (4.0.7)

--Jani

 [2001-08-30 13:32 UTC] troels@php.net
The bug also exists when running PHP on Linux. And it may be reproduced with Mozilla, too. Please don't forget this one before 4.0.7 is released.
 [2001-08-30 14:22 UTC] troels@php.net
Some follow-up.

PHP 4.0.5 does _not_ have the bug.
Current CVS (August 30 2001) does have the bug.

The bug doesn't seem to show up unless around 30 files are uploaded.

Here's a back-trace from PHP current CVS.

#0  php_mime_split (
    buf=0x80fbaf4 '-' <repeats 29 times>, "172461271845611381008674657\r\nContent-Disposition: form-data; name=\"date_debut\"\r\n\r\n2001-08-25", cnt=28292, boundary=0x80c387a '-' <repeats 27 times>, "172461271845611381008674657", array_ptr=0x80fb0e4) at rfc1867.c:177
#1  0x4042a55f in rfc1867_post_handler (
    content_type_dup=0x80c385c "multipart/form-data; boundary=", '-' <repeats 27 times>, "172461271845611381008674657", arg=0x80fb0e4)
    at rfc1867.c:472
#2  0x40427c83 in sapi_handle_post (arg=0x80fb0e4) at SAPI.c:107
#3  0x4042b768 in php_treat_data (arg=0, str=0x0, destArray=0x0) at php_variables.c:250
#4  0x40425036 in php_hash_environment () at main.c:1097
#5  0x404244d0 in php_request_startup () at main.c:684
#6  0x404216c0 in apache_php_module_main (r=0x80e5218, display_source_mode=0) at sapi_apache.c:67
#7  0x40422324 in send_php (r=0x80e5218, display_source_mode=0, filename=0x0) at mod_php4.c:575
#8  0x40422383 in send_parsed_php (r=0x80e5218) at mod_php4.c:590
#9  0x080551cd in ap_invoke_handler () at eval.c:41
#10 0x0806732c in ap_some_auth_required () at eval.c:41
#11 0x080673a3 in ap_process_request () at eval.c:41
#12 0x0805fa47 in ap_child_terminate () at eval.c:41
#13 0x0805fbea in ap_child_terminate () at eval.c:41
#14 0x0805fd2d in ap_child_terminate () at eval.c:41
#15 0x08060350 in ap_child_terminate () at eval.c:41
#16 0x08060c13 in main () at eval.c:41
#17 0x4015c4b7 in __libc_start_main (main=0x8060790 <main>, argc=2, ubp_av=0xbffff9c4, init=0x804fb20 <_init>, fini=0x80894d0 <_fini>, 
    rtld_fini=0x4000dbb4 <_dl_fini>, stack_end=0xbffff9bc) at ../sysdeps/generic/libc-start.c:129
 [2001-10-02 09:32 UTC] sniper@php.net
This is fixed now.

--Jani
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 11:01:27 2024 UTC