Bug #21406 Appending same filter twice causes segfault
Submitted: 2003-01-03 22:30 UTC Modified: 2011-04-11 01:01 UTC
From: Assigned: cataphract (profile)
Status: Closed Package: Filesystem function related
PHP Version: 4CVS-2003-01-03 (dev) OS: linux
Private report: No CVE-ID: None


 [2003-01-03 22:30 UTC]
The following code works fine when "stream_filter_append()" is called only once.  Adding the second call causes a segfault when fclose() is called.


<?php
// User-space stream filter that applies ROT13 to data passing through a stream.
class rot13_filter extends php_user_filter {
  // Read from the next filter in the chain, then rotate letters by 13.
  function read($length) {
    $tempstr = parent::read($length);
    for($i = 0; $i < strlen($tempstr); $i++)
      if (($tempstr[$i] >= 'A' AND $tempstr[$i] <= 'M') OR
          ($tempstr[$i] >= 'a' AND $tempstr[$i] <= 'm')) $tempstr[$i] = chr(ord($tempstr[$i]) + 13);
      else if (($tempstr[$i] >= 'N' AND $tempstr[$i] <= 'Z') OR
               ($tempstr[$i] >= 'n' AND $tempstr[$i] <= 'z')) $tempstr[$i] = chr(ord($tempstr[$i]) - 13);
    return $tempstr;
  }

  // Rotate letters by 13, then pass the data on to the next filter in the chain.
  function write($data) {
    for($i = 0; $i < strlen($data); $i++)
      if (($data[$i] >= 'A' AND $data[$i] <= 'M') OR
          ($data[$i] >= 'a' AND $data[$i] <= 'm')) $data[$i] = chr(ord($data[$i]) + 13);
      else if (($data[$i] >= 'N' AND $data[$i] <= 'Z') OR
               ($data[$i] >= 'n' AND $data[$i] <= 'z')) $data[$i] = chr(ord($data[$i]) - 13);
    return parent::write($data);
  }
}

stream_register_filter("rot13", "rot13_filter")
    or die("Failed to register filter");

$fp = fopen("foo-bar.txt", "r");

stream_filter_append($fp, "rot13");
stream_filter_append($fp, "rot13"); // the second append is what leads to the segfault

fwrite($fp, "Line1\n");
fwrite($fp, "Word - 2\n");
fwrite($fp, "Easy As 123\n");

fclose($fp); // the segfault is reported here




 [2003-01-03 22:37 UTC]
Correction... Any two filters:

stream_filter_append($fp, "rot13");
stream_filter_append($fp, "rot13");


stream_filter_append($fp, "rot13");
stream_filter_append($fp, "default");


stream_filter_append($fp, "default");
stream_filter_append($fp, "default");

all produce the same segfault when fclose()ing (presumably during the calls to write() or flush() in the filters).

Note: "default" was previously registered using:
stream_register_filter("default", "php_user_filter");
 [2003-01-04 04:41 UTC]
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

Always include a backtrace in reports of segfaults or bus errors (it saves a good 15 minutes or more of my time!)
 [2003-01-04 13:54 UTC]
The backtrace totalled up to over 11MB so I've put it on a webserver for you to grab. I also made a gzip -9 version to save downloading time. (~11.8MB) (~530KB)

I can save you even that much downloading though by telling you that it seems the execution just goes into an infinite loop calling:

#1122 0x080b403a in userfilter_flush (stream=0x817ace4, thisfilter=0x817adb4, closing=1) at /home/sarag/cvs/php4/ext/standard/user_filters.c:255
#1123 0x080b3cce in zif_user_filter_flush (ht=1, return_value=0x82aeaf4, this_ptr=0x817ae34, return_value_used=1) at /home/sarag/cvs/php4/ext/standard/user_filters.c:107
#1124 0x080ed80c in call_user_function_ex (function_table=0x817a850, object_pp=0xbf826890, function_name=0xbf8268a0, retval_ptr_ptr=0xbf826894, param_count=1,
    params=0xbf826898, no_separation=0, symbol_table=0x0) at /home/sarag/cvs/php4/Zend/zend_execute_API.c:584

The pointers change, but the commands and their sequence remain the same...over...and over...and over...and over...

An early morning guess would say that the filterhead chain isn't being set up properly.

Though as a slight aside, why does the fops structure show eof/dtor methods when user_filter.c calls them oncreate/onclose? When are oncreate/onclose called?
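A backtrace like the one described in the comment above (thousands of frames repeating the same call sequence with different pointers) can be reduced to its repeating cycle before it is attached to a report. The following is an added example, not part of the original report or of PHP's source; the sample backtrace is constructed from the three frames quoted above, with made-up pointer values and made-up outer frames.

```python
import re

# One gdb frame, after wrapped continuation lines have been joined:
#   #1122 0x080b403a in userfilter_flush (args...) at path/user_filters.c:255
FRAME_RE = re.compile(
    r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[\w:~]+)\s*\(.*\)"
    r"(?:\s+(?:at|from)\s+(?P<loc>\S+))?\s*$")

def parse_frames(text):
    """Return [(function, location)] per frame; argument values are dropped
    because the pointers differ on every level of a runaway recursion."""
    joined = []
    for line in text.splitlines():
        if re.match(r"#\d+\s", line):
            joined.append(line.strip())
        elif joined and line.strip():          # wrapped argument list
            joined[-1] += " " + line.strip()
    matches = (FRAME_RE.match(f) for f in joined)
    return [(m.group("func"), m.group("loc")) for m in matches if m]

def find_cycle(frames, max_period=64, min_repeats=3):
    """Longest periodic run as (start_index, period, repeats), or None."""
    best, best_run, n = None, 0, len(frames)
    for period in range(1, min(max_period, n // min_repeats) + 1):
        i = 0
        while i + period < n:
            j = i
            while j + period < n and frames[j] == frames[j + period]:
                j += 1
            run = j - i + period               # frames covered by this run
            if j > i and run // period >= min_repeats and run > best_run:
                best, best_run = (i, period, run // period), run
            i = max(j, i + 1)
    return best

def constructed_backtrace(repeats):
    """Constructed sample: the three frames quoted in the report, repeated
    with made-up pointer values, between two made-up outer frames."""
    src = "/home/sarag/cvs/php4"
    lines, no = ["#0  0x08101234 in made_up_leaf (x=0x1) at made_up.c:10"], 1
    for r in range(repeats):
        p = 0x817a000 + 0x40 * r
        for body in (
            f"userfilter_flush (stream=0x{p:x}, thisfilter=0x{p+8:x}, closing=1) at {src}/ext/standard/user_filters.c:255",
            f"zif_user_filter_flush (ht=1, return_value=0x{p:x}, this_ptr=0x{p+8:x}, return_value_used=1) at {src}/ext/standard/user_filters.c:107",
            f"call_user_function_ex (function_table=0x{p:x}, param_count=1,\n    params=0x{p+8:x}, symbol_table=0x0) at {src}/Zend/zend_execute_API.c:584",
        ):
            lines.append(f"#{no}  0x080b{no:04x} in {body}")
            no += 1
    lines.append(f"#{no}  0x08051111 in main (argc=2) at made_up_main.c:1")
    return "\n".join(lines)
```

Reporting the cycle (`frames[start:start + period]`) together with the repeat count and the few frames outside it carries the same diagnostic information as the full dump.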
 [2003-01-06 17:41 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

 [2011-04-11 01:01 UTC]
-Assigned To: +Assigned To: cataphract