Bug #24301 readfile() and fpassthru() die with SEGV on a 64k file
Submitted: 2003-06-23 14:50 UTC Modified: 2004-03-09 08:14 UTC
Votes:7
Avg. Score:4.7 ± 0.7
Reproduced:7 of 7 (100.0%)
Same Version:4 (57.1%)
Same OS:4 (57.1%)
From: hessu at hes dot iki dot fi Assigned:
Status: Closed Package: Apache2 related
PHP Version: 4CVS-2003-06-23 (stable) OS: linux 2.4.20
Private report: No CVE-ID: None
 [2003-06-23 14:50 UTC] hessu at hes dot iki dot fi
Description:
------------
php-4.3.2 and php4-STABLE-200306231730 on apache-2.0.46, RedHat Linux on i386, vanilla 2.4.20 kernel, gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7).

When trying to send a binary or ascii file of exactly 65536 bytes using readfile() or fpassthru(), the httpd process dies with a SIGSEGV. If the file is 65535 or 65537 bytes long, it is sent out just fine. 32768 and 131072 bytes do not seem to crash, either.

The same source file does not crash the command line version of php.


Reproduce code:
---------------
$ cat 64kcrash.php
<? readfile("64k-of-data"); ?>
$
$ dd if=/dev/urandom of=64k-of-data bs=1 count=65536
OR
$ perl -e 'print "a" x 65536;' > 64k-of-data


Expected result:
----------------
The contents of the file should be sent.

Actual result:
--------------
[Mon Jun 23 22:46:56 2003] [notice] child pid 7805 exit signal Segmentation fault (11)

client gets EOF after sending the request.

 [2003-06-23 21:29 UTC] sniper@php.net
I cannot reproduce this within Apache 1.3.27. Could you please try that too, to make sure it's just an Apache2-related issue? (FYI: Apache2 with PHP is really not ready for production use.)

 [2003-06-30 03:32 UTC] wez@php.net
Use apache1; apache2 + php is not a production combination as you have discovered.

 [2003-06-30 05:51 UTC] sniper@php.net
Please give the requested feedback or let this report rot..

 [2004-03-08 17:01 UTC] joseph at serengeti dot com
FreeBSD 4.9 Release
mod_php4-4.3.4_6
apache 2.0.48

fpassthru and readfile both cause a segv intermittently with the following file; there may be others, this is the only one I tested with.
-rw-rw-rw-  1 builder  wheel   1802240 Mar  1 16:13 BRTL_STE_4-5-0-7.exe

As you can see, this is not a 2^x file size, but my symptoms are identical and were fixed the same way
(by changing to fopen, fread, print).

I fixed readfile by changing
#define HAVE_MMAP to #undef HAVE_MMAP
in main/php_config.h
and rebuilding. That may or may not be useful to you.
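
The workaround described in the comment above (replacing readfile() with an fopen/fread/print loop), as an added example that is not part of the original thread or PHP's own code. The function name stream_file_chunked and the 8192-byte chunk size are assumptions, and the syntax assumes PHP 7 or later.

```php
<?php
// Added example: stream_file_chunked() is a hypothetical helper, not from the thread.
// It sends a file with fopen/fread/print instead of readfile()/fpassthru().
function stream_file_chunked(string $path, int $chunkSize = 8192): int
{
    if ($chunkSize < 1) {
        throw new InvalidArgumentException('chunk size must be positive');
    }
    $fp = @fopen($path, 'rb');          // binary-safe read
    if ($fp === false) {
        throw new RuntimeException("cannot open $path");
    }
    $sent = 0;
    try {
        while (!feof($fp)) {
            $chunk = fread($fp, $chunkSize);
            if ($chunk === false) {
                throw new RuntimeException("read failed after $sent bytes");
            }
            if ($chunk === '') {
                break;                  // nothing more to read
            }
            print $chunk;
            $sent += strlen($chunk);
        }
    } finally {
        fclose($fp);                    // always release the handle
    }
    return $sent;                       // bytes written to the output
}

// Constructed self-check (CLI only): file sizes around the 64k boundary
// named in the report, captured with output buffering and counted.
if (PHP_SAPI === 'cli') {
    foreach ([65535, 65536, 65537] as $size) {
        $tmp = tempnam(sys_get_temp_dir(), 'bug24301_');
        file_put_contents($tmp, str_repeat('a', $size));
        ob_start();
        $sent = stream_file_chunked($tmp);
        $body = ob_get_clean();
        unlink($tmp);
        fprintf(STDERR, "%d bytes: sent=%d %s\n", $size, $sent,
            ($sent === $size && strlen($body) === $size) ? 'ok' : 'MISMATCH');
    }
}
```

The CLI self-check only confirms the byte counts; per the report the crash appeared under the Apache 2 module and not in command-line PHP, so a regression check for the bug itself has to request the boundary-size files through the web server.
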
 [2004-03-09 02:00 UTC] hessu at hes dot iki dot fi
The bug is still present in php 4.3.4 with apache 2.0.48, Linux 2.6.3. The bug does not appear with apache 1.3.
 [2004-03-09 07:25 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Also tell us what MPM you're using with Apache2.

 [2004-03-09 08:01 UTC] hessu at hes dot iki dot fi
Thank you, php4-STABLE-200403091230 appears to fix this problem for me. I re-tested by doing 'make install' with php-4.3.4, restarting apache, verifying the crash, installing php4-STABLE-200403091230, restarting, and verifying it does not crash.

I'm using the prefork MPM, apache 2.0.48, php configured with:

GCC=gcc CFLAGS="-O3 -march=pentium2" ./configure --enable-memory-limit=yes --enable-debug=no --with-gd --with-zlib --enable-sockets --with-openssl=/opt/openssl-0.9.7c --with-apxs2=/opt/apache-2.0.48/bin/apxs --with-jpeg-dir=/usr --with-png-dir=/usr --with-mcrypt --prefix=/opt/apache-2.0.48/php-4.3.4 --with-config-file-path=/opt/apache-2.0.48/php-4.3.4 --with-mysql=/opt/mysql-4.1.1 --with-curl
 [2004-03-09 08:14 UTC] sniper@php.net
Fixed -> closed.

 
Last updated: Tue Apr 23 07:01:29 2024 UTC