Bug #29886 segment fault when processing curl output with "wrapper-registered" stream
Submitted: 2004-08-30 02:08 UTC Modified: 2005-05-18 16:16 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: public at grik dot net Assigned:
Status: Closed Package: cURL related
PHP Version: 5CVS-2004-08-30 (dev) OS: Linux (not FreeBSD)
Private report: No CVE-ID: None
 [2004-08-30 02:08 UTC] public at grik dot net
Description:
------------
I register a wrapper, create a stream and pass the pointer to curl_setopt to process the CURL output.
When the amount of data returned by CURL exceeds 8192 bytes (the size of the CURL buffer), PHP ends with a segmentation fault.

I could not reach the crash using fwrite().

A similar problem was in PHP 4.3.3; in 4.3.7 everything works fine.
I detected this problem again in 5.0.0 and replicated it in the latest stable CVS.

I do not know if it happens upon shutdown and if it is relevant to bug #29358. This happens with CURL only.

Reproduce code:
---------------
The sample code can be found at:
http://www.grik.net/sample.phps

It can be run from the command line:
php -f sample.php

Expected result:
----------------
In PHP 4.3.7 this script would output the amount of bytes obtained from CURL:

8192
8192
...

Actual result:
--------------
In PHP 5.0.0:

8192
8192
Segmentation fault

Backtrace (I am not good enough with gdb, could not locate):

(gdb) bt
#0  0x081f714a in _zval_copy_ctor (zvalue=0x8344684,
    __zend_filename=0x8273780 "/usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c",
    __zend_lineno=3001) at /usr/src/web/php5-STABLE-200408292230/Zend/zend_variables.c:136
#1  0x08227ab6 in zend_send_by_var_helper (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3001
#2  0x08221824 in zend_send_var_handler (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3061
#3  0x0821cb76 in execute (op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:1400
#4  0x081ed157 in zend_call_function (fci=0xbfffb370, fci_cache=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:835
#5  0x081ec1a9 in call_user_function_ex (function_table=0x0, object_pp=0x82e5f00,
    function_name=0xbfffb400, retval_ptr_ptr=0xbfffb3fc, param_count=1, params=0xbfffb3f0,
    no_separation=0, symbol_table=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:550
#6  0x081cd58c in php_userstreamop_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192)
    at /usr/src/web/php5-STABLE-200408292230/main/streams/userspace.c:459
#7  0x081c539d in _php_stream_write_buffer (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:889
#8  0x081c561f in _php_stream_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:1000
#9  0x081c7c66 in stream_cookie_writer (cookie=0x83446c4,
    buffer=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., size=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/cast.c:96
#10 0x42062019 in _IO_cookie_write () from /lib/tls/libc.so.6
#11 0x4206d09e in new_do_write () from /lib/tls/libc.so.6
#12 0x4206d036 in _IO_new_do_write () from /lib/tls/libc.so.6
#13 0x4206d7b8 in _IO_new_file_overflow () from /lib/tls/libc.so.6
#14 0x4206e220 in _IO_new_file_xsputn () from /lib/tls/libc.so.6
#15 0x42062a62 in fwrite () from /lib/tls/libc.so.6
#16 0x40027de3 in last_use () from /usr/lib/20040412/curl.so
#17 0x4064c139 in Curl_client_write (data=0x834c50c, type=1,
    ptr=0x834c7b8 ">\n The PHP Development Team would like to announce the immediate availability of <a href=\"/downloads.php\">PHP 5.0.1</a>.\n This is a maintenance release that in addition to many non-critical bug fixes "..., len=1448) at sendf.c:337
#18 0x40663fcf in Curl_httpchunk_read (conn=0x8344f3c,
    datap=0x834c7b8 ">\n The PHP Development Team would like to announce the immediate availability of <a href=\"/downloads.php\">PHP 5.0.1</a>.\n This is a maintenance release that in addition to many non-critical bug fixes "..., datalen=1448, wrotep=0xbfffb880) at http_chunks.c:186
#19 0x40660fd7 in Curl_readwrite (conn=0x8344f3c, done=0xbfffb8df "") at transfer.c:980
#20 0x40661f56 in Transfer (conn=0x8344f3c) at transfer.c:1480
#21 0x4066294a in Curl_perform (data=0x834c50c) at transfer.c:1985
#22 0x40663175 in curl_easy_perform (curl=0x834c50c) at easy.c:378
#23 0x4002ab43 in last_use () from /usr/lib/20040412/curl.so
#24 0x0822053b in zend_do_fcall_common_helper (execute_data=0xbfffbc20, opline=0x8348d90,
    op_array=0x834423c) at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:2708
#25 0x08220caf in zend_do_fcall_handler (execute_data=0xbfffbc20, opline=0x8348d90, op_array=0x834423c)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:2840
#26 0x0821cb76 in execute (op_array=0x834423c)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:1400
#27 0x081f9331 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend.c:1061
#28 0x081b3c77 in php_execute_script (primary_file=0xbfffe020)
    at /usr/src/web/php5-STABLE-200408292230/main/main.c:1629
#29 0x08229f73 in main (argc=3, argv=0xbfffe0b4)
    at /usr/src/web/php5-STABLE-200408292230/sapi/cli/php_cli.c:943
#30 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6



(gdb) frame 0
#0  0x081f714a in _zval_copy_ctor (zvalue=0x8344684,
    __zend_filename=0x8273780 "/usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c",
    __zend_lineno=3001) at /usr/src/web/php5-STABLE-200408292230/Zend/zend_variables.c:136
136                             CHECK_ZVAL_STRING_REL(zvalue);

(gdb) frame 1
#1  0x08227ab6 in zend_send_by_var_helper (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3001
3001                    zval_copy_ctor(varptr);
(gdb) frame 2
#2  0x08221824 in zend_send_var_handler (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3061
3061            return zend_send_by_var_helper(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) frame 3
#3  0x0821cb76 in execute (op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:1400
1400                    if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
(gdb) frame 4
#4  0x081ed157 in zend_call_function (fci=0xbfffb370, fci_cache=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:835
835                     zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 5
#5  0x081ec1a9 in call_user_function_ex (function_table=0x0, object_pp=0x82e5f00,
    function_name=0xbfffb400, retval_ptr_ptr=0xbfffb3fc, param_count=1, params=0xbfffb3f0,
    no_separation=0, symbol_table=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:550
550             return zend_call_function(&fci, NULL TSRMLS_CC);
(gdb) frame 6
#6  0x081cd58c in php_userstreamop_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192)
    at /usr/src/web/php5-STABLE-200408292230/main/streams/userspace.c:459
459             call_result = call_user_function_ex(NULL,
(gdb) frame 7
#7  0x081c539d in _php_stream_write_buffer (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:889
889                     justwrote = stream->ops->write(stream, buf, towrite TSRMLS_CC);
(gdb) frame 8
#8  0x081c561f in _php_stream_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:1000
1000                    return _php_stream_write_buffer(stream, buf, count TSRMLS_CC);
(gdb)
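
The setup the report describes, as an added reconstruction (not the reporter's sample.php, which is not reproduced on this page): a userspace stream wrapper is passed to curl as its output file, so each write arrives in stream_write() through the fwrite() and stream_cookie_writer frames seen in the backtrace. The count:// scheme, the CountingStream class and the file:// payload are assumptions made for this example.

```php
<?php
// Added illustration, not the reporter's sample.php. The "count" scheme, the
// CountingStream class and the temp-file payload are constructed for this example.
class CountingStream
{
    public $context;              // populated by PHP when the wrapper is instantiated
    public static $chunks = [];   // size of every buffer handed to stream_write()

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        return true;
    }

    // Per the backtrace: curl -> fwrite() -> stream_cookie_writer -> php_userstreamop_write -> here.
    public function stream_write($data)
    {
        $len = strlen($data);
        self::$chunks[] = $len;
        echo $len, "\n";
        return $len;              // report every byte as consumed
    }

    public function stream_flush() { return true; }
    public function stream_close() {}
}

if (!stream_wrapper_register('count', 'CountingStream')) { exit("cannot register wrapper\n"); }

// Constructed payload, larger than the 8192-byte buffer, read over file:// so no network is needed.
$size = 3 * 8192 + 100;
$src  = tempnam(sys_get_temp_dir(), 'curl');
file_put_contents($src, str_repeat('A', $size));

$sink = fopen('count://sink', 'w');
$ch   = curl_init('file://' . $src);
curl_setopt($ch, CURLOPT_FILE, $sink);   // curl output goes to the wrapper-registered stream
$ok = curl_exec($ch);
unset($ch);                              // release the curl handle before closing its output stream
fclose($sink);                           // flushes any bytes still buffered for the wrapper
unlink($src);

$total = array_sum(CountingStream::$chunks);
echo ($ok && $total === $size) ? "OK: $total bytes\n" : "MISMATCH: $total of $size bytes\n";
```

Run under the PHP build being checked (`php -f` on the CLI, as in the report); a crash or a byte-count mismatch after the first full buffers points at the write path shown in frames 6 to 15.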


 [2005-03-07 21:33 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

I can't get it to crash..

 [2005-03-08 09:35 UTC] public at grik dot net
Thank you, I'll try with the new version today.
 [2005-03-08 10:44 UTC] derick@php.net
Set to feedback until real feedback has been provided.
 [2005-03-16 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-05-18 16:08 UTC] joel at joelstrellner dot com
I am having the exact same problem in version 5.0.4.  I have narrowed it down to curl, but I can't narrow it down any further.

I tried using CURLOPT_BUFFERSIZE to overcome it but I am not sure that it is even working.

I am pretty sure that it has to do with curl_multi_init and the related multi functions.

The exact same code using one connection at a time does not cause an error of any kind.

The options I am giving it are:
$conn[$i] = curl_init($url);
curl_setopt ($conn[$i], CURLOPT_BUFFERSIZE, 8192000);
curl_setopt ($conn[$i], CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($conn[$i], CURLOPT_URL, "$url");
curl_setopt ($conn[$i], CURLOPT_USERAGENT, $user_agent);
if (($referer!=NULL) AND ($referer!='')) curl_setopt ($conn[$i], CURLOPT_REFERER, $referer);
curl_setopt ($conn[$i], CURLOPT_CONNECTTIMEOUT, $connecttimeout);
curl_setopt ($conn[$i], CURLOPT_TIMEOUT, $timeout);
curl_setopt ($conn[$i], CURLOPT_HEADER, 0);
curl_setopt ($conn[$i], CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($conn[$i], CURLOPT_MAXREDIRS, 3);
curl_setopt ($conn[$i], CURLOPT_FAILONERROR, 1);
curl_setopt ($conn[$i], CURLOPT_ENCODING, '');
curl_setopt ($conn[$i], CURLOPT_COOKIEJAR,"cookie.txt");
curl_setopt ($conn[$i], CURLOPT_COOKIEFILE,"cookie.txt");
curl_setopt ($conn[$i], CURLOPT_FOLLOWLOCATION,TRUE);
curl_setopt ($conn[$i], CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt ($conn[$i], CURLOPT_SSL_VERIFYHOST, 1);
curl_multi_add_handle ($mh,$conn[$i]);

The error I am getting is a seg fault (11), then the script stops executing.
 [2005-05-18 16:16 UTC] public at grik dot net
I found out that the bug was in the PHP stream wrapper - the segmentation fault arose on the Linux platform.
That bug was recently fixed (thanks, Tony):
http://bugs.php.net/?id=32742
 
Last updated: Tue May 07 01:01:30 2024 UTC