PHP :: Bug #35781 :: stream_filter_append will cause segfault

Bug #35781

stream_filter_append will cause segfault

Submitted:

2005-12-23 03:00 UTC

Modified:

2005-12-23 15:46 UTC

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

sqchen at citiz dot net

Assigned:

tony2001 (profile)

Status:

Closed

Package:

Filesystem function related

PHP Version:

5.1.2RC1

OS:

redhat 7.3

Private report:

CVE-ID:

None

View Developer Edit

[2005-12-23 03:00 UTC] sqchen at citiz dot net

Description:
------------
stream_filter_append($fp, "string.rot13", -49)
will cause Segmentation fault

Reproduce code:
---------------
<?php
$fp = fopen("test.txt", "w");
stream_filter_append($fp, "string.rot13", -49);
fwrite($fp, "This is a test\n");
rewind($fp);
fpassthru($fp);
fclose($fp);
?>

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-12-23 04:17 UTC] judas dot iscariote at gmail dot com

==308== Process terminating with default action of signal 11 (SIGSEGV)
==308==  Bad permissions for mapped region at address 0x1669DFFF
==308==    at 0x11B1CEC7: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck.so)
==308==    by 0x508DDA: php_stream_bucket_make_writeable (string3.h:52)
==308==    by 0x4E48C4: ??? (filters.c:46)
==308==    by 0x506424: ??? (streams.c:458)
==308==    by 0x50689A: _php_stream_read (streams.c:584)
==308==    by 0x506E9F: _php_stream_passthru (streams.c:1183)
==308==    by 0x49F60E: zif_fpassthru (file.c:1487)
==308==    by 0x54F5E4: ??? (zend_vm_execute.h:192)
==308==    by 0x54ECD2: execute (zend_vm_execute.h:92)
==308==    by 0x526ADA: zend_eval_string (zend_execute_API.c:1085)
==308==    by 0x526C27: zend_eval_string_ex (zend_execute_API.c:1119)
==308==    by 0x5C2FBD: main (php_cli.c:1116)
 
php -v
PHP 5.1.2RC1 (cli) (built: Dec 22 2005 19:34:24)
Copyright (c) 1997-2005 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2005 Zend Technologies

[2005-12-23 04:36 UTC] judas dot iscariote at gmail dot com

(gdb) bt
#0  0x00002aaaab5433f0 in memcpy () from /lib64/tls/libc.so.6
#1  0x0000000000000003 in ?? ()
#2  0x000000000071ca50 in php_register_internal_extensions ()
#3  0x000000000062acfa in strfilter_rot13_filter (stream=0xaa6fc0, thisfilter=0xaa7360, buckets_in=0x7fffffc21d60,
    buckets_out=0x7fffffc21d50, bytes_consumed=0x0, flags=0) at /local/local/bodegon/php-debug/ext/standard/filters.c:46
#4  0x000000000065e69d in php_stream_fill_read_buffer (stream=0xaa6fc0, size=8192)
    at /local/local/bodegon/php-debug/main/streams/streams.c:458
#5  0x000000000065ecfa in _php_stream_read (stream=0xaa6fc0, buf=0x7fffffc21e70 "", size=8192)
    at /local/local/bodegon/php-debug/main/streams/streams.c:584
#6  0x00000000006602d2 in _php_stream_passthru (stream=0xaa6fc0, __php_stream_call_depth=0,
    __zend_filename=0x762ae0 "/local/local/bodegon/php-debug/ext/standard/file.c", __zend_lineno=1487,
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/local/bodegon/php-debug/main/streams/streams.c:1183
#7  0x00000000005ca9ff in zif_fpassthru (ht=1, return_value=0xaa4f90, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at /local/local/bodegon/php-debug/ext/standard/file.c:1487
#8  0x00000000006c2ef2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffc241a0) at zend_vm_execute.h:192
#9  0x00000000006c8e57 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fffffc241a0) at zend_vm_execute.h:1587
#10 0x00000000006c2a66 in execute (op_array=0xaa5e70) at zend_vm_execute.h:92
#11 0x000000000069ce03 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /local/local/bodegon/php-debug/Zend/zend.c:1101
#12 0x0000000000649cd3 in php_execute_script (primary_file=0x7fffffc26830)
    at /local/local/bodegon/php-debug/main/main.c:1720
#13 0x000000000071bd3d in main (argc=2, argv=0x7fffffc26a28) at /local/local/bodegon/php-debug/sapi/cli/php_cli.c:1077

[2005-12-23 15:12 UTC] sniper@php.net

Assigned to the streams author.

[2005-12-23 15:17 UTC] tony2001@php.net

I'll commit a patch shortly.

[2005-12-23 15:46 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 18:00:01 2025 UTC