Bug #35916 stream_socket_append() twice will cause segfault
Submitted: 2006-01-06 06:59 UTC
Modified: 2006-01-10 17:14 UTC
From: sqchen at citiz dot net
Assigned: pollita
Status: Closed
Package: Streams related
PHP Version: 5CVS-2006-01-07 (cvs)
OS: *
Private report: No
CVE-ID:
 [2006-01-06 06:59 UTC] sqchen at citiz dot net
stream_socket_append() twice will cause segfault, the same as stream_socket_prepend()

Reproduce code:
<?php
class strtoupper_filter extends php_user_filter{
        function filter($in, $out, &$consumed, $closing)
        {
                /* take each bucket from the input brigade */
                while ($bucket = stream_bucket_make_writeable($in)) {
                        $bucket->data = strtoupper($bucket->data);
                        $consumed += $bucket->datalen;
                        stream_bucket_append($out, $bucket);
                        /*here twice will cause segfault*/
                        stream_bucket_append($out, $bucket);
                }

                return PSFS_PASS_ON;
        }
        function onCreate(){
                echo "fffffffffff\n";
        }
        function onClose(){
                echo "hello\n";
        }
}

stream_filter_register("strtoupper", "strtoupper_filter");
$fp=fopen("1.txt", "w");
stream_filter_append($fp,  "strtoupper");
fread($fp, 1024);
fwrite($fp, "Thank you\n");

Actual result:

 [2006-01-06 09:03 UTC] sqchen at citiz dot net
sorry, it's stream_bucket_append and stream_bucket_prepend
 [2006-01-06 12:51 UTC]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085230688 (LWP 21490)]
0x0814f3ae in php_stream_bucket_unlink (bucket=0x8300c3c) at /usr/src/dev/php-src_5_1/main/streams/filter.c:222
222                     bucket->prev->next = bucket->next;
(gdb) p bucket
$1 = (php_stream_bucket *) 0x8300c3c
(gdb) p bucket->prev
$2 = (php_stream_bucket *) 0x5a5a5a5a
(gdb) bt
#0  0x0814f3ae in php_stream_bucket_unlink (bucket=0x8300c3c) at /usr/src/dev/php-src_5_1/main/streams/filter.c:222
#1  0x0814b171 in _php_stream_write_filtered (stream=0x83033a4, buf=0x830519c "Thank you\n", count=10, flags=0) at /usr/src/dev/php-src_5_1/main/streams/streams.c:978
#2  0x0814b22b in _php_stream_write (stream=0x83033a4, buf=0x830519c "Thank you\n", count=10) at /usr/src/dev/php-src_5_1/main/streams/streams.c:1017
#3  0x080de0a7 in zif_fwrite (ht=2, return_value=0x830357c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /usr/src/dev/php-src_5_1/ext/standard/file.c:1257
#4  0x0819a7c8 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffca90) at zend_vm_execute.h:192
#5  0x0819d50e in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffca90) at zend_vm_execute.h:1587
#6  0x0819a475 in execute (op_array=0x82fe3f4) at zend_vm_execute.h:92
#7  0x0817d890 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/php-src_5_1/Zend/zend.c:1101
#8  0x08139bf0 in php_execute_script (primary_file=0xbfffef30) at /usr/src/dev/php-src_5_1/main/main.c:1720
#9  0x081e0df6 in main (argc=2, argv=0xbffff014) at /usr/src/dev/php-src_5_1/sapi/cli/php_cli.c:1077

 [2006-01-06 14:40 UTC]
Sara, here's one more..
 [2006-01-10 17:14 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
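
A simplified C model of the list corruption behind the gdb backtrace earlier in this report, added here as an illustration and not taken from the PHP source. The struct layout and the names `append_naive`, `append_checked` and `dangling_after_drain` are assumptions; only the `prev->next = next` update comes from the faulting line shown in the trace, and the checked variant is one possible guard, not necessarily the fix committed to CVS.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumed layout), not PHP's php_stream_bucket. */
typedef struct bucket bucket;
typedef struct { bucket *head, *tail; } brigade;
struct bucket { bucket *next, *prev; brigade *owner; };

/* Detach a bucket from its brigade; first line matches filter.c:222 in the trace. */
static void bucket_unlink(bucket *b) {
    if (b->prev) b->prev->next = b->next;
    else if (b->owner) b->owner->head = b->next;
    if (b->next) b->next->prev = b->prev;
    else if (b->owner) b->owner->tail = b->prev;
    b->next = b->prev = NULL;
    b->owner = NULL;
}

/* Append with no check: a second call on the same bucket makes it its own prev/next. */
static void append_naive(brigade *br, bucket *b) {
    b->prev = br->tail;
    b->next = NULL;
    if (br->tail) br->tail->next = b;
    else br->head = b;
    br->tail = b;
    b->owner = br;
}

/* Guarded append: a bucket that is already queued is detached first. */
static void append_checked(brigade *br, bucket *b) {
    if (b->owner) bucket_unlink(b);
    append_naive(br, b);
}

/* Returns 1 if the brigade still points at the bucket after the consumer
 * unlinked it, i.e. the next drain iteration would touch freed memory. */
static int dangling_after_drain(void (*append)(brigade *, bucket *)) {
    brigade br = {NULL, NULL};
    bucket b = {NULL, NULL, NULL};
    append(&br, &b);
    append(&br, &b);      /* the second append from the report */
    bucket_unlink(&b);    /* consumer takes the bucket; a real consumer frees it next */
    return br.head == &b || br.tail == &b;
}

int main(void) {
    printf("naive: %d, checked: %d\n", dangling_after_drain(append_naive),
           dangling_after_drain(append_checked));
    return 0;
}
```

In the naive case the brigade head survives the unlink, so a consumer that frees the bucket and loops on `head` dereferences poisoned memory, which is consistent with `bucket->prev` reading `0x5a5a5a5a` in the gdb session.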
