Bug #35916 stream_socket_append() twice will cause segfault
Submitted: 2006-01-06 06:59 UTC Modified: 2006-01-10 17:14 UTC
From: sqchen at citiz dot net Assigned: pollita
Status: Closed Package: Streams related
PHP Version: 5CVS-2006-01-07 (cvs) OS: *
Private report: No CVE-ID:
 [2006-01-06 06:59 UTC] sqchen at citiz dot net
Description:
------------
stream_socket_append() twice will cause segfault, the same as stream_socket_prepend()

Reproduce code:
---------------
<?php
class strtoupper_filter extends php_user_filter {
    function filter($in, $out, &$consumed, $closing)
    {
        while ($bucket = stream_bucket_make_writeable($in)) {
            $bucket->data = strtoupper($bucket->data);
            $consumed += $bucket->datalen;
            stream_bucket_append($out, $bucket);
            /* here twice will cause segfault */
            stream_bucket_append($out, $bucket);
        }
        return PSFS_PASS_ON;
    }

    function onCreate() {
        echo "fffffffffff\n";
    }

    function onClose() {
        echo "hello\n";
    }
}

stream_filter_register("strtoupper", "strtoupper_filter");
$fp = fopen("1.txt", "w");
stream_filter_append($fp, "strtoupper");
fread($fp, 1024);
fwrite($fp, "Thank you\n");
fclose($fp);
readfile("1.txt");
unlink("1.txt");
?>

Actual result:
--------------
segfault

 [2006-01-06 09:03 UTC] sqchen at citiz dot net
sorry, it's stream_bucket_append and stream_bucket_prepend
 [2006-01-06 12:51 UTC] tony2001@php.net
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1085230688 (LWP 21490)]
0x0814f3ae in php_stream_bucket_unlink (bucket=0x8300c3c) at /usr/src/dev/php-src_5_1/main/streams/filter.c:222
222                     bucket->prev->next = bucket->next;
(gdb) p bucket
$1 = (php_stream_bucket *) 0x8300c3c
(gdb) p bucket->prev
$2 = (php_stream_bucket *) 0x5a5a5a5a
(gdb) bt
#0  0x0814f3ae in php_stream_bucket_unlink (bucket=0x8300c3c) at /usr/src/dev/php-src_5_1/main/streams/filter.c:222
#1  0x0814b171 in _php_stream_write_filtered (stream=0x83033a4, buf=0x830519c "Thank you\n", count=10, flags=0) at /usr/src/dev/php-src_5_1/main/streams/streams.c:978
#2  0x0814b22b in _php_stream_write (stream=0x83033a4, buf=0x830519c "Thank you\n", count=10) at /usr/src/dev/php-src_5_1/main/streams/streams.c:1017
#3  0x080de0a7 in zif_fwrite (ht=2, return_value=0x830357c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /usr/src/dev/php-src_5_1/ext/standard/file.c:1257
#4  0x0819a7c8 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfffca90) at zend_vm_execute.h:192
#5  0x0819d50e in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfffca90) at zend_vm_execute.h:1587
#6  0x0819a475 in execute (op_array=0x82fe3f4) at zend_vm_execute.h:92
#7  0x0817d890 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/dev/php-src_5_1/Zend/zend.c:1101
#8  0x08139bf0 in php_execute_script (primary_file=0xbfffef30) at /usr/src/dev/php-src_5_1/main/main.c:1720
#9  0x081e0df6 in main (argc=2, argv=0xbffff014) at /usr/src/dev/php-src_5_1/sapi/cli/php_cli.c:1077

 [2006-01-06 14:40 UTC] sniper@php.net
Sara, here's one more..
 [2006-01-10 17:14 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
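
Added example (not from the report and not PHP's source): a simplified C model of a doubly linked bucket brigade, showing what linking the same bucket twice, as the reproduce script does, does to the list, next to an append that refuses the repeat. The struct and function names are hypothetical, and the actual fix committed to CVS is not shown on this page.

```c
#include <stddef.h>

/* Hypothetical, simplified model of a bucket brigade; not PHP's structs. */
typedef struct brigade brigade;
typedef struct bucket { struct bucket *next, *prev; brigade *owner; } bucket;
struct brigade { bucket *head, *tail; };

/* Append with no check for whether the bucket is already linked. */
static void append_unchecked(brigade *bb, bucket *b) {
    b->prev = bb->tail; b->next = NULL;
    if (bb->tail) bb->tail->next = b; else bb->head = b;
    bb->tail = b; b->owner = bb;
}

/* Guarded append: refuse a bucket that is still linked into a brigade. */
static int append_checked(brigade *bb, bucket *b) {
    if (b->owner != NULL) return -1;
    append_unchecked(bb, b);
    return 0;
}

/* Unlink; the first statement has the form of the line the trace stops on. */
static void unlink_bucket(bucket *b) {
    if (b->prev) b->prev->next = b->next; else b->owner->head = b->next;
    if (b->next) b->next->prev = b->prev; else b->owner->tail = b->prev;
    b->next = b->prev = NULL; b->owner = NULL;
}

/* 1 if a double append self-links the bucket and one unlink leaves head/tail on it. */
static int unchecked_leaves_stale_head(void) {
    brigade bb = {NULL, NULL};
    bucket b = {NULL, NULL, NULL};
    append_unchecked(&bb, &b);
    append_unchecked(&bb, &b);          /* now b.next == b.prev == &b */
    int self_linked = (b.next == &b && b.prev == &b);
    unlink_bucket(&b);                  /* head and tail are not updated */
    return self_linked && bb.head == &b && bb.tail == &b;
}

/* 1 if the guard rejects the repeat and one unlink empties the brigade. */
static int checked_refuses_repeat(void) {
    brigade bb = {NULL, NULL};
    bucket b = {NULL, NULL, NULL};
    int first = append_checked(&bb, &b), second = append_checked(&bb, &b);
    unlink_bucket(&b);
    return first == 0 && second == -1 && bb.head == NULL && bb.tail == NULL;
}

int main(void) { return !(unchecked_leaves_stale_head() && checked_refuses_repeat()); }
```

In the unchecked case the brigade still references the bucket after it has been unlinked, so a consumer that frees each bucket after unlinking it would go on to read freed memory.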


 
Last updated: Sun Apr 20 05:03:19 2014 UTC