Bug #36515 stream_filter_append with zlib inflate filter on http stream crashes
Submitted: 2006-02-24 17:27 UTC Modified: 2006-10-11 23:25 UTC
From: mark at vectrex dot org dot uk Assigned: pollita
Status: Closed Package: Streams related
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID:
 [2006-02-24 17:27 UTC] mark at vectrex dot org dot uk
Description:
------------
I'm trying to fetch a gzipped item from a web server and inflate it using the zlib inflate filter.

This causes a segfault.

Reproduce code:
---------------
<?php
    // List the filters this build registers (zlib.* must be among them).
    echo "Registered filters: --- \n\n";
    print_r(stream_get_filters());

    // Ask the server for a gzip-encoded body through the http stream context.
    $opts = array(
        'http' => array(
            'method' => "GET",
            'header' => "Accept-Encoding:gzip"
        )
    );
    $ctx = stream_context_create($opts);
    $url = "http://www.vectrex.org.uk/mark/web/test.txt.gz";

    $f = fopen($url, "r", false, $ctx);
    echo "appending filter...\n";
    // Attach zlib.inflate to the read side of the http stream;
    // this is the call that segfaults (see the stack trace below).
    stream_filter_append($f, 'zlib.inflate', STREAM_FILTER_READ);
    echo "filter appended, getting data....\n";
    $data = stream_get_contents($f);
    $metadata = stream_get_meta_data($f);
    fclose($f);

    echo "METADATA: ----- \n\n";
    print_r($metadata);

    echo "DATA: ----- \n\n";
    print $data;
?>

Expected result:
----------------
The file will be printed uncompressed. This is intended to use the CLI SAPI.

Actual result:
--------------
Registered filters: --- 

Array
(
    [0] => string.rot13
    [1] => string.toupper
    [2] => string.tolower
    [3] => string.strip_tags
    [4] => convert.*
    [5] => convert.iconv.*
    [6] => zlib.*
)
appending filter...

Then it crashes with a segfault; the stack trace is:

#0  0x0828efb8 in php_stream_bucket_unlink (bucket=0x86bac94, tsrm_ls=0x859b018)
    at /home/mark/unpack/php-5.1.2/main/streams/filter.c:228
#1  0x0828f46d in _php_stream_filter_append (chain=0x86bad74, filter=0x86b9934, 
    tsrm_ls=0x859b018) at /home/mark/unpack/php-5.1.2/main/streams/filter.c:370
#2  0x0826729a in apply_filter_to_stream (append=1, ht=0, return_value=0x86b8894, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x859b018)
    at /home/mark/unpack/php-5.1.2/ext/standard/streamsfuncs.c:1085
#3  0x0826739c in zif_stream_filter_append (ht=0, return_value=0x0, return_value_ptr=0x0, 
    this_ptr=0x0, return_value_used=0, tsrm_ls=0x0)
    at /home/mark/unpack/php-5.1.2/ext/standard/streamsfuncs.c:1123
#4  0x082d5fee in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaa9910, tsrm_ls=0x859b018)
    at zend_vm_execute.h:192
#5  0x082d56ec in execute (op_array=0x86b5994, tsrm_ls=0x859b018) at zend_vm_execute.h:92
#6  0x082bb1fc in zend_execute_scripts (type=8, tsrm_ls=0x859b018, retval=0x0, file_count=3)
    at /home/mark/unpack/php-5.1.2/Zend/zend.c:1101
#7  0x0827a064 in php_execute_script (primary_file=0xbfaabd90, tsrm_ls=0x859b018)
    at /home/mark/unpack/php-5.1.2/main/main.c:1720
#8  0x0832cf73 in main (argc=2, argv=0xbfaabe54)
    at /home/mark/unpack/php-5.1.2/sapi/cli/php_cli.c:1077


History

 [2006-02-24 17:49 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2006-02-24 20:15 UTC] mark at vectrex dot org dot uk
I've tried this again on snapshot php5.1-200602241730, it crashes in the same place. The gdb stack trace is almost identical so I haven't posted it.

Mark
 [2006-02-25 23:06 UTC] mike@php.net
Doesn't happen with the http.inflate filter.
I might have a look at it another day.
 [2006-02-26 01:39 UTC] mike@php.net
zlib.inflate cannot handle gzip data (only *raw* deflated data; note that this is not what a web server would return as deflate encoded content).

If the version requirement for libz were raised to 1.2.2, 0x2f could be passed to inflateInit2 as window bits, which would cause libz to try to inflate gzip as well as zlib encoded data (AKA Content-Encoding: deflate); though a check would be needed for Z_DATA_ERROR and a second try with -MAX_WBITS (for raw deflated data) should be started at the first run.

However this is not the root cause of the SEGV. It seems related to making the incoming bucket writable and freeing the bucket before returning a fatal error to the stream filter layer.

Assigning to Sara, as she's written the zlib filter and should decide what's going to happen.

I suggest you use the http.inflate filter of the PECL http package in the meantime.
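The window-bits handling mike@php.net describes above (inflate with 0x2f so zlib accepts a gzip or zlib header, and on Z_DATA_ERROR at the first call retry the same bytes as raw deflate with -MAX_WBITS), as an added example in Python against the zlib module. It is not code from the bug report, from PHP's zlib filter, or from PECL http; the helper names (`inflate_any`, `decode_content_encoding`, `sample_bodies`) and the sample plaintext are constructed for this illustration. It also shows, in zlib terms, why the reporter's raw-only `zlib.inflate` filter could not have decoded a gzip body even without the segfault.

```python
import zlib
from typing import Dict, Tuple

# zlib window-bits conventions (the same values mike@php.net refers to):
MAX_WBITS = zlib.MAX_WBITS          # 15: largest window, zlib-wrapped stream
AUTO_DETECT_WBITS = MAX_WBITS + 32  # 0x2f: accept either a gzip or a zlib header
RAW_DEFLATE_WBITS = -MAX_WBITS      # negative: no header at all (raw deflate)

# Constructed sample plaintext, not data from the page.
PLAINTEXT = b"constructed sample line: the quick brown fox jumps over the lazy dog\n" * 20


def inflate_raw(data: bytes) -> bytes:
    """Raw deflate only. This is all the PHP 5.1 zlib.inflate filter understood,
    so a gzip body (which starts with the 1f 8b magic) is a data error here."""
    d = zlib.decompressobj(wbits=RAW_DEFLATE_WBITS)
    return d.decompress(data) + d.flush()


def inflate_any(data: bytes) -> Tuple[bytes, str]:
    """Inflate with 0x2f (gzip/zlib auto-detection); if zlib reports a data
    error on the very first call, retry the same bytes as raw deflate."""
    wrapped = zlib.decompressobj(wbits=AUTO_DETECT_WBITS)
    try:
        out = wrapped.decompress(data) + wrapped.flush()
    except zlib.error:
        # No gzip or zlib header found (Z_DATA_ERROR on the first run): treat
        # the body as raw deflate, which some servers send as
        # "Content-Encoding: deflate".
        return inflate_raw(data), "raw"
    kind = "gzip" if data[:2] == b"\x1f\x8b" else "zlib"
    return out, kind


def decode_content_encoding(content_encoding: str, body: bytes) -> bytes:
    """Decode an HTTP body according to its Content-Encoding header value
    (hypothetical helper; not a PHP or zlib API)."""
    enc = content_encoding.strip().lower()
    if enc in ("", "identity"):
        return body
    if enc in ("gzip", "x-gzip", "deflate"):
        # "deflate" is ambiguous in practice (zlib-wrapped per the RFC, raw
        # from some servers), so the detect-then-fallback path serves both.
        return inflate_any(body)[0]
    raise ValueError("unsupported Content-Encoding: %r" % content_encoding)


def sample_bodies() -> Dict[str, bytes]:
    """Constructed compressed bodies in all three framings a server might send."""
    gz = zlib.compressobj(wbits=MAX_WBITS + 16)   # gzip wrapper (1f 8b ...)
    raw = zlib.compressobj(wbits=RAW_DEFLATE_WBITS)
    return {
        "gzip": gz.compress(PLAINTEXT) + gz.flush(),
        "zlib": zlib.compress(PLAINTEXT),           # zlib wrapper (78 9c ...)
        "raw": raw.compress(PLAINTEXT) + raw.flush(),
    }


def raw_inflate_fails_on_gzip() -> bool:
    """The reporter's situation in zlib terms: raw inflate of a gzip body."""
    try:
        inflate_raw(sample_bodies()["gzip"])
    except zlib.error:
        return True
    return False


if __name__ == "__main__":
    for name, body in sample_bodies().items():
        text, kind = inflate_any(body)
        print("%-4s -> detected %-4s ok=%s" % (name, kind, text == PLAINTEXT))
    print("raw inflate of gzip body raises zlib.error:", raw_inflate_fails_on_gzip())
```

The fallback is only safe because the whole body is handed to the first `decompress()` call: a `zlib.error` there means no recognisable header, whereas an error part-way through a stream that did start with a valid header is corruption and should not be retried as raw. For the gzip-only case, PHP 5.4 and later also ship `gzdecode()`, which takes care of the gzip wrapper without going through a stream filter.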
 [2006-10-11 23:25 UTC] pollita@php.net
Fixed. See 38648
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 13:01:59 2014 UTC