|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #36515 stream_filter_append with zlib inflate filter on http stream crashes
Submitted: 2006-02-24 17:27 UTC Modified: 2006-10-11 23:25 UTC
From: mark at vectrex dot org dot uk Assigned: pollita (profile)
Status: Closed Package: Streams related
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: mark at vectrex dot org dot uk
New email:
PHP Version: OS:


 [2006-02-24 17:27 UTC] mark at vectrex dot org dot uk
I'm trying to fetch a gzipped item from a web server and inflate it using the zlib inflate filter.

This causes a segfault.

Reproduce code:
	echo "Registered filters: --- \n\n";
	$opts = array(
			'header' => "Accept-Encoding:gzip"
	$ctx = stream_context_create($opts);
	$url = "";
	$f = fopen($url, "r", false, $ctx);
	echo "appending filter...\n";
	stream_filter_append($f, 'zlib.inflate', STREAM_FILTER_READ);
	echo "filter appended, getting data....\n";
	$data = stream_get_contents($f);
	$metadata = stream_get_meta_data($f);
	echo "METADATA: ----- \n\n";
	echo "DATA: ----- \n\n";
	print $data ;

Expected result:
The file will be printed uncompressed. This is intended to use the CLI SAPI.

Actual result:
Registered filters: --- 

    [0] => string.rot13
    [1] => string.toupper
    [2] => string.tolower
    [3] => string.strip_tags
    [4] => convert.*
    [5] => convert.iconv.*
    [6] => zlib.*
appending filter...

Then it crashes with a segfault, stack trace is:

#0  0x0828efb8 in php_stream_bucket_unlink (bucket=0x86bac94, tsrm_ls=0x859b018)
    at /home/mark/unpack/php-5.1.2/main/streams/filter.c:228
#1  0x0828f46d in _php_stream_filter_append (chain=0x86bad74, filter=0x86b9934, 
    tsrm_ls=0x859b018) at /home/mark/unpack/php-5.1.2/main/streams/filter.c:370
#2  0x0826729a in apply_filter_to_stream (append=1, ht=0, return_value=0x86b8894, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x859b018)
    at /home/mark/unpack/php-5.1.2/ext/standard/streamsfuncs.c:1085
#3  0x0826739c in zif_stream_filter_append (ht=0, return_value=0x0, return_value_ptr=0x0, 
    this_ptr=0x0, return_value_used=0, tsrm_ls=0x0)
    at /home/mark/unpack/php-5.1.2/ext/standard/streamsfuncs.c:1123
#4  0x082d5fee in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaa9910, tsrm_ls=0x859b018)
    at zend_vm_execute.h:192
#5  0x082d56ec in execute (op_array=0x86b5994, tsrm_ls=0x859b018) at zend_vm_execute.h:92
#6  0x082bb1fc in zend_execute_scripts (type=8, tsrm_ls=0x859b018, retval=0x0, file_count=3)
    at /home/mark/unpack/php-5.1.2/Zend/zend.c:1101
#7  0x0827a064 in php_execute_script (primary_file=0xbfaabd90, tsrm_ls=0x859b018)
    at /home/mark/unpack/php-5.1.2/main/main.c:1720
#8  0x0832cf73 in main (argc=2, argv=0xbfaabe54)
    at /home/mark/unpack/php-5.1.2/sapi/cli/php_cli.c:1077


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-02-24 17:49 UTC]
Please try using this CVS snapshot:
For Windows:

 [2006-02-24 20:15 UTC] mark at vectrex dot org dot uk
I've tried this again on snapshot php5.1-200602241730, it crashes in the same place. The gdb stack trace is almost identical so I haven't posted it.

 [2006-02-25 23:06 UTC]
Doesn't happen with the http.inflate filter.
I might have alook at it another day.
 [2006-02-26 01:39 UTC]
zlib.inflate cannot handle gzip data (only *raw* deflated data; note that this is not what a web server would return as deflate encoded content).

If the version requirement for libz would be raised to 1.2.2, 0x2f could be passed to inflateInit2 as window bits, which would cause libz to try to inflate gzip as well as zlib encoded data (AKA Content-Ecnoding: deflate); though a check would be needed for Z_DATA_ERROR and a second try with -MAX_WBITS (for raw deflated data) should be started at the first run.

However this is not the root cause of the SEGV. It seems related to making the incoming bucket writable and freeing the bucket before returning a fatal error to the stream filter layer.

Assigning to Sara, as she's written the zlib filter and should decide what's going to happen.

I suggest you use the http.inflate filter of the PECL http package in the meantime.
 [2006-10-11 23:25 UTC]
Fixed. See 38648
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 23 09:01:27 2024 UTC