Bug #38648 NULL pointer leads to core dump in "php_stream_bucket_unlink()"
Submitted: 2006-08-30 05:49 UTC Modified: 2006-10-11 23:27 UTC
From: songmaqd at hotmail dot com Assigned: pollita (profile)
Status: Not a bug Package: Streams related
PHP Version: 5CVS-2006-08-30 (CVS) OS: UNIX
Private report: No CVE-ID: None
 [2006-08-30 05:49 UTC] songmaqd at hotmail dot com
Description:
------------
In the source file "main/streams/filter.c", the function "PHPAPI void php_stream_bucket_unlink(php_stream_bucket *bucket TSRMLS_DC)" needs an additional sanity check for a NULL "brigade" pointer. Otherwise it leads to a core dump if "brigade" is NULL.

A possible example for this fix is:
PHPAPI void php_stream_bucket_unlink(php_stream_bucket *bucket TSRMLS_DC)
{
	if (bucket->prev) {
		bucket->prev->next = bucket->next;
	} else if (bucket->brigade) { /* newly added: only touch the brigade if it is set */
		bucket->brigade->head = bucket->next;
	}
	if (bucket->next) {
		bucket->next->prev = bucket->prev;
	} else if (bucket->brigade) { /* newly added */
		bucket->brigade->tail = bucket->prev;
	}
	bucket->brigade = NULL;
	bucket->next = bucket->prev = NULL;
}

 [2006-08-30 08:48 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2006-08-31 10:07 UTC] songmaqd at hotmail dot com
Here is the reproduction script:
<?php
class strtoupper_filter extends php_user_filter {
  function filter($in, $out, &$consumed, $closing)
    {
      while ($bucket = stream_bucket_make_writeable($in)) {}
    }
}
stream_filter_register("strtoupper", "strtoupper_filter");
$fp = fopen("foo-bar.txt", "w");
stream_filter_append($fp, "strtoupper");
fwrite($fp, "Line1\n");

Note:
1. This bug cannot be reproduced on the Linux platform. My distro is SuSE 10.1. I can reproduce the bug on one particular UNIX platform.

2. The above script is for testing purposes and is deliberately written like that. It does not follow the usual stream filter coding style.

3. Here is some debugger info. "php_stream_bucket_unlink" was called twice; I guess the second call is to clean up the system resource, and "brigade" is "0x0" at that moment.
**** ****
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c"  ($t2)
  235           if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen = 6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) print *bucket->brigade
(head = 0x2223D000, tail = 0x2223D000)
(/tmp/dbx) print *bucket->brigade->head
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen = 6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink.$b156 at line 238 in file "filter.c"  ($t2)
  238                   bucket->brigade->head = bucket->next;
(/tmp/dbx) list
  239           }
  240           if (bucket->next) {
  241                   bucket->next->prev = bucket->prev;
  242           } else if (bucket->brigade) {
  243                   bucket->brigade->tail = bucket->prev;
  244           }
  245           bucket->brigade = NULL;
  246           bucket->next = bucket->prev = NULL;
  247   }
(/tmp/dbx) cont
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c"  ($t2)
  235           if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x0, buf = "", buflen = 0, own_buf = 0, is_persistent = 0, refcount = 0)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 240 in file "filter.c"  ($t2)
  240           if (bucket->next) {
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 245 in file "filter.c"  ($t2)
  245           bucket->brigade = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 246 in file "filter.c"  ($t2)
  246           bucket->next = bucket->prev = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 247 in file "filter.c"  ($t2)
  247   }
(/tmp/dbx) cont
program exited
**** ****
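To make the failure mode in the proposed fix and in the debugger trace above concrete, here is an added stand-alone C example; it is not code from PHP or from the reporter. It uses simplified stand-ins for php_stream_bucket and php_stream_bucket_brigade (same field names, no buffers, refcounts or TSRMLS), an append() helper that mirrors what php_stream_bucket_append does, the unlink as it stood before the fix (unlink_unguarded, kept only for comparison and never called on an orphaned bucket), and the guarded version from the report. double_unlink_scenario() replays the trace: one bucket unlinked twice, the second time with brigade already NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for PHP's bucket/brigade structs (constructed for this example). */
typedef struct bucket bucket_t;
typedef struct brigade {
    bucket_t *head;
    bucket_t *tail;
} brigade_t;
struct bucket {
    bucket_t *next;
    bucket_t *prev;
    brigade_t *brigade;
    const char *buf;   /* payload, not used by unlink; constructed sample data */
};

/* Pre-fix behaviour: dereferences bucket->brigade unconditionally when the
 * bucket is first or last in its list, so a bucket whose brigade is already
 * NULL (e.g. one that was unlinked before) crashes here. Never called on such
 * a bucket in this example. */
static void unlink_unguarded(bucket_t *bucket)
{
    if (bucket->prev) {
        bucket->prev->next = bucket->next;
    } else {
        bucket->brigade->head = bucket->next;   /* NULL dereference if brigade == NULL */
    }
    if (bucket->next) {
        bucket->next->prev = bucket->prev;
    } else {
        bucket->brigade->tail = bucket->prev;   /* same */
    }
    bucket->brigade = NULL;
    bucket->next = bucket->prev = NULL;
}

/* Guarded version from the report. Returns 1 if the bucket was detached from a
 * brigade, 0 if it was already orphaned (brigade == NULL), so the two cases can
 * be told apart; the real PHP function returns void. */
static int unlink_guarded(bucket_t *bucket)
{
    int was_linked = bucket->brigade != NULL;
    if (bucket->prev) {
        bucket->prev->next = bucket->next;
    } else if (bucket->brigade) {
        bucket->brigade->head = bucket->next;
    }
    if (bucket->next) {
        bucket->next->prev = bucket->prev;
    } else if (bucket->brigade) {
        bucket->brigade->tail = bucket->prev;
    }
    bucket->brigade = NULL;
    bucket->next = bucket->prev = NULL;
    return was_linked;
}

/* Append at the tail, mirroring php_stream_bucket_append. */
static void append(brigade_t *b, bucket_t *bucket)
{
    bucket->next = NULL;
    bucket->prev = b->tail;
    bucket->brigade = b;
    if (b->tail) b->tail->next = bucket; else b->head = bucket;
    b->tail = bucket;
}

/* Walk head->tail, checking prev links, brigade back-pointers and the tail
 * pointer. Returns the bucket count, or -1 if the list is inconsistent. */
static int brigade_len(const brigade_t *b)
{
    int n = 0;
    const bucket_t *prev = NULL;
    for (const bucket_t *cur = b->head; cur; prev = cur, cur = cur->next) {
        if (cur->prev != prev || cur->brigade != b) return -1;
        n++;
    }
    return prev == b->tail ? n : -1;
}

/* Replays the trace: the only bucket in a brigade is unlinked twice.
 * Returns the second call's result: 0 means it was a harmless no-op. */
static int double_unlink_scenario(void)
{
    brigade_t b = { NULL, NULL };
    bucket_t only = { NULL, NULL, NULL, "Line1\n" };  /* constructed sample payload */
    append(&b, &only);
    unlink_guarded(&only);          /* brigade is now empty, only.brigade == NULL */
    return unlink_guarded(&only);   /* pre-fix code would dereference NULL here */
}

int main(void)
{
    brigade_t b = { NULL, NULL };
    bucket_t x = { NULL, NULL, NULL, "x" }, y = { NULL, NULL, NULL, "y" };
    append(&b, &x);
    append(&b, &y);
    unlink_unguarded(&y);           /* safe here: y is still linked to a brigade */
    printf("after one unlink: %d bucket(s), list consistent\n", brigade_len(&b));
    printf("second unlink of an orphaned bucket returned %d (no crash)\n",
           double_unlink_scenario());
    return 0;
}
```

The guard costs nothing on the normal path and turns the second, cleanup-time call from the trace into a no-op; brigade_len() is the consistency check a maintainer would run after each unlink to confirm head, tail and prev links still agree.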
 [2006-09-01 12:57 UTC] tony2001@php.net
Assigned to the maintainer.
 [2006-10-11 23:12 UTC] pollita@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fix will appear in 5.2.0RC6
 [2006-10-11 23:27 UTC] pollita@php.net
Changing status for record keeping purposes.

Not actually bogus, but it is a duplicate of Bug#36515 which wins because it was reported first.

For the record though, your report and analysis were much better :)
 