Bug #38944 ZipArchive exits with SEGV
Submitted: 2006-09-25 00:27 UTC Modified: 2006-09-25 09:42 UTC
From: judas dot iscariote at gmail dot com Assigned: pajoye (profile)
Status: Closed Package: Zip Related
PHP Version: 5CVS-2006-09-25 (CVS) OS: linux
Private report: No CVE-ID: None
 [2006-09-25 00:27 UTC] judas dot iscariote at gmail dot com
Description:
------------
The following code segfaults (the backtrace below shows the crash while var_dump() reads the archive's "comment" property of a freshly created, still empty archive).

Reproduce code:
---------------
<?php

/**
 * Minimal wrapper around ZipArchive used to reproduce the crash.
 *
 * The archive object is created in the constructor and opened on demand
 * through Myopen(); the handle is public so that var_dump() descends into it.
 */
class zipper {

    /** @var ZipArchive wrapped archive handle (public on purpose, see class doc) */
    public $zip_handler;

    public function __construct()
    {
        $this->zip_handler = new ZipArchive();
    }

    /**
     * Open the archive at $filename, creating it when it does not exist.
     *
     * Returns whatever ZipArchive::open() returns: true on success,
     * otherwise an integer ZipArchive error code.
     */
    public function Myopen($filename)
    {
        $mode = ZipArchive::CREATE; // class-constant lookup is case-insensitive, same as ZIPARCHIVE::CREATE
        return $this->zip_handler->open($filename, $mode);
    }
}

// Reproduction: build the wrapper, create an (empty) archive on disk and
// dump the object. In the reported build the dump crashes while the zip
// extension reads the archive's "comment" property (see backtrace).
$foo = new zipper;
$foo->Myopen('/tmp/foo.zip');
var_dump($foo);
?>

Expected result:
----------------
$foo is printed by var_dump() and the script exits normally.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50, lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
49                  *lenp = za->cdir->comment_len;
(gdb) bt full
#0  0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50, lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
No locals.
#1  0x00000000006181a5 in php_zipobj_get_zip_comment (za=0xa74b50, len=0x7fffaeae4534)
    at /home/cristian/php-src/ext/zip/php_zip.c:255
No locals.
#2  0x00000000006182c3 in php_zip_property_reader (obj=0x2b0afc0a57b0, hnd=0x99b000, retval=0x7fffaeae45c8, newzval=0)
    at /home/cristian/php-src/ext/zip/php_zip.c:322
        retchar = 0x0
        retint = 0
        len = 0
#3  0x00000000006187f6 in php_zip_get_properties (object=0x2b0afc0a5638) at /home/cristian/php-src/ext/zip/php_zip.c:467
        obj = (ze_zip_object *) 0x2b0afc0a57b0
        hnd = (zip_prop_handler *) 0x99b000
        props = (HashTable *) 0x2b0afc0a5840
        val = (zval *) 0x2b0afc0a5ee8
        ret = 0
        key = 0x99afe0 "comment"
        key_len = 8
        pos = (HashPosition) 0x99afa0
        num_key = 5
#4  0x00000000005e082e in php_var_dump (struc=0x2b0afc0a5498, level=3) at /home/cristian/php-src/ext/standard/var.c:140
        myht = (HashTable *) 0x0
        class_name = 0x7fffaeae4700 " G\177"
        class_name_len = 5
        php_element_dump_func = (int (*)(zval **, int, struct __va_list_tag *, zend_hash_key *)) 0x5aeae4770
#5  0x00000000005e04bf in php_object_property_dump (zv=0x2b0afc0a5498, num_args=1, args=0x7fffaeae47d0,
    hash_key=0x7fffaeae47b0) at /home/cristian/php-src/ext/standard/var.c:96
        level = 1
        prop_name = 0x2b0afc0a54c0 "zip_handler"
        class_name = 0x0
#6  0x000000000068f27e in zend_hash_apply_with_arguments (ht=0x2b0afc0a5368, destruct=0x5e034b <php_object_property_dump>,
    num_args=1) at /home/cristian/php-src/Zend/zend_hash.c:710
        p = (Bucket *) 0x2b0afc0a5480
        args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffaeae48b0, reg_save_area = 0x7fffaeae47f0}}
        hash_key = {arKey = 0x2b0afc0a54c0 "zip_handler", nKeyLength = 12, h = 16128149184387123093}
#7  0x00000000005e099b in php_var_dump (struc=0x2b0afc0803b8, level=1) at /home/cristian/php-src/ext/standard/var.c:152
        myht = (HashTable *) 0x2b0afc0a5368
        class_name = 0x2b0afc0a5318 ""
        class_name_len = 6
        php_element_dump_func = (int (*)(zval **, int, struct __va_list_tag *,
   zend_hash_key *)) 0x5e034b <php_object_property_dump>
#8  0x00000000005e0b5f in zif_var_dump (ht=1, return_value=0x2b0afc0a5958, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at /home/cristian/php-src/ext/standard/var.c:193
        args = (zval ***) 0x2b0afc0a51c0
        argc = 1
        i = 0
#9  0x00000000006a7cf6 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2b0afc0a2058
        original_return_value = (zval **) 0x2b0afc0a52c0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 0
        should_change_scope = 0 '\0'
        ctor_opline = (zend_op *) 0x9006e8ddf
#10 0x00000000006add96 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:1681
        opline = (zend_op *) 0x2b0afc0a2058
        fname = (zval *) 0x2b0afc0a2088
#11 0x00000000006a7797 in execute (op_array=0x2b0afc0a18d8) at /home/cristian/php-src/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2b0afc0a2058, function_state = {function_symbol_table = 0x2b0afc0a5520,
    function = 0x96e050, reserved = {0x2b0afc0a1a08, 0x7fffaeae4d30, 0x67505e, 0x0}}, fbc = 0x0, op_array = 0x2b0afc0a18d8,
  object = 0x0, Ts = 0x7fffaeae4b60, CVs = 0x7fffaeae4b40, original_in_execution = 0 '\0', symbol_table = 0x93e168,
  prev_execute_data = 0x0, old_error_reporting = 0x0}
#12 0x00000000006817b2 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
        files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffaeae4f60, reg_save_area = 0x7fffaeae4ea0}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fffaeae7360
        orig_op_array = (zend_op_array *) 0x0
        local_retval = (zval *) 0x0
#13 0x0000000000629426 in php_execute_script (primary_file=0x7fffaeae7360) at /home/cristian/php-src/main/main.c:1759
        realfile = "/srv/www/htdocs/class.zipper.php\000\006\000\000\177\000\000-\210h\000\000\000\000\000&#65533;203\237\n+\000\000&#65533;216\n+\000\000\006\000\000\177\000\000&#65533;\220", '\0' <repeats 13 times>, "\200u\177", '\0' <repeats 26 times>, "&#65533;\n+\000\000\001\000\000\000\177\000\000\000\000\000\000\000\000\000\000str_pad\000HY{\000\000\000\000\000&#65533;203\237\n+\000\000\000\r\n+\000\000&#65533;\177\000\000B\005\n+\000\000&#65533;o\000\000\000\000\000\000\177y\000\000\000\000\000\224\000\000\000\000\000&#65533;h"...
        __orig_bailout = (jmp_buf *) 0x7fffaeae71e0
        __bailout = {{__jmpbuf = {47326178421760, -69763556646008843, 0, 140736124056960, 0, 0, -69763556645996091,
      -69707295103899789}, __mask_was_saved = 0, __saved_mask = {__val = {6749112, 140736124055616, 6693656,
        47321949667651, 2930667632, 0, 2186138353664, 8135640, 47326178184376, 140736124055888, 7341490, 8135640, 474, 0,
       0, 3}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {
      handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fffaeae4f80 ""
        retval = 0
#14 0x00000000007015ec in main (argc=2, argv=0x7fffaeae7588) at /home/cristian/php-src/sapi/cli/php_cli.c:1108
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47326178421760, -69763556646010363, 0, 140736124056960, 0, 0, -69763556646008891,
      -69707295104778918}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 0, 140736124056288, 0, 0, 0, 0,
        2641803917, 47326178424384, 47326178426208, 281474976710656, 0, 0}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fffaeae8ef1 "class.zipper.php",
  opened_path = 0x2b0afc0a1868 'Z' <repeats 33 times>, "\204&#65533;217*", handle = {fd = 10963600, fp = 0xa74a90, stream = {
      handle = 0xa74a90, reader = 0x69a350 <zend_stream_stdio_reader>, closer = 0x69a37c <zend_stream_stdio_closer>,
      fteller = 0x69a3a3 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fffaeae8ef1 "class.zipper.php"
        arg_excp = (char **) 0x7fffaeae7590
        script_file = 0x7fffaeae8ef1 "class.zipper.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110


 [2006-09-25 08:30 UTC] tony2001@php.net
Pierre, it looks like a problem in the underlying library:
(gdb) p za->cdir
$3 = (struct zip_cdir *) 0x0

Shouldn't it check for NULL before dereferencing the pointer?
 [2006-09-25 09:42 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Yes, it was this problem; too bad that NNTP lags, it would have saved 30 minutes of tests ;)

Thanks for the heads-up and the test!
 