Bug #39551 Segfault with stream_bucket_new in user filter
Submitted: 2006-11-18 15:18 UTC Modified: 2006-11-21 15:47 UTC
From: hairmare at gmail dot com Assigned: pollita (profile)
Status: Closed Package: Streams related
PHP Version: 6CVS-2006-11-18 (snap) OS: Linux
Private report: No CVE-ID: None
 [2006-11-18 15:18 UTC] hairmare at gmail dot com
Description:
------------
Using stream_bucket_new on a php://temp stream in a user filter leads to a segfault.

'./configure' '--disable-cgi' '--enable-cli' '--prefix=/usr/local/php6.0-200611181130' '--with-mysql' '--with-openssl' '--with-pdo-mysql' '--enable-soap' '--with-xsl' '--enable-debug'

Reproduce code:
---------------
<?php
// Minimal user filter that reproduces the crash: it creates a bucket on a
// brand-new php://temp resource (not on the stream the filter is attached to)
// and appends that bucket to the output brigade.
class bucketFilter {
    public function filter($in, $out, &$consumed, $closing) {
        // The bucket is bound to an unrelated, freshly opened stream.
        $bucket = stream_bucket_new(fopen('php://temp', 'w+'), '');
        stream_bucket_append($out, $bucket);
        return PSFS_PASS_ON;
    }
}

stream_filter_register('bucketfault', 'bucketFilter');
// Attach the filter to a php://temp stream and trigger it with a read.
stream_filter_append($s = fopen('php://temp', 'r+'), 'bucketfault');
stream_get_contents($s);
?>

Expected result:
----------------
This should either output nothing or an error; it shouldn't crash.

Actual result:
--------------
Segmentation fault

Backtrace:
#0  0x08307d36 in php_stream_bucket_unlink (bucket=0xb6be7c78) at /usr/local/src/php-6/php6.0-200611181130/main/streams/filter.c:285
#1  0x083075d8 in php_stream_bucket_make_writeable (bucket=0xb6be7c78) at /usr/local/src/php-6/php6.0-200611181130/main/streams/filter.c:158
#2  0x082c114e in php_stream_bucket_attach (append=1, ht=2, return_value=0xb6be5f9c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php-6/php6.0-200611181130/ext/standard/user_filters.c:430
#3  0x082c158a in zif_stream_bucket_append (ht=2, return_value=0xb6be5f9c, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php-6/php6.0-200611181130/ext/standard/user_filters.c:484
#4  0x0836a654 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfa02020) at zend_vm_execute.h:209
#5  0x0836f1ba in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfa02020) at zend_vm_execute.h:1648
#6  0x0836a21c in execute (op_array=0xb6be7770) at zend_vm_execute.h:92
#7  0x083312e6 in zend_call_function (fci=0xbfa021a0, fci_cache=0x0) at /usr/local/src/php-6/php6.0-200611181130/Zend/zend_execute_API.c:1036
#8  0x0832fd1d in call_user_function_ex (function_table=0x0, object_pp=0xbfa02268, function_name=0xbfa02250, retval_ptr_ptr=0xbfa0224c, param_count=4, 
    params=0xbfa02230, no_separation=0, symbol_table=0x0) at /usr/local/src/php-6/php6.0-200611181130/Zend/zend_execute_API.c:636
#9  0x082c08bf in userfilter_filter (stream=0xb6be7034, thisfilter=0xb6be7320, buckets_in=0xbfa022f0, buckets_out=0xbfa022e8, consumed=0x0, flags=2)
    at /usr/local/src/php-6/php6.0-200611181130/ext/standard/user_filters.c:205
#10 0x0830047e in php_stream_fill_read_buffer (stream=0xb6be7034, size=8192) at /usr/local/src/php-6/php6.0-200611181130/main/streams/streams.c:465
#11 0x08300976 in _php_stream_read (stream=0xb6be7034, buf=0xb6be7f0c "", size=8192) at /usr/local/src/php-6/php6.0-200611181130/main/streams/streams.c:600
#12 0x08302fa4 in _php_stream_copy_to_mem_ex (src=0xb6be7034, rettype=6 '\006', buf=0xbfa02488, maxlen=0, maxchars=4294967295, persistent=0, __php_stream_call_depth=0, 
    __zend_filename=0x844b110 "/usr/local/src/php-6/php6.0-200611181130/ext/standard/streamsfuncs.c", __zend_lineno=422, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/local/src/php-6/php6.0-200611181130/main/streams/streams.c:1705
#13 0x082c9795 in zif_stream_get_contents (ht=1, return_value=0xb6be6d08, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php-6/php6.0-200611181130/ext/standard/streamsfuncs.c:422
#14 0x0836a654 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfa02600) at zend_vm_execute.h:209
#15 0x0836f1ba in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfa02600) at zend_vm_execute.h:1648
#16 0x0836a21c in execute (op_array=0xb6be4af0) at zend_vm_execute.h:92
#17 0x08342a86 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-6/php6.0-200611181130/Zend/zend.c:1587
#18 0x082ec330 in php_execute_script (primary_file=0xbfa04a50) at /usr/local/src/php-6/php6.0-200611181130/main/main.c:1933
#19 0x083b3318 in main (argc=2, argv=0xbfa04ae4) at /usr/local/src/php-6/php6.0-200611181130/sapi/cli/php_cli.c:1119

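For contrast with the reproduce case above, here is an added example (not code from the bug report or from PHP itself) of a user filter that creates new buckets the documented way: it extends php_user_filter and passes the filter's own stream, which PHP exposes as $this->stream on every php_user_filter instance, to stream_bucket_new(), instead of an unrelated resource opened inside filter(). The filter name, the class name and the input text are constructed for the example.

```php
<?php
// Added example: a php_user_filter subclass that uppercases the data passing
// through it and emits one trailer bucket created on the filter's own stream.
class upperTrailerFilter extends php_user_filter
{
    // Guard so the trailer is emitted only once, even if filter() is invoked
    // with $closing set more than once (at EOF and again when the stream closes).
    private $trailerSent = false;

    public function filter($in, $out, &$consumed, bool $closing): int
    {
        // Make each incoming bucket writeable, transform it, account for the
        // bytes consumed and pass it on to the output brigade.
        while ($bucket = stream_bucket_make_writeable($in)) {
            $bucket->data = strtoupper($bucket->data);
            $consumed += $bucket->datalen;
            stream_bucket_append($out, $bucket);
        }

        // New buckets must belong to the stream this filter is attached to:
        // $this->stream is that resource, set by PHP before filter() is called.
        if ($closing && !$this->trailerSent) {
            $trailer = stream_bucket_new($this->stream, "[end of stream]\n");
            stream_bucket_append($out, $trailer);
            $this->trailerSent = true;
        }

        return PSFS_PASS_ON;
    }
}

stream_filter_register('example.upper.trailer', 'upperTrailerFilter');

// Constructed input: a few lines written to php://temp, then read back
// through the filter on the read chain only.
$s = fopen('php://temp', 'w+');
fwrite($s, "hello world\nsecond line\n");
rewind($s);
stream_filter_append($s, 'example.upper.trailer', STREAM_FILTER_READ);

// Prints the two lines uppercased, followed by the trailer line.
echo stream_get_contents($s);
fclose($s);
```

Attaching the filter with STREAM_FILTER_READ keeps it off the write chain, so the fwrite() that seeds the temp stream is not filtered; the trailer is created only after the reader has hit EOF, at which point PHP calls filter() with $closing set.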

 [2006-11-20 09:35 UTC] tony2001@php.net
Sara, I can confirm this.
 [2006-11-21 15:47 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
