Bug #40635 segfault in curl extension
Submitted: 2007-02-26 05:36 UTC Modified: 2007-02-26 09:14 UTC
From: shar at cflash dot com Assigned:
Status: Closed Package: cURL related
PHP Version: 4.4.6RC1 OS: FreeBSD 4.11, 6.2
Private report: No CVE-ID:
 [2007-02-26 05:36 UTC] shar at cflash dot com
php segfaults on curl_exec, 2nd call in the sample code. Crashes with 4.4.5 and STABLE-200702260130 snapshot.

Reproduce code:

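<?php
$url = "http://localhost"; // placeholder: the report does not give the URL used

$l = curl_init ();

curl_setopt ($l, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($l, CURLOPT_URL, "{$url}/index.php");
curl_exec ($l);

// Same handle, new URL: this second curl_exec() is the call that segfaults.
curl_setopt ($l, CURLOPT_URL, $url);
$r = curl_exec ($l);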

Expected result:
run w/o segfault

Actual result:
#0  0x80eb7fc in _erealloc (ptr=0x81be024, size=28520, allow_failure=0, 
    __zend_filename=0x28289ba0 "/usr/local/include/php/ext/standard/php_smart_str.h", __zend_lineno=83, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/ports-current/ports/lang/php4/work/php4-STABLE-200702260130/Zend/zend_alloc.c:350
350             REMOVE_POINTER_FROM_LIST(p);

#1  0x28286bc2 in curl_write (
    data=0x81b55b4 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n
", ' ' <repeats 22 times>, "\"\
">\n<html xmlns=\"\" xml:lang=\"en\" lang=\"en\">\n"..., size=1, nmemb=1076, ctx=0x81a8a24)
    at /usr/local/include/php/ext/standard/php_smart_str.h:83
83              smart_str_alloc(dest, len, what);

#2  0x2829cb6c in Curl_client_write () from /usr/local/lib/
#3  0x282b05b9 in Curl_httpchunk_read () from /usr/local/lib/
#4  0x282ae389 in Curl_readwrite () from /usr/local/lib/
#5  0x282aefda in Transfer () from /usr/local/lib/
#6  0x282af90f in Curl_perform () from /usr/local/lib/
#7  0x282afea5 in curl_easy_perform () from /usr/local/lib/
#8  0x28288fbf in zif_curl_exec (ht=1, return_value=0x81b3724, this_ptr=0x0, 
    at /usr/ports-current/ports/ftp/php4-curl/work/php4-STABLE-200702260130/ext/curl/curl.c:1294


 [2007-02-26 09:14 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Tue Oct 13 21:01:29 2015 UTC