PHP :: Bug #44683 :: popen with modes such as "e" or "er" cause php.exe to crash

Bug #44683	popen with modes such as "e" or "er" cause php.exe to crash
Submitted:	2008-04-10 11:43 UTC	Modified:	2010-09-21 17:05 UTC
From:	d_kelsey at uk dot ibm dot com	Assigned:	pajoye (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	5.2.8	OS:	win32 only - Windows XP
Private report:	No	CVE-ID:	None

View Developer Edit

[2008-04-10 11:43 UTC] d_kelsey at uk dot ibm dot com

Description:
------------
trying different modes on php.exe on windows. I tried "e" and "er". Both cause php to crash. a mode of "re" works.
This is also different from linux where it seems that only "r" or "w" are valid modes. Anything else or more than 1 character result in a php warning of invalid argument.

Reproduce code:
---------------
<?php
$t1 = popen("echo hello", "e");
pclose($t1);
$t2 = popen("echo hello", "re");
pclose($t2);
$t3 = popen("echo hello", "er");
pclose($t3);
?>

Expected result:
----------------
Expected output would be the same as linux.
Warning: popen(echo hello,e): Invalid argument in /data/workspace/phpcode/popen/badpopen.php on line 2

Warning: popen(echo hello,re): Invalid argument in /data/workspace/phpcode/popen/badpopen.php on line 4

Warning: popen(echo hello,er): Invalid argument in /data/workspace/phpcode/popen/badpopen.php on line 6


Actual result:
--------------
Windows crashes on "e" and "er" but allows "re"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-04-10 11:51 UTC] d_kelsey at uk dot ibm dot com

One thing I missed, on windows you should be able to specify b or t as a supplement to r and w, ie rb, rt, wb, wt, so modes of 2 characters should be allowed on windows.

[2008-04-10 11:58 UTC] d_kelsey at uk dot ibm dot com

opps, looks like modes supplemented with b should also work on linux.

[2008-04-18 12:51 UTC] d_kelsey at uk dot ibm dot com

fails on latest snapshot. Backtrace is

>	ntdll.dll!7c9010f3() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]	
 	msvcrt.dll!77c3b974() 	
 	msvcrt.dll!77c3eb23() 	
 	msvcrt.dll!77c3eb13() 	
 	msvcrt.dll!77c2e556() 	
 	php5ts.dll!popen_ex(const char * command=0x0122c9c0, const char * type=0x0122db18, const char * cwd=0x00301cc0, char * env=0x00000000)  Line 239	C
 	php5ts.dll!virtual_popen(const char * command=0x0122c9c0, const char * type=0x0122db18, void * * * tsrm_ls=0x00301c80)  Line 1172 + 0x24 bytes	C
 	php5ts.dll!zif_popen(int ht=19015924, _zval_struct * return_value=0x0122c9f0, _zval_struct * * return_value_ptr=0x00000000, _zval_struct * this_ptr=0x00000000, int return_value_used=1, void * * * tsrm_ls=0x00301c80)  Line 986 + 0x10 bytes	C
 	php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data=0x00c0fbd0, void * * * tsrm_ls=0x00301c80)  Line 200 + 0x3d bytes	C
 	php5ts.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data=0x00000000, void * * * tsrm_ls=0x00301c80)  Line 1679 + 0xe bytes	C
 	php5ts.dll!execute(_zend_op_array * op_array=0x00000008, void * * * tsrm_ls=0x00301c80)  Line 92 + 0xc bytes	C
 	php5ts.dll!php_execute_script(_zend_file_handle * primary_file=0x00c0fec8, void * * * tsrm_ls=0x00301c80)  Line 2005 + 0x12 bytes	C
 	php.exe!main(int argc=2, char * * argv=0x00301cf0)  Line 1141	C
 	php.exe!_mainCRTStartup()  + 0xe3 bytes	
 	kernel32.dll!7c816fd7()

[2009-01-19 17:51 UTC] d_kelsey at uk dot ibm dot com

This is still a problem in php528. The crash looks like it is due to a bug in the Microsoft C runtime library when calling _fdopen and the type being passed to it is "e".

I think popen_ex in tsrm_win32.c should check that the first byte is either "w" or "r" and if not raise a php warning "invalid argument". Then it should check if the 2nd byte is present and if so it should only allow "b" or "t" anything else should also raise a php warning "invalid argument". This should then bring php.net on windows in line with what happens on php.net for linux.

[2009-08-26 19:57 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=287779
Log: - fix #44683, popen crashes when an invalid mode is passed (works on 2k8/vista/win7)

[2009-08-26 20:05 UTC] pajoye@php.net

Fixed in 5.2, 5.3 and HEAD. It was bug in the Windows VC6 CRT, the same code works well on any recent windows (vista, 2008, win7).

fdopen crashes when an invalid mode is given.

[2010-09-21 16:08 UTC] tony dot dziedzic at oracle dot com

If a caller specifies an invalid mode argument (e.g., "w+"), this change results in the message "PHP Warning: popen(...) No error in <script> on line <number>".  It would be helpful if the message displayed was something more indicative of the user's error than "No error".

[2010-09-21 17:05 UTC] pajoye@php.net

There is another report about the error message. It is due to a mix usage of Win32 APIs and ansi/posix-like API, but only the error system for the latter is used.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 19:00:01 2025 UTC