php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44683 popen with modes such as "e" or "er" cause php.exe to crash
Submitted: 2008-04-10 11:43 UTC Modified: 2010-09-21 17:05 UTC
From: d_kelsey at uk dot ibm dot com Assigned: pajoye
Status: Closed Package: Reproducible crash
PHP Version: 5.2.8 OS: win32 only - Windows XP
Private report: No CVE-ID:
 [2008-04-10 11:43 UTC] d_kelsey at uk dot ibm dot com
Description:
------------
trying different modes on php.exe on windows. I tried "e" and "er". Both cause php to crash. a mode of "re" works.
This is also different from linux where it seems that only "r" or "w" are valid modes. Anything else or more than 1 character result in a php warning of invalid argument.

Reproduce code:
---------------
<?php
$t1 = popen("echo hello", "e");
pclose($t1);
$t2 = popen("echo hello", "re");
pclose($t2);
$t3 = popen("echo hello", "er");
pclose($t3);
?>

Expected result:
----------------
Expected output would be the same as linux.
Warning: popen(echo hello,e): Invalid argument in /data/workspace/phpcode/popen/badpopen.php on line 2

Warning: popen(echo hello,re): Invalid argument in /data/workspace/phpcode/popen/badpopen.php on line 4

Warning: popen(echo hello,er): Invalid argument in /data/workspace/phpcode/popen/badpopen.php on line 6


Actual result:
--------------
Windows crashes on "e" and "er" but allows "re"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-04-10 11:51 UTC] d_kelsey at uk dot ibm dot com
One thing I missed, on windows you should be able to specify b or t as a supplement to r and w, ie rb, rt, wb, wt, so modes of 2 characters should be allowed on windows.
 [2008-04-10 11:58 UTC] d_kelsey at uk dot ibm dot com
opps, looks like modes supplemented with b should also work on linux.
 [2008-04-18 12:51 UTC] d_kelsey at uk dot ibm dot com
fails on latest snapshot. Backtrace is

>	ntdll.dll!7c9010f3() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]	
 	msvcrt.dll!77c3b974() 	
 	msvcrt.dll!77c3eb23() 	
 	msvcrt.dll!77c3eb13() 	
 	msvcrt.dll!77c2e556() 	
 	php5ts.dll!popen_ex(const char * command=0x0122c9c0, const char * type=0x0122db18, const char * cwd=0x00301cc0, char * env=0x00000000)  Line 239	C
 	php5ts.dll!virtual_popen(const char * command=0x0122c9c0, const char * type=0x0122db18, void * * * tsrm_ls=0x00301c80)  Line 1172 + 0x24 bytes	C
 	php5ts.dll!zif_popen(int ht=19015924, _zval_struct * return_value=0x0122c9f0, _zval_struct * * return_value_ptr=0x00000000, _zval_struct * this_ptr=0x00000000, int return_value_used=1, void * * * tsrm_ls=0x00301c80)  Line 986 + 0x10 bytes	C
 	php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data=0x00c0fbd0, void * * * tsrm_ls=0x00301c80)  Line 200 + 0x3d bytes	C
 	php5ts.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data=0x00000000, void * * * tsrm_ls=0x00301c80)  Line 1679 + 0xe bytes	C
 	php5ts.dll!execute(_zend_op_array * op_array=0x00000008, void * * * tsrm_ls=0x00301c80)  Line 92 + 0xc bytes	C
 	php5ts.dll!php_execute_script(_zend_file_handle * primary_file=0x00c0fec8, void * * * tsrm_ls=0x00301c80)  Line 2005 + 0x12 bytes	C
 	php.exe!main(int argc=2, char * * argv=0x00301cf0)  Line 1141	C
 	php.exe!_mainCRTStartup()  + 0xe3 bytes	
 	kernel32.dll!7c816fd7()
 [2009-01-19 17:51 UTC] d_kelsey at uk dot ibm dot com
This is still a problem in php528. The crash looks like it is due to a bug in the Microsoft C runtime library when calling _fdopen and the type being passed to it is "e".

I think popen_ex in tsrm_win32.c should check that the first byte is either "w" or "r" and if not raise a php warning "invalid argument". Then it should check if the 2nd byte is present and if so it should only allow "b" or "t" anything else should also raise a php warning "invalid argument". This should then bring php.net on windows in line with what happens on php.net for linux.
 [2009-08-26 19:57 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=287779
Log: - fix #44683, popen crashes when an invalid mode is passed (works on 2k8/vista/win7)
 [2009-08-26 20:05 UTC] pajoye@php.net
Fixed in 5.2, 5.3 and HEAD. It was bug in the Windows VC6 CRT, the same code works well on any recent windows (vista, 2008, win7).

fdopen crashes when an invalid mode is given.
 [2010-09-21 16:08 UTC] tony dot dziedzic at oracle dot com
If a caller specifies an invalid mode argument (e.g., "w+"), this change results in the message "PHP Warning: popen(...) No error in <script> on line <number>".  It would be helpful if the message displayed was something more indicative of the user's error than "No error".
 [2010-09-21 17:05 UTC] pajoye@php.net
There is another report about the error message. It is due to a mix usage of Win32 APIs and ansi/posix-like API, but only the error system for the latter is used.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC