Bug #48203 crash when CURLOPT_STDERR is set to regular file
Submitted: 2009-05-09 13:44 UTC Modified: 2011-09-08 14:38 UTC
From: php-bug at paulsohier dot nl Assigned: bjori
Status: Closed Package: cURL related
PHP Version: 5.*, 6CVS (2009-05-09) OS: *
Private report: No CVE-ID:
 [2009-05-09 13:44 UTC] php-bug at paulsohier dot nl
Description:
------------
Discovered during testfest in Utrecht and asked by Piere to report it.

When calling curl with a certain URL and without closing the curl stream, curl will segfault.

Curl version:
paul@dwerg:~/php/php5.3-200905090830$ curl-config --version
libcurl 7.18.2

Used host where it segfaults: www.hosthuis.nl
Used host where it does NOT segfault: www.example.org

Reproduce code:
---------------
<?php

$host = 'www.hosthuis.nl';

$temp_file = tempnam(sys_get_temp_dir(), '');
$handle = fopen($temp_file, 'w');

$url = "{$host}/";
$ch = curl_init();

ob_start(); // start output buffering
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, $handle); // libcurl keeps the FILE * behind this PHP stream
curl_setopt($ch, CURLOPT_URL, $url); // set the url we want to use

curl_exec($ch);

// The stream is closed while the curl handle still points at it; curl_close($ch)
// is deliberately omitted, so the handle is only destroyed at request shutdown.
fclose($handle);
?>

Expected result:
----------------
The contents of the site

Actual result:
--------------
The contents of the site and a segfault

From run-tests (slightly different script):

*** glibc detected *** /home/paul/php/php5.3-200905090830/sapi/cli/php: free(): invalid pointer: 0x4001f000 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0x40624624]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0x40626826]
/lib/i686/cmov/libc.so.6(_IO_free_backup_area+0x34)[0x40622b54]
/lib/i686/cmov/libc.so.6(_IO_file_overflow+0x1c2)[0x40620962]
/lib/i686/cmov/libc.so.6(_IO_file_xsputn+0x65)[0x4061f9d5]
/lib/i686/cmov/libc.so.6(fwrite+0x10a)[0x4061586a]
/usr/lib/libcurl.so.4[0x40363428]
/usr/lib/libcurl.so.4[0x40363547]
/usr/lib/libcurl.so.4[0x403640d9]
/usr/lib/libcurl.so.4[0x4036a81a]
/usr/lib/libcurl.so.4[0x4036abdf]
/usr/lib/libcurl.so.4[0x4036ef77]
/usr/lib/libcurl.so.4(curl_easy_cleanup+0x21)[0x4037aec1]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x80f288b]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82f9a22]
/home/paul/php/php5.3-200905090830/sapi/cli/php(zend_hash_del_key_or_index+0xe2)[0x82f8a42]
/home/paul/php/php5.3-200905090830/sapi/cli/php(_zend_list_delete+0x70)[0x82f9c70]
/home/paul/php/php5.3-200905090830/sapi/cli/php(_zval_ptr_dtor+0x3d)[0x82dfd6d]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82f65e2]
/home/paul/php/php5.3-200905090830/sapi/cli/php(zend_hash_graceful_reverse_destroy+0x1f)[0x82f686f]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82e20e8]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x82eb843]
/home/paul/php/php5.3-200905090830/sapi/cli/php(php_request_shutdown+0x15f)[0x829b5df]
/home/paul/php/php5.3-200905090830/sapi/cli/php[0x836b079]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0x405cc455]
/home/paul/php/php5.3-200905090830/sapi/cli/php(realloc+0x95)[0x8065241]


Patches

reset_to_default_with_multi.patch.txt (last revision 2011-06-09 07:31 UTC) by shein@php.net


History

 [2009-05-09 20:51 UTC] jani@php.net
<?php

$url = 'www.hosthuis.nl';
$ch = curl_init();

$handle = fopen('/tmp/tt.tmp', 'w');
// $handle = STDERR; // This works

curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, $handle);
curl_setopt($ch, CURLOPT_URL, $url);

curl_exec($ch);

?>

 [2009-05-09 20:51 UTC] jani@php.net
Verified with all branches using cURL 7.15.5
 [2009-05-09 20:58 UTC] php-bug at paulsohier dot nl
It's also related somehow to the URL that's used to fetch, as when you try it with example.org the script works OK.
 [2009-05-09 21:23 UTC] mark at dynom dot nl
I can reproduce it on cURL 7.19.4 on PHP 5.2.9, but only when not using the verbose option.
When CURLOPT_VERBOSE is false, or not set at all, I get no segfaults. When true, it segfaults.
 [2009-05-09 21:30 UTC] jani@php.net
Adding this as the last line also fixes the problem (i.e. reset to default):

curl_setopt($ch, CURLOPT_STDERR, STDERR);

I don't know why some hosts work and others don't. Probably there's some traffic / error and the file handle gets destroyed or otherwise mangled during shutdown and curl then tries to use it.
 [2009-05-09 21:30 UTC] jani@php.net
Mark:

CURLOPT_STDERR

Pass a FILE * as parameter. Tell libcurl to use this stream instead of stderr when showing the progress meter and displaying CURLOPT_VERBOSE data.
 [2009-05-09 21:35 UTC] php-bug at paulsohier dot nl
We just tried it with some more different hosts, and it happens with at least google.nl and nu.nl as well.

Also, adding curl_close() to the end fixes the problem. But shouldn't PHP's GC make the same call internally?
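A wrapper that applies both workarounds given in this thread (jani's reset of CURLOPT_STDERR to the default, and the reporter's curl_close() before the stream goes away) so that the PHP stream outlives every libcurl write to it, including the ones made from curl_easy_cleanup(). This is an added example, not code from the bug report or from the PHP curl extension; fetch_with_trace is a hypothetical name.

```php
<?php
// Added example: keep the CURLOPT_STDERR stream alive until the curl handle
// can no longer write to it, then close things in the reverse order of use.
function fetch_with_trace($url, $trace_file)
{
    $log = fopen($trace_file, 'w');
    if ($log === false) {
        return false;
    }

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_STDERR, $log);        // libcurl borrows the FILE * behind $log
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    try {
        $body = curl_exec($ch);
        fflush($log);
    } finally {
        // Teardown order is the whole point: libcurl may still emit verbose
        // output while the handle is being cleaned up, so first detach the
        // stream (STDERR is only defined in the CLI SAPI), then release the
        // handle, and only then close the PHP stream.
        if (defined('STDERR')) {
            curl_setopt($ch, CURLOPT_STDERR, STDERR);
        }
        curl_close($ch);
        fclose($log);
    }

    return $body;
}

// Constructed usage: trace goes to a temp file instead of the process stderr.
$body = fetch_with_trace('https://www.example.org/', sys_get_temp_dir() . '/curl-trace.log');
?>
```

The `finally` block runs even when curl_exec() throws, so the stream is never closed out from under a live handle on the error path either.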
 [2009-05-10 16:27 UTC] jani@php.net
It's about the order in which stuff is freed/destroyed. Common problem with some other extensions as well.
 [2009-05-26 06:09 UTC] jani@php.net
It's also the bad implementation for CURLOPT_STDERR which causes such problems. It should be handled using the debugging facilities in cURL.
 [2009-05-26 12:34 UTC] jani@php.net
This fixes all the test cases I could come up with:

  http://pecl.php.net/~jani/patches/bug48203.patch

Even the quite insane ones too. It falls back to using STDERR which is the default anyway if the file pointer is closed prematurely.
 [2009-05-26 17:16 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-06-09 09:16 UTC] shein@php.net
Automatic comment from SVN on behalf of shein
Revision: http://svn.php.net/viewvc/?view=revision&revision=311959
Log: Updated (currently failing) test for bug48203 with curl_stderr and added also curl_multi_exec variant of this test.
 [2011-06-09 09:30 UTC] shein@php.net
-Status: Closed +Status: Re-Opened
 [2011-06-09 09:30 UTC] shein@php.net
Added patch for updated tests (tests were committed here http://news.php.net/php.cvs/65161). See also discussion here: http://markmail.org/message/dfjgty27qfhj4ulf
 [2011-06-09 09:31 UTC] shein@php.net
The following patch has been added/updated:

Patch Name: reset_to_default_with_multi.patch.txt
Revision:   1307604675
URL:        http://bugs.php.net/patch-display.php?bug=48203&patch=reset_to_default_with_multi.patch.txt&revision=1307604675
 [2011-06-12 00:55 UTC] felipe@php.net
-Status: Re-Opened +Status: Assigned -Assigned To: jani +Assigned To: iliaa
 [2011-09-08 11:53 UTC] bjori@php.net
-Assigned To: iliaa +Assigned To: bjori
 [2011-09-08 14:38 UTC] bjori@php.net
-Status: Assigned +Status: Closed
 [2011-09-08 14:38 UTC] bjori@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Fixed with bug#54798
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 03:02:48 2014 UTC