php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48256 Crash due to double-linking of history.o
Submitted: 2009-05-13 06:11 UTC Modified: 2009-05-14 13:44 UTC
From: tstarling at wikimedia dot org Assigned: jani
Status: Closed Package: Readline related
PHP Version: 5.*, 6CVS (2009-05-14) OS: Linux
Private report: No CVE-ID:
 [2009-05-13 06:11 UTC] tstarling at wikimedia dot org
Description:
------------
The readline extension links both libreadline and libhistory. This is unnecessary, and inspection of the readline example programs since version 2.0 implies that it has always been unnecessary. Both libraries include history.o, so linking to both gives you two copies of that module.

The bug occurs when, due to operating system vagaries, libhistory loads before libreadline. This causes PHP's readline_add_history() to add history entries to libhistory's copy of the_history. Then when readline() is called, libreadline attempts to read the other copy of the_history. The result is a null pointer dereference in libreadline's previous_history() function. 

The libraries are loaded in the problematic order in Ubuntu 9.04, previous versions of Ubuntu appeared to work. 

The solution is to remove all references to libhistory in ext/readline/config.m4. I have patched this in and tested it. 

http://tstarling.com/stuff/fix-php-readline.patch

Reproduce code:
---------------
<?php

readline_add_history('test');
readline( '> ' );
?>

Note that you can reproduce the problematic link order using:

LD_PRELOAD=/lib/libhistory.so.5 php bug-demo.php 

It demonstrates the bug, but it will not give a successful resolution after the patch is applied. 

Expected result:
----------------
Press the up arrow, it shows "test". 

Actual result:
--------------
After pressing the up arrow:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb741a6e0 (LWP 27236)]
0xb7e87c18 in previous_history ()
    at /home/tstarling/src/readline/readline5-5.2/history.c:186
186	  return history_offset ? the_history[--history_offset] : (HIST_ENTRY *)NULL;
(gdb) bt
#0  0xb7e87c18 in previous_history ()
    at /home/tstarling/src/readline/readline5-5.2/history.c:186
#1  0xb7e8727d in rl_get_previous_history (count=1, key=65)
    at /home/tstarling/src/readline/readline5-5.2/misc.c:526
#2  0xb7e6e057 in _rl_dispatch_subseq (key=65, map=0x90ff478, got_subseq=0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:742
#3  0xb7e6e2d8 in _rl_dispatch_subseq (key=91, map=0xb7e909e0, got_subseq=0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:831
#4  0xb7e6e2d8 in _rl_dispatch_subseq (key=27, map=0xb7e901c0, got_subseq=0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:831
#5  0xb7e6e484 in _rl_dispatch (key=27, map=0xb7e901c0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:692
#6  0xb7e6e8bd in readline_internal_char ()
    at /home/tstarling/src/readline/readline5-5.2/readline.c:519
#7  0xb7e6ed3d in readline (prompt=0x8bc02b0 "> ")
    at /home/tstarling/src/readline/readline5-5.2/readline.c:545
#8  0x082bcd6d in zif_readline (ht=1, return_value=0xb71b5488, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
...


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-05-13 18:31 UTC] jani@php.net
Linux distro problems are not PHP bugs.
 [2009-05-14 13:19 UTC] jani@php.net
Reopened, I shouldn't read bug reports while doing drugs. ;)
 [2009-05-14 13:44 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 01:01:59 2014 UTC