Bug #48256 Crash due to double-linking of history.o
Submitted: 2009-05-13 06:11 UTC Modified: 2009-05-14 13:44 UTC
From: tstarling at wikimedia dot org Assigned: jani
Status: Closed Package: Readline related
PHP Version: 5.*, 6CVS (2009-05-14) OS: Linux
Private report: No CVE-ID:
 [2009-05-13 06:11 UTC] tstarling at wikimedia dot org
The readline extension links both libreadline and libhistory. This is unnecessary, and inspection of the readline example programs since version 2.0 implies that it has always been unnecessary. Both libraries include history.o, so linking to both gives you two copies of that module.

The bug occurs when, due to operating system vagaries, libhistory loads before libreadline. This causes PHP's readline_add_history() to add history entries to libhistory's copy of the_history. Then when readline() is called, libreadline attempts to read the other copy of the_history. The result is a null pointer dereference in libreadline's previous_history() function. 

The libraries are loaded in the problematic order in Ubuntu 9.04; previous versions of Ubuntu appeared to work.

The solution is to remove all references to libhistory in ext/readline/config.m4. I have patched this in and tested it.

Reproduce code:

<?php
// Add one entry, then prompt; pressing the up arrow should recall it.
readline_add_history( 'test' );
readline( '> ' );

Note that you can reproduce the problematic link order using:

LD_PRELOAD=/lib/ php bug-demo.php 

It demonstrates the bug, but it will not give a successful resolution after the patch is applied. 

Expected result:
Press the up arrow, it shows "test". 

Actual result:
After pressing the up arrow:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb741a6e0 (LWP 27236)]
0xb7e87c18 in previous_history ()
    at /home/tstarling/src/readline/readline5-5.2/history.c:186
186	  return history_offset ? the_history[--history_offset] : (HIST_ENTRY *)NULL;
(gdb) bt
#0  0xb7e87c18 in previous_history ()
    at /home/tstarling/src/readline/readline5-5.2/history.c:186
#1  0xb7e8727d in rl_get_previous_history (count=1, key=65)
    at /home/tstarling/src/readline/readline5-5.2/misc.c:526
#2  0xb7e6e057 in _rl_dispatch_subseq (key=65, map=0x90ff478, got_subseq=0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:742
#3  0xb7e6e2d8 in _rl_dispatch_subseq (key=91, map=0xb7e909e0, got_subseq=0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:831
#4  0xb7e6e2d8 in _rl_dispatch_subseq (key=27, map=0xb7e901c0, got_subseq=0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:831
#5  0xb7e6e484 in _rl_dispatch (key=27, map=0xb7e901c0)
    at /home/tstarling/src/readline/readline5-5.2/readline.c:692
#6  0xb7e6e8bd in readline_internal_char ()
    at /home/tstarling/src/readline/readline5-5.2/readline.c:519
#7  0xb7e6ed3d in readline (prompt=0x8bc02b0 "> ")
    at /home/tstarling/src/readline/readline5-5.2/readline.c:545
#8  0x082bcd6d in zif_readline (ht=1, return_value=0xb71b5488, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)


 [2009-05-13 18:31 UTC]
Linux distro problems are not PHP bugs.
 [2009-05-14 13:19 UTC]
Reopened, I shouldn't read bug reports while doing drugs. ;)
 [2009-05-14 13:44 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Wed Nov 25 20:01:36 2015 UTC