php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #48774 SIGSEGVs when using curl_copy_handle()
Submitted: 2009-07-02 13:20 UTC Modified: 2009-07-22 14:15 UTC
From: felipe@php.net Assigned: srinatar (profile)
Status: Closed Package: cURL related
PHP Version: 5.3CVS-2009-07-02 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2009-07-02 13:20 UTC] felipe@php.net
Description:
------------
See below.

Reproduce code:
---------------
1?
<?php

$url = "http://localhost/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, array("Hello" => "World"));
curl_setopt($ch, CURLOPT_URL, $url);
$copy = curl_copy_handle($ch);
curl_close($ch);

2?
<?php

$url = "http://localhost/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, array("Hello" => "World"));
curl_setopt($ch, CURLOPT_URL, $url);
$copy = curl_copy_handle($ch);
curl_close($ch);
curl_exec($copy);
curl_close($copy);

Expected result:
----------------
No SIGSEGV.

Actual result:
--------------
1?
*** glibc detected *** sapi/cli/php: double free or corruption (fasttop): 0x0a663260 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb65a81d4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb65aa186]
/usr/local/lib/libcurl.so.4(curl_formfree+0x8a)[0xb74533ca]
sapi/cli/php[0x819c1af]
sapi/cli/php(zend_llist_destroy+0x33)[0x8612f05]
sapi/cli/php(zend_llist_clean+0x11)[0x8612f71]
sapi/cli/php[0x81a0a40]
sapi/cli/php[0x81a0d81]
sapi/cli/php[0x86321e4]
sapi/cli/php(zend_hash_del_key_or_index+0x192)[0x862f5d9]
sapi/cli/php(_zend_list_delete+0xa0)[0x8631df4]
sapi/cli/php(_zval_dtor_func+0x198)[0x861cb28]
sapi/cli/php[0x860cfcc]
sapi/cli/php(_zval_ptr_dtor+0xb8)[0x860d3b1]
sapi/cli/php(_zval_ptr_dtor_wrapper+0x21)[0x861cf08]
sapi/cli/php[0x862fa96]
sapi/cli/php(zend_hash_graceful_reverse_destroy+0x3e)[0x862fc1a]
sapi/cli/php[0x860c5bb]
sapi/cli/php[0x861f79a]
sapi/cli/php(php_request_shutdown+0x682)[0x8590ac0]
sapi/cli/php[0x87035c7]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb654f775]
sapi/cli/php[0x8078a91]


2?
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb631a6f0 (LWP 4050)]
0xb74ef368 in curl_formfree () from /usr/local/lib/libcurl.so.4
Current language:  auto; currently asm
(gdb) bt
#0  0xb74ef368 in curl_formfree () from /usr/local/lib/libcurl.so.4
#1  0xb74ef37c in curl_formfree () from /usr/local/lib/libcurl.so.4
#2  0x0819c1af in curl_free_post (post=0xaa1741c) at /home/felipe/dev/php5/ext/curl/interface.c:1246
#3  0x08612f05 in zend_llist_destroy (l=0xaa17230) at /home/felipe/dev/php5/Zend/zend_llist.c:114
#4  0x08612f71 in zend_llist_clean (l=0xaa17230) at /home/felipe/dev/php5/Zend/zend_llist.c:126
#5  0x081a0a40 in _php_curl_close_ex (ch=0xaa17128, tsrm_ls=0xa7aa4b8) at /home/felipe/dev/php5/ext/curl/interface.c:2302
#6  0x081a0d81 in _php_curl_close (rsrc=0xaa174d8, tsrm_ls=0xa7aa4b8) at /home/felipe/dev/php5/ext/curl/interface.c:2343
#7  0x086321e4 in list_entry_destructor (ptr=0xaa174d8) at /home/felipe/dev/php5/Zend/zend_list.c:184
#8  0x0862f5d9 in zend_hash_del_key_or_index (ht=0xa7ac7d4, arKey=0x0, nKeyLength=0, h=5, flag=1) at /home/felipe/dev/php5/Zend/zend_hash.c:497
#9  0x08631df4 in _zend_list_delete (id=5, tsrm_ls=0xa7aa4b8) at /home/felipe/dev/php5/Zend/zend_list.c:58
#10 0x081a09b5 in zif_curl_close (ht=1, return_value=0xaa16fe8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0xa7aa4b8)
    at /home/felipe/dev/php5/ext/curl/interface.c:2279


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-07-09 16:31 UTC] daniel at haxx dot se
I think it would help the devs if you'd also specify what libcurl version you use (preferably with curl -V or similar to give all the details).
 [2009-07-11 10:12 UTC] sriram dot natarajan at gmail dot com
i was able to reproduce this on rhel 5 which ships with curl 7.15.5.

and this below patch seems to fix this problem
--- ext/curl/interface.c.ORIG   2009-07-09 15:24:00.000000000 -0700
+++ ext/curl/interface.c        2009-07-11 03:08:56.000000000 -0700
@@ -1444,9 +1444,13 @@
        zend_llist_copy(&dupch->to_free.str, &ch->to_free.str);
        /* Don't try to free copied strings, they're free'd when the original handle is destroyed */
        dupch->to_free.str.dtor = NULL;
-#endif
+
        zend_llist_copy(&dupch->to_free.slist, &ch->to_free.slist);
+       dupch->to_free.slist.dtor = NULL;
+
        zend_llist_copy(&dupch->to_free.post, &ch->to_free.post);
+       dupch->to_free.post.dtor = NULL;
+#endif
 
        ZEND_REGISTER_RESOURCE(return_value, dupch, le_curl);
        dupch->id = Z_LVAL_P(return_value);


need to investigate and possibly add couple of test cases
 [2009-07-11 10:54 UTC] sriram dot natarajan at gmail dot com
here is a better way to read the patches..
http://pastebin.org/1041
 [2009-07-14 09:40 UTC] sriram dot natarajan at gmail dot com
Hi
 though the above patch does fix the crash reported by the developer, on further investigation this patch is not the right fix. 

the issue that is happening is when the form input data is a array, the constructed form data is not available when executing curl_exec on the cloned handle.
 [2009-07-18 07:10 UTC] srinatar@php.net
while looking into this bug, i also realized that this below test case is also broken

less curl_copy_handle_basic_002.phpt 
...
  curl_setopt($ch, CURLOPT_POSTFIELDS, "Hello=World&Foo=Bar&Person=John%20Doe");
  curl_setopt($ch, CURLOPT_URL, $url); //set the url we want to use
  
  $copy = curl_copy_handle($ch);
  curl_close($ch);
...

(currently, marked as expected failure..) so, i have filed a separate bug : 48965 to track this separately
 [2009-07-20 14:54 UTC] jani@php.net
See also bug #48965
 [2009-07-21 20:32 UTC] svn@php.net
Automatic comment from SVN on behalf of srinatar
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=284557
Log: - Fixed bug #48774 (SIGSEGVs when using curl_copy_handle()).
 [2009-07-21 22:57 UTC] svn@php.net
Automatic comment from SVN on behalf of jani
Revision: http://svn.php.net/viewvc/?view=revision&revision=284567
Log: - Fix badly applied patch (bug #48774)
 [2009-07-22 13:47 UTC] srinatar@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Sep 21 19:01:25 2018 UTC