PHP :: Bug #51977 :: thttpd segfault on X86

Bug #51977

thttpd segfault on X86_64?

Submitted:

2010-06-02 17:18 UTC

Modified:

2013-12-18 00:29 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

znfwhy at 163 dot com

Assigned:

sas (profile)

Status:

Closed

Package:

Other web server

PHP Version:

5.2.13

OS:

Debian Squeeze

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2010-06-02 17:18 UTC] znfwhy at 163 dot com

Description:
------------
HTTP POST with 16KB more content will cause thttpd segfault on X86_64.

here is the back trace result:
...
Program received signal SIGSEGV, Segmentation fault.
0x0000003d7d278d80 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x0000003d7d278d80 in strlen () from /lib/libc.so.6
#1  0x0000003d7d278ab6 in strdup () from /lib/libc.so.6
#2  0x0000000000432cf0 in thttpd_php_request ()
#3  0x000000000042d7bb in httpd_start_request ()
#4  0x0000000000423a84 in _start ()

Test script:
---------------
<html>
  <head>
    PHP5 test page
  </head>
  <body>

    <div id=main style="width: 130px; height: 130px;">
      <form  method="POST"  enctype="text/html" action="/test.php">
        <textarea name=test>
        </textarea>
        <input type="submit" value="submit">
      </form>
    </div>
  </body>
</html>

Expected result:
----------------
info of PHP5 printed by test.php.

Actual result:
--------------
nothing, but thttpd exit with segfault.

Patches

php5_thttpd_upload_large_content_segfault.patch (last revision 2010-06-02 15:19 UTC by znfwhy at 163 dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-06-02 17:26 UTC] johannes@php.net

-Status: Open +Status: Feedback

[2010-06-02 17:26 UTC] johannes@php.net

The thttpd code isn't really maintained since 2005. I looked throught code but couldn't find the relevant strdup call. Could you please recompile PHP using --enable-debug and then generate a "bt full", maybe the issue can be found then.

[2010-06-03 05:08 UTC] znfwhy at 163 dot com

-Status: Feedback +Status: Open

[2010-06-03 05:08 UTC] znfwhy at 163 dot com

Recompiled php5 with --enable-debug, and backtrace info listed below.
But this issue is cased by line 1770, file sapi/thttpd/thttpd_patch of php5.
Type miss match whiling convert pointer to int on X86_64.

(gdb) bt
#0  0x0000003d7d278d80 in strlen () from /lib/libc.so.6
#1  0x0000003d7d278ab6 in strdup () from /lib/libc.so.6
#2  0x000000000043b693 in thttpd_request_ctor () at php_thttpd.c:458
#3  0x000000000043b848 in thttpd_real_php_request (hc=0xa1f300, show_source=0)
    at php_thttpd.c:671
#4  0x000000000043b938 in thttpd_php_request (hc=0xa1f300, show_source=0)
    at php_thttpd.c:704
#5  0x0000000000432c44 in really_start_request (hc=0xa1f300,
    nowP=0x7fff4b0bba20) at libhttpd.c:3708
#6  0x0000000000433077 in httpd_start_request (hc=0xa1f300,
    nowP=0x7fff4b0bba20) at libhttpd.c:3801
#7  0x000000000042707c in boot_request (c=0x9fb880, tvP=0x7fff4b0bba20)
    at thttpd.c:1548
#8  0x00000000004277a3 in handle_read_body (c=0x9fb880, tvP=0x7fff4b0bba20)
    at thttpd.c:1774
#9  0x0000000000424a7d in main (argc=3, argv=0x7fff4b0bcc68) at thttpd.c:617

[2010-06-20 19:54 UTC] felipe@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: sas

[2013-12-18 00:28 UTC] sas@php.net

Hi,

please reopen ticket if this particular issue reoccurs.

Preferrably try another web server..

Thank you for using PHP.

Best
Sascha

[2013-12-18 00:29 UTC] sas@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 02 11:01:31 2024 UTC