Bug #52944 fclose: quiet script interruption
Submitted: 2010-09-28 21:40 UTC Modified: 2010-09-29 20:59 UTC
From: svimik at mail dot ru Assigned: cataphract
Status: Closed Package: *Network Functions
PHP Version: 5.3.3 OS: Debian-50-lenny-64
Private report: No CVE-ID:
 [2010-09-28 21:40 UTC] svimik at mail dot ru
Description:
------------
I don't know exactly whether it is a bug in the zlib filter or in streams, but this combination can produce a script crash without any error output.

Let's take some binary data like corrupted compressed data (not all random data produces the crash, so try the file from my example). Use stream_socket_pair with a zlib.inflate filter on the second socket, which is used for reading in my case.
Use non-blocking streams.
Then make exactly the following sequence to produce the crash:
1. write corrupted data to socket 0
2. call fread for socket 1 (returns nothing as expected, because the string cannot be uncompressed)
3. call fclose for socket 0
4. try fread for socket 1 once again
5. call fclose for socket 1 - on this step the script dies.

Sorry, I can't make a backtrace on a production server, because it would be necessary to recompile PHP. Waiting for someone to confirm the bug.

Test script:
---------------
<?php
error_reporting(E_ALL);
// Unix socket pair: socket 0 is written to, socket 1 is read from.
$sockets = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
stream_set_blocking($sockets[0], 0);
stream_set_blocking($sockets[1], 0);
// Inflate filter on the reading side only.
stream_filter_append($sockets[1], "zlib.inflate", STREAM_FILTER_READ);

// Corrupted compressed data from the reporter's server.
$in = file_get_contents("http://188.40.74.4/corrupted.gz");
$out = "";

fwrite($sockets[0], $in);          // 1. write corrupted data to socket 0
$out .= fread($sockets[1], 1);     // 2. read from socket 1 (returns nothing)
fclose($sockets[0]);               // 3. close socket 0
$out .= fread($sockets[1], 1);     // 4. read from socket 1 again

echo "closing...";
fclose($sockets[1]);               // 5. script dies here
echo "done\r\n";
?>

Expected result:
----------------
Script should output "closing...done"

Actual result:
--------------
Script prints "closing..." but never "done"
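The same five-step sequence as an added, self-contained reproduction (not code from the report, the patch or PHP itself): instead of fetching corrupted.gz from the reporter's server, it builds a raw deflate stream with gzdeflate(), damages a copy of it in place, and runs the write/read/close/read/close sequence on both the valid and the corrupted input. The byte range that is inverted and the function name run_sequence are assumptions of this example; whether that particular corruption hits the original fault on an unpatched build is also an assumption, since the reporter noted that not every corruption triggers it.

```php
<?php
// Added example for bug #52944, not from the report or from PHP itself.
error_reporting(E_ALL);

// Constructed sample: a valid RFC 1951 (raw deflate) stream, which is what
// the zlib.inflate filter expects by default, and a copy with bytes 2..19
// of the compressed payload inverted (assumed corruption pattern).
$valid = gzdeflate(str_repeat("zlib inflate filter test payload\n", 64));
$corrupted = $valid;
for ($i = 2; $i < min(strlen($corrupted), 20); $i++) {
    $corrupted[$i] = chr(ord($corrupted[$i]) ^ 0xFF);
}

/**
 * Run the exact five-step sequence from the report on a fresh socket pair
 * and return whatever the two single-byte reads produced.
 */
function run_sequence($data, $label)
{
    $sockets = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
    stream_set_blocking($sockets[0], false);
    stream_set_blocking($sockets[1], false);
    // Inflate filter on the reading side only, as in the report.
    stream_filter_append($sockets[1], "zlib.inflate", STREAM_FILTER_READ);

    $out = "";
    fwrite($sockets[0], $data);                // step 1: write the data to socket 0
    $out .= (string) fread($sockets[1], 1);    // step 2: first read through the filter
    fclose($sockets[0]);                       // step 3: close the writing end
    $out .= (string) fread($sockets[1], 1);    // step 4: second read
    echo "$label: closing...";
    fclose($sockets[1]);                       // step 5: where PHP 5.3.3 died
    echo "done\n";
    return $out;
}

$good = run_sequence($valid, "valid input");
echo "valid input: " . strlen($good) . " inflated byte(s) read\n";
$bad = run_sequence($corrupted, "corrupted input");
echo "corrupted input: " . strlen($bad) . " inflated byte(s) read\n";
```

Run it as `php repro.php; echo "exit status $?"`. The failure mode described in the report shows up as the "corrupted input: closing..." line with no "done" after it and a non-zero exit status from the php process; on a build carrying the fix both runs print "done" and the script exits normally. Using a raw deflate stream rather than a .gz file keeps the input matched to the filter's default mode, so the valid run actually inflates and the corrupted run fails inside zlib rather than on an unexpected gzip header.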

Patches

zlib_filter_segfault_fix (last revision 2010-09-29 01:54 UTC) by cataphract@php.net


History

 [2010-09-28 21:58 UTC] cataphract@php.net
I can confirm some sort of bug in both PHP 5.3.3 and trunk on Debian Lenny x64.

On trunk:

[Tue Sep 28 20:54:06 2010]  Script:  '-'
---------------------------------------
/tmp/trunk/ext/zlib/zlib_filter.c(165) : Block 0x7fba5a6120c0 status:
Beginning:      OK (allocated on /tmp/trunk/ext/zlib/zlib_filter.c:311, 2048 bytes)
    Start:      OK
      End:      Overflown (magic=0x00000018 instead of 0x5289A744)
                At least 4 bytes overflown
---------------------------------------
done
[Tue Sep 28 20:54:06 2010]  Script:  '-'
/tmp/trunk/ext/zlib/zlib_filter.c(311) :  Freeing 0x7FBA5A6120C0 (2048 bytes), script=-
=== Total 1 memory leaks detected ===

On PHP 5.3.3 (sorry, not debug build), there's a segfault:

#0  zend_mm_remove_from_free_list (heap=0x11fc290, mm_block=0x1407380)
    at /opt/php-5.3.3/Zend/zend_alloc.c:841
#1  0x000000000069613e in _zend_mm_free_int (heap=0x11fc290, p=0x1406b80)
    at /opt/php-5.3.3/Zend/zend_alloc.c:2019
#2  0x00007f029fa548c9 in php_zlib_inflate_dtor (
    thisfilter=<value optimized out>)
    at /opt/php-5.3.3/ext/zlib/zlib_filter.c:161
#3  0x0000000000678ae2 in php_stream_filter_free (filter=0x1409950)
    at /opt/php-5.3.3/main/streams/filter.c:312
#4  0x0000000000678b8a in php_stream_filter_remove (filter=0x0, call_dtor=1)
    at /opt/php-5.3.3/main/streams/filter.c:531
#5  0x000000000067559a in _php_stream_free (stream=0x14096a0, close_options=11)
    at /opt/php-5.3.3/main/streams/streams.c:369
#6  0x00000000006757d1 in stream_resource_regular_dtor (
    rsrc=<value optimized out>) at /opt/php-5.3.3/main/streams/streams.c:1426
#7  0x00000000006c34a2 in list_entry_destructor (ptr=0x14097e0)
    at /opt/php-5.3.3/Zend/zend_list.c:184
#8  0x00000000006c2566 in zend_hash_del_key_or_index (ht=0xc6e7b0, arKey=0x0,
    nKeyLength=0, h=2, flag=<value optimized out>)
    at /opt/php-5.3.3/Zend/zend_hash.c:497
#9  0x00000000006c3719 in _zend_list_delete (id=<value optimized out>)
    at /opt/php-5.3.3/Zend/zend_list.c:58
#10 0x00000000005fbd88 in zif_fclose (ht=<value optimized out>,
    return_value=0x1409228, return_value_ptr=<value optimized out>,
    this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /opt/php-5.3.3/ext/standard/file.c:928
#11 0x0000000000704cce in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7f029f9ce050) at /opt/php-5.3.3/Zend/zend_vm_execute.h:316
#12 0x00000000006e0589 in execute (op_array=0x14067c8)
    at /opt/php-5.3.3/Zend/zend_vm_execute.h:107
#13 0x00000000006b349b in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /opt/php-5.3.3/Zend/zend.c:1194
#14 0x000000000065e5e8 in php_execute_script (primary_file=0x7fff04d51350)
    at /opt/php-5.3.3/main/main.c:2260
#15 0x0000000000740717 in main (argc=1, argv=0x7fff04d515b8)
    at /opt/php-5.3.3/sapi/cli/php_cli.c:1192
 [2010-09-28 21:59 UTC] cataphract@php.net
-Status: Open +Status: Verified
 [2010-09-28 22:10 UTC] cataphract@php.net
Valgrind log for trunk:

http://nebm.ist.utl.pt/~glopes/valgrind-52944.log
 [2010-09-29 03:54 UTC] cataphract@php.net
The following patch has been added/updated:

Patch Name: zlib_filter_segfault_fix
Revision:   1285725279
URL:        http://bugs.php.net/patch-display.php?bug=52944&patch=zlib_filter_segfault_fix&revision=1285725279
 [2010-09-29 03:56 UTC] cataphract@php.net
-Status: Verified +Status: Analyzed
 [2010-09-29 03:56 UTC] cataphract@php.net
Fixed in the attached patch, which also includes a test.
 [2010-09-29 20:59 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=303878
Log: - Fixed bug #52944 (Invalid write on second and subsequent reads with an inflate filter fed invalid data).
 [2010-09-29 20:59 UTC] cataphract@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: cataphract
 [2010-09-29 20:59 UTC] cataphract@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 07:02:06 2014 UTC