Bug #53579 stream_get_contents() segfaults on ziparchive streams
Submitted: 2010-12-20 06:58 UTC
Modified: 2010-12-20 12:00 UTC
From: paulgao at yeah dot net
Assigned: bjori
Status: Closed
Package: Zip Related
PHP Version: 5.3.4
OS: irrelevant
Private report: No
CVE-ID:
 [2010-12-20 06:58 UTC] paulgao at yeah dot net
Segmentation fault


(gdb) bt
#0  0x0000003510e79320 in strchr () from /lib64/
#1  0x000000000065a23c in php_zip_ops_stat (stream=<value optimized out>, ssb=0x7fff6bb223e0) at /root/php-5.3.4/ext/zip/zip_stream.c:111
#2  0x00000000006c22c5 in _php_stream_copy_to_mem (src=0xd2d6038, buf=0x7fff6bb224c8, maxlen=35, persistent=0) at /root/php-5.3.4/main/streams/streams.c:1275
#3  0x000000000063019e in zif_stream_get_contents (ht=<value optimized out>, return_value=0xd2d5f08, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /root/php-5.3.4/ext/standard/streamsfuncs.c:443
#4  0x000000000064506c in suhosin_execute_internal (execute_data_ptr=0x2ac667a0b050, return_value_used=1) at /root/php-5.3.4/ext/suhosin/execute.c:1673
#5  0x0000000000746475 in zend_do_fcall_common_helper_SPEC (execute_data=0x2ac667a0b050) at /root/php-5.3.4/Zend/zend_vm_execute.h:318
#6  0x000000000071e15c in execute (op_array=0xd2d43c8) at /root/php-5.3.4/Zend/zend_vm_execute.h:107
#7  0x00000000006455b9 in suhosin_execute_ex (op_array=0xd2d43c8, zo=0, dummy=0) at /root/php-5.3.4/ext/suhosin/execute.c:585
#8  0x00000000006fb95d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-5.3.4/Zend/zend.c:1194
#9  0x00000000006ab9cd in php_execute_script (primary_file=0x7fff6bb24d70) at /root/php-5.3.4/main/main.c:2265
#10 0x00000000007803ac in main (argc=2, argv=0x7fff6bb24fe8) at /root/php-5.3.4/sapi/cli/php_cli.c:1193

Test script:

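<?php
$target_file = 'META-INF/MANIFEST.MF';

$za = new ZipArchive();
if ($za->open('test.jar') !== TRUE)
    return FALSE;

// Open a stream on the entry only if it exists in the archive
if ($za->statName($target_file) !== FALSE)
    $fd = $za->getStream($target_file);
else
    $fd = FALSE;

// Reading the whole entry through the stream triggers the crash
if (is_resource($fd))
    echo strlen(stream_get_contents($fd));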


Expected result:

Actual result:
Segmentation fault


 [2010-12-20 07:05 UTC] paulgao at yeah dot net
Trunk code is the same.
 [2010-12-20 10:23 UTC]
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: bjori
 [2010-12-20 12:00 UTC]
Automatic comment from SVN on behalf of bjori
Log: Fixed bug#53579 (stream_get_contents() segfaults on ziparchive streams)
Also added the filename being accessed to the stream_get_meta_data() array
 [2010-12-20 12:00 UTC]
-Summary: stream_get_contents failed
+Summary: stream_get_contents() segfaults on ziparchive streams
-Status: Assigned
+Status: Closed
 [2010-12-20 12:00 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Tue Dec 01 14:01:33 2015 UTC