Bug #59457 zlib.output_compression segmentation fault
Submitted: 2010-10-12 12:20 UTC Modified: 2010-11-21 09:25 UTC
From: martynas at venck dot us Assigned: martynas (profile)
Status: Closed Package: htscanner (PECL)
PHP Version: 5.2.14 OS: Linux
Private report: No CVE-ID: None
 [2010-10-12 12:20 UTC] martynas at venck dot us
Description:
------------
Setting zlib.output_compression to On in .htaccess leads to frequent Segmentation faults.

I've managed to get full backtraces:

Program terminated with signal 11, Segmentation fault.
#0  0x000000000084c7a1 in zend_hash_copy (target=0x19562138, source=0x19566258, pCopyConstructor=0x83d7b7 <zval_add_ref>, tmp=0x7fffaabe9ee0, size=8)
    at /usr/local/src/php-5.2.14/Zend/zend_hash.c:785
785                     if (p->nKeyLength) {
(gdb) bt
#0  0x000000000084c7a1 in zend_hash_copy (target=0x19562138, source=0x19566258, pCopyConstructor=0x83d7b7 <zval_add_ref>, tmp=0x7fffaabe9ee0, size=8)
    at /usr/local/src/php-5.2.14/Zend/zend_hash.c:785
#1  0x000000000083d8ad in _zval_copy_ctor_func (zvalue=0x19562110)
    at /usr/local/src/php-5.2.14/Zend/zend_variables.c:133
#2  0x00000000008be28f in _zval_copy_ctor (zvalue=0x19562110)
    at /usr/local/src/php-5.2.14/Zend/zend_variables.h:45
#3  0x00000000008be07e in cgi_php_import_environment_variables (array_ptr=0x19562110)
    at /usr/local/src/php-5.2.14/sapi/cgi/cgi_main.c:586
#4  0x00000000008be2aa in sapi_cgi_register_variables (track_vars_array=0x19562110)
    at /usr/local/src/php-5.2.14/sapi/cgi/cgi_main.c:635
#5  0x00000000007fd40e in php_register_server_variables ()
    at /usr/local/src/php-5.2.14/main/php_variables.c:577
#6  0x00000000007fd4ef in php_auto_globals_create_server (name=0x19213ba0 "_SERVER", name_len=7)
    at /usr/local/src/php-5.2.14/main/php_variables.c:768
#7  0x000000000082d414 in zend_is_auto_global (name=0x92f475 "_SERVER", name_len=7)
    at /usr/local/src/php-5.2.14/Zend/zend_compile.c:4162
#8  0x00000000004cee64 in php_enable_output_compression (buffer_size=16386)
    at /usr/local/src/php-5.2.14/ext/zlib/zlib.c:1029
#9  0x00000000004cf089 in php_zlib_output_compression_start ()
    at /usr/local/src/php-5.2.14/ext/zlib/zlib.c:1068
#10 0x00000000004ccb20 in OnUpdate_zlib_output_compression (entry=0x192aa4b0, new_value=0x195620f0 "16386", new_value_length=5, mh_arg1=0x88, mh_arg2=0xe30380, mh_arg3=0x0, stage=16)
    at /usr/local/src/php-5.2.14/ext/zlib/zlib.c:210
#11 0x0000000000855367 in zend_alter_ini_entry_ex (name=0x1976aac0 "zlib.output_compression", name_length=24, new_value=0x195921f0 "16386", new_value_length=5, modify_type=2, stage=16, force_change=0)
    at /usr/local/src/php-5.2.14/Zend/zend_ini.c:293
#12 0x00000000008551b8 in zend_alter_ini_entry (name=0x1976aac0 "zlib.output_compression", name_length=24, new_value=0x195921f0 "16386", new_value_length=5, modify_type=2, stage=16)
    at /usr/local/src/php-5.2.14/Zend/zend_ini.c:248
#13 0x00002b2e4c125029 in sapi_cgi_activate () from /usr/local/lib/php/extensions/htscanner.so
#14 0x00000000007f5ebd in sapi_activate ()
    at /usr/local/src/php-5.2.14/main/SAPI.c:389
#15 0x00000000007ebb00 in php_request_startup ()
    at /usr/local/src/php-5.2.14/main/main.c:1284
#16 0x00000000008c05b6 in main (argc=3, argv=0x7fffaabef1a8)
    at /usr/local/src/php-5.2.14/sapi/cgi/cgi_main.c:1910

Perhaps htscanner should call zend_alter_ini_entry with PHP_INI_STAGE_HTACCESS, since _SERVER appears not to be set up yet during the php_enable_output_compression call?

Reproduce code:
---------------
php_flag zlib.output_compression on

Expected result:
----------------
Pages being served.

Actual result:
--------------
Segmentation fault.

 [2010-10-12 18:32 UTC] martynas at venck dot us
I'm attaching a working patch below.

At the point where the zend_alter_ini_entry calls are made, the Zend engine is not initialized yet; therefore we have to make the calls in the PHP_INI_STAGE_HTACCESS stage.

See main/main.c: the sapi_activate call comes before zend_startup and the environment calls.

Segmentation faults are now gone.

Index: htscanner.c
============================================================
=======
--- htscanner.c	(revision 303747)
+++ htscanner.c	(working copy)
@@ -162,7 +162,7 @@
 		}
 	}
 #endif
-	if (zend_alter_ini_entry(name, name_len + 1, value, 
value_len, mode, PHP_INI_STAGE_RUNTIME) == FAILURE) {
+	if (zend_alter_ini_entry(name, name_len + 1, value, 
value_len, mode, PHP_INI_STAGE_HTACCESS) == FAILURE) {
 		if (HTG(verbose)) {
 			zend_error(E_WARNING, "Adding option 
(Name: %s Value: %s) (%i, %i) failed!\n", name, value, 
name_len, value_len);
 		}
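Review bot: the stage change on this zend_alter_ini_entry call matches what the backtrace shows (frame #13 is sapi_cgi_activate in htscanner.so, running inside request startup before the _SERVER auto-global exists), but the FAILURE branch only reports through zend_error when HTG(verbose) is set, so any .htaccess option that the stricter PHP_INI_STAGE_HTACCESS handlers now refuse is dropped silently in the default configuration; consider emitting the warning unconditionally, or at least documenting that verbose must be on to see which options were rejected.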
@@ -427,7 +427,7 @@
 
 			while (SUCCESS == 
zend_hash_get_current_data_ex(entry_fetched->ini_entries, 
(void**)&value, &pos)) {
 				
zend_hash_get_current_key_ex(entry_fetched->ini_entries, 
&name, &len, &num, 0, &pos);
-				if 
(zend_alter_ini_entry(name, len, value, strlen(value), 
PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME) == FAILURE) {
+				if 
(zend_alter_ini_entry(name, len, value, strlen(value), 
PHP_INI_PERDIR, PHP_INI_STAGE_HTACCESS) == FAILURE) {
 					char msg[1024];
 					
htscannerMutexUnlock(ini_entries_cache_mutex);
 					snprintf(msg, sizeof 
(msg), "Adding option from cache (Name: '%s' Value: '%s') 
failed!\n", name, value);
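Review bot: the cache path now uses the same PHP_INI_STAGE_HTACCESS stage as the direct path, but the two call sites still size the key differently: this one passes `len` straight from zend_hash_get_current_key_ex while the first hunk passes `name_len + 1`; confirm both lengths include the terminating NUL that zend_alter_ini_entry expects, otherwise a cached .htaccess and a freshly parsed one would register different keys. Separately, the failure branch calls htscannerMutexUnlock(ini_entries_cache_mutex) and only then formats `name` and `value`, which still point into the shared cache, into msg; formatting before the unlock would avoid reading cache memory outside the lock.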
 [2010-10-13 14:53 UTC] martynas at venck dot us
Actually, this also gains us security, since PHP_INI_STAGE_HTACCESS also checks for mail.force_extra_parameters in main/main.c (OnChangeMailForceExtra). Please see the vulnerability report:

http://securityreason.com/securityalert/3389
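The stage handling discussed in the three comments above, as an added example that is neither htscanner's nor PHP's own code: a small model of zend_alter_ini_entry in which the `stage` argument decides whether an entry's on-modify handler acts immediately (RUNTIME) or is refused for .htaccess input (the mail.force_extra_parameters check). The stage values are PHP 5.2's; the entry table, the request_started flag and the handler bodies are constructed approximations.

```c
/* Added example, not htscanner's or PHP's own code: a simplified model of how the `stage`
 * argument of zend_alter_ini_entry gates an INI entry's on-modify handler.  Stage values
 * match PHP 5.2 (RUNTIME = 1<<4 = 16, as in frame #10 of the backtrace; HTACCESS = 1<<5);
 * the entry table, the request_started flag and the handler bodies are constructed. */
#include <string.h>

#define SUCCESS 0
#define FAILURE (-1)
#define PHP_INI_STAGE_RUNTIME  (1 << 4)
#define PHP_INI_STAGE_HTACCESS (1 << 5)

/* Stands in for _SERVER and the other per-request state php_request_startup() creates. */
static int request_started = 0;
typedef int (*ini_mh)(const char *new_value, int stage);
/* Model of OnUpdate_zlib_output_compression: RUNTIME means "apply now", so compression is
 * started immediately and needs request state; any other stage only records the value. */
static int on_update_zlib(const char *new_value, int stage)
{
    int on = strcmp(new_value, "1") == 0 || strcmp(new_value, "on") == 0;
    if (stage == PHP_INI_STAGE_RUNTIME && on && !request_started)
        return FAILURE;   /* stand-in for the SIGSEGV in zend_hash_copy from the backtrace */
    return SUCCESS;
}
/* Model of OnChangeMailForceExtra: the entry is refused when it comes from .htaccess. */
static int on_change_mail_force_extra(const char *new_value, int stage)
{
    (void)new_value;
    return stage == PHP_INI_STAGE_HTACCESS ? FAILURE : SUCCESS;
}
static const struct { const char *name; ini_mh on_modify; } ini_table[] = {
    { "zlib.output_compression",     on_update_zlib },
    { "mail.force_extra_parameters", on_change_mail_force_extra },
};
/* Model of zend_alter_ini_entry: look the entry up and run its handler with the stage. */
int alter_ini_entry(const char *name, const char *value, int stage)
{
    for (size_t i = 0; i < sizeof ini_table / sizeof ini_table[0]; i++)
        if (strcmp(ini_table[i].name, name) == 0)
            return ini_table[i].on_modify(value, stage);
    return FAILURE;
}
/* htscanner's situation: .htaccess entries applied from sapi_activate(), before request
 * startup.  Bit 0 = zlib.output_compression accepted, bit 1 = mail.force_extra_parameters. */
int apply_htaccess(int stage)
{
    request_started = 0;
    int zlib = alter_ini_entry("zlib.output_compression", "on", stage) == SUCCESS;
    int mail = alter_ini_entry("mail.force_extra_parameters", "constructed-value", stage) == SUCCESS;
    return zlib | (mail << 1);
}
```

With the old RUNTIME stage the model fails on zlib (the crash) while letting mail.force_extra_parameters through; with PHP_INI_STAGE_HTACCESS the zlib value is merely recorded and the mail entry is refused.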
 [2010-11-21 09:25 UTC] martynas at venck dot us
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 