Bug #59671 Use of apc file upload progress causes segfault when used with ssl pages
Submitted: 2011-03-16 11:57 UTC Modified: 2011-03-18 09:05 UTC
From: j dot ewing at talk21 dot com Assigned:
Status: Closed Package: APC (PECL)
PHP Version: 5.3.5 OS: Cent OS 5.5
Private report: No CVE-ID: None
 [2011-03-16 11:57 UTC] j dot ewing at talk21 dot com
Description:
------------
Apache 2.2.16
"./configure" \
"--enable-ssl" \
"--enable-so" \
"--enable-rewrite=shared" \
"--enable-expires=shared" \
"--enable-deflate=shared" \
"--enable-vhost-alias=shared" \
"$@"

PHP 5.3.5
'./configure' \
'--with-mysql' \
'--with-mysqli=mysqlnd' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--with-curl' \
'--enable-mbstring' \
'--with-mcrypt' \
'--with-zlib' \
'--with-gd' \
'--with-jpeg-dir=/usr/lib/' \
'--with-png-dir=/usr/lib' \
'--with-imap' \
'--with-imap-ssl' \
'--with-kerberos' \

APC version 3.1.6 via pecl

php.ini
apc.enabled=1
apc.shm_segments=1
apc.optimization=0
apc.shm_size=32M
apc.ttl=7200
apc.user_ttl=7200
apc.num_files_hint=1024
apc.mmap_file_mask=/tmp/apc.XXXXXX
apc.enable_cli=1
apc.rfc1867=1
apc.rfc1867_freq=50%

Reproduce code:
---------------
Submitting the following form works correctly as an HTTP request. Sending the same page via HTTPS results in a segfault.
Removing the APC_UPLOAD_PROGRESS input allows the upload to succeed.

<?php

// Unique key for this upload's progress entry.
$up_id = uniqid();

?>
<html>
<head><title></title></head>
<body>
<form method="post" action="upload.php" enctype="multipart/form-data" name="form1" id="form1">

  <input type="hidden" name="MAX_FILE_SIZE" value="3000000">
  <!-- The APC_UPLOAD_PROGRESS field must precede the file field so the
       rfc1867 hook sees the key before the file data arrives. -->
  <input type="hidden" name="APC_UPLOAD_PROGRESS" id="progress_key" value="<?php echo $up_id; ?>">

  <input name="file" type="file" id="file" size="30">
  <input type="submit" value="upload">
</form>
</body>
</html>

Expected result:
----------------
File is uploaded.

Actual result:
--------------
Request results in an Apache segfault:

[Wed Mar 16 15:48:43 2011] [notice] child pid 10104 exit signal Segmentation fault (11)


History
 [2011-03-16 11:59 UTC] pierre dot php at gmail dot com
Please try using either 3.1.7 or an SVN version (trunk).
 [2011-03-18 09:04 UTC] j dot ewing at talk21 dot com
The 3.1.7 version appears to have fixed this issue.
Any news on when 3.1.7 will become the stable release?

In testing I have found that this bug doesn't affect PHP 5.3.3 and APC 3.1.6, but will crash on 5.3.5 and 3.1.6.

Backtrace from 3.1.6:

Program received signal SIGSEGV, Segmentation fault.
0x0125a7d3 in add_assoc_string_ex (arg=0x8a74890, key=0x362e0d "temp_filename", key_len=14, str=0x0, duplicate=1)
    at /home/files/software/php-5.3.5-debug/Zend/zend_API.c:1173
1173            ZVAL_STRING(tmp, str, duplicate);
(gdb) bt
#0  0x0125a7d3 in add_assoc_string_ex (arg=0x8a74890, key=0x362e0d "temp_filename", key_len=14, str=0x0, duplicate=1)
    at /home/files/software/php-5.3.5-debug/Zend/zend_API.c:1173
#1  0x0035a7e1 in apc_rfc1867_progress (event=4, event_data=0xbfffc330, extra=0xbfffc3ac) at /tmp/pear/temp/APC/apc_rfc1867.c:189
#2  0x011f7fa2 in rfc1867_post_handler (content_type_dup=0x8a7059c "multipart/form-data; boundary=----WebKitFormBoundaryQloNt4gdBPNXesVa", arg=0x8a7235c)
    at /home/files/software/php-5.3.5-debug/main/rfc1867.c:1137
#3  0x011f335c in sapi_handle_post (arg=0x8a7235c) at /home/files/software/php-5.3.5-debug/main/SAPI.c:121
#4  0x011fad54 in php_default_treat_data (arg=0, str=0x0, destArray=0x0) at /home/files/software/php-5.3.5-debug/main/php_variables.c:334
#5  0x0102c03e in mbstr_treat_data (arg=0, str=0x0, destArray=0x0) at /home/files/software/php-5.3.5-debug/ext/mbstring/mb_gpc.c:68
#6  0x011fbec5 in php_hash_environment () at /home/files/software/php-5.3.5-debug/main/php_variables.c:684
#7  0x011e9f42 in php_request_startup () at /home/files/software/php-5.3.5-debug/main/main.c:1440
#8  0x0131f905 in php_apache_request_ctor (r=0x8ac8730, ctx=0x8ab6f50) at /home/files/software/php-5.3.5-debug/sapi/apache2handler/sapi_apache2.c:504
#9  0x0131fec6 in php_handler (r=0x8ac8730) at /home/files/software/php-5.3.5-debug/sapi/apache2handler/sapi_apache2.c:620
#10 0x0807c3f9 in ap_run_handler (r=0x8ac8730) at config.c:157
#11 0x0807f57e in ap_invoke_handler (r=0x8ac8730) at config.c:376
#12 0x080aa8d8 in ap_process_request (r=0x8ac8730) at http_request.c:282
#13 0x080a7abb in ap_process_http_connection (c=0x8aa7a20) at http_core.c:190
#14 0x08083539 in ap_run_process_connection (c=0x8aa7a20) at connection.c:43
#15 0x080be38d in child_main (child_num_arg=<value optimized out>) at prefork.c:662
#16 0x080be5d3 in make_child (s=0x80f7e58, slot=0) at prefork.c:702
#17 0x080bf3ac in ap_mpm_run (_pconf=0x80f0550, plog=0x812e648, s=0x80f7e58) at prefork.c:978
#18 0x08069cb5 in main (argc=135193928, argv=0x8aa5840) at main.c:740
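The backtrace above ends in add_assoc_string_ex() being handed str=0x0 for the "temp_filename" key, and ZVAL_STRING dereferences it. The C program below is an added example modelled on that call path; it is not APC's or PHP's own code. It builds a toy progress array with an unguarded add that fails the same way, and a file-end handler that validates every value before duplicating it, so a missing temp file name shows up as an absent key instead of a dead Apache worker. The struct, the field and function names, and the sample event are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the file-end progress event (event=4 in frame #1).
   Field names are assumptions for the example, not APC's definitions. */
typedef struct {
    const char *name;           /* form field name */
    const char *filename;       /* client-supplied file name */
    const char *temp_filename;  /* server-side temp path; NULL is the crashing case (str=0x0) */
} file_end_event;

#define MAX_FIELDS 8

/* Toy key/value table standing in for the Zend array the hook fills. */
typedef struct {
    const char *key[MAX_FIELDS];
    char       *val[MAX_FIELDS];
    int         count;
} progress_array;

/* Plain copy of a C string. strlen(NULL) faults, which is the same shape of
   failure as ZVAL_STRING(tmp, str, duplicate) with str == NULL. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL) {
        memcpy(copy, s, n);
    }
    return copy;
}

/* Unguarded add, mirroring the add_assoc_string_ex() call in frame #0:
   the value is duplicated without a NULL check. Shown for contrast only;
   the handler below never uses it. */
void add_string_unguarded(progress_array *a, const char *key, const char *str)
{
    a->key[a->count] = key;
    a->val[a->count] = dup_str(str);   /* faults when str == NULL */
    a->count++;
}

/* Guarded add: refuses a NULL value or a full table and reports it. */
static int add_string_guarded(progress_array *a, const char *key, const char *str)
{
    if (str == NULL || a->count >= MAX_FIELDS) {
        return -1;
    }
    char *copy = dup_str(str);
    if (copy == NULL) {
        return -1;
    }
    a->key[a->count] = key;
    a->val[a->count] = copy;
    a->count++;
    return 0;
}

/* File-end handler. Returns how many fields were absent (NULL) and skipped,
   so a consumer can notice a missing "temp_filename" instead of the
   process dying. */
int handle_file_end(const file_end_event *ev, progress_array *out)
{
    int skipped = 0;
    out->count = 0;
    skipped += add_string_guarded(out, "name", ev->name) != 0;
    skipped += add_string_guarded(out, "filename", ev->filename) != 0;
    skipped += add_string_guarded(out, "temp_filename", ev->temp_filename) != 0;
    return skipped;
}

/* Look up a stored value; NULL when the key was never added. */
const char *progress_get(const progress_array *a, const char *key)
{
    for (int i = 0; i < a->count; i++) {
        if (strcmp(a->key[i], key) == 0) {
            return a->val[i];
        }
    }
    return NULL;
}

void progress_free(progress_array *a)
{
    for (int i = 0; i < a->count; i++) {
        free(a->val[i]);
    }
    a->count = 0;
}

int main(void)
{
    /* Constructed event with a NULL temp_filename, as in frame #0. */
    file_end_event ev = { "file", "report.pdf", NULL };
    progress_array a;

    int skipped = handle_file_end(&ev, &a);
    printf("skipped %d field(s); temp_filename %s\n", skipped,
           progress_get(&a, "temp_filename") ? "present" : "absent");
    progress_free(&a);
    return 0;
}
```

The guarded path keeps the rest of the progress record (name, filename) usable, so the polling side can distinguish "upload still has no temp file" from "upload finished", which a segfaulting worker never gets to report.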
 [2011-03-18 09:05 UTC] pierre dot php at gmail dot com
3.1.8 should be released soonish
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 27 22:01:28 2024 UTC