Bug #60477 Segfault after two multipart/form-data POST requests, one 200 RQ and one 404
Submitted: 2011-12-09 04:05 UTC Modified: 2011-12-09 05:55 UTC
From: reeze dot xia at gmail dot com Assigned: laruence
Status: Closed Package: Built-in web server
PHP Version: trunk-SVN-2011-12-09 (SVN) OS: Mac OS X 10.6.7
Private report: No CVE-ID:
 [2011-12-09 04:05 UTC] reeze dot xia at gmail dot com
Description:
------------
Posting two multipart/form-data requests to the cli-server, one 200 request and one 404 
request, will cause the cli-server to segfault. If debug is enabled, the server exits with 
a message: "in-consist hashtable".

Test script:
---------------
1. Start the cli-server
2. Touch a simple empty PHP script
3. Make the requests
  $ curl --form a=b  "http://localhost:8000/file.php"
  $ curl --form a=b  "http://localhost:8000/file-non-exist.php"

Expected result:
----------------
The server responds correctly: one 200 and one 404 response.

Actual result:
--------------
The first request is answered correctly, but the server segfaults after the second (404) request.

(gdb) bt
#0  0x0000000100250da5 in _zend_mm_free_int (heap=0x101000000, p=0x100670b60) at zend_alloc.c:2097
#1  0x0000000100224e4f in destroy_uploaded_files_hash () at rfc1867.c:199
#2  0x00000001002219f2 in sapi_deactivate () at SAPI.c:535
#3  0x0000000100306b5e in php_cli_server_send_error_page (server=0x7fff5fbfa560, client=0x100b51170, status=404) at php_cli_server.c:1755
#4  0x00000001003046ad in php_cli_server_dispatch [inlined] () at /Volumes/Dev/Opensources/php-src-5.4/sapi/cli/php_cli_server.c:1851
#5  0x00000001003046ad in php_cli_server_recv_event_read_request (server=0x7fff5fbfe790, client=0x100670b60) at php_cli_server.c:2180
#6  0x0000000100305ef5 in php_cli_server_do_event_for_each_fd_callback [inlined] () at /Volumes/Dev/Opensources/php-src-5.4/sapi/cli/php_cli_server.c:2271
#7  php_cli_server_do_event_for_each_fd [inlined] () at php_cli_server.c:767
#8  php_cli_server_poller_iter_on_active [inlined] () at /Volumes/Dev/Opensources/php-src-5.4/sapi/cli/php_cli_server.c:2302
#9  php_cli_server_do_event_loop [inlined] () at /Volumes/Dev/Opensources/php-src-5.4/sapi/cli/php_cli_server.c:2292
#10 0x0000000100305ef5 in do_cli_server (argc=4, argv=0x10) at php_cli_server.c:2403
#11 0x00000001002ffb94 in main (argc=1606414960, argv=0x7fff5fbff298) at php_cli.c:1359


Patches

Fix-segfault-after-two-multipart-form-data-POST-and-404-request (last revision 2011-12-09 04:08 UTC by reeze dot xia at gmail dot com)

History

 [2011-12-09 04:18 UTC] reeze dot xia at gmail dot com
Hi, the 5.4RC3 and the trunk have this bug. 
After tracing the core, I found that SG(rfc1867_uploaded_files) didn't get set to NULL 
when the SAPI deactivates.
When trying to free SG(rfc1867_uploaded_files), the server will dump core on 
the next form-data POST request.
So it's a simple one-line fix.
I have attached a patch for this; the patch was tested on Mac OS X 10.6.7 & Redhat 
Linux.

thx.
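
The failure mode described in the comment above (a global pointer that is freed at request teardown but not reset, then freed again by the next request's teardown), as an added example that is not PHP source and not the attached patch. The names `uploaded_files`, `deactivate` and `run_sequence` are hypothetical, and the model assumes the 404 path reaches teardown without repopulating the pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not PHP source. A fixed pool stands in for the heap so a
 * second release of the same object is counted instead of corrupting memory. */
struct table { int live; };
static struct table pool[4];
static size_t next_slot;
static int double_frees;

/* Models the per-process global SG(rfc1867_uploaded_files). */
static struct table *uploaded_files;

static struct table *table_new(void) {
    struct table *t = &pool[next_slot++];
    t->live = 1;
    return t;
}

static void table_release(struct table *t) {
    if (!t->live) { double_frees++; return; }  /* already freed: the crash site */
    t->live = 0;
}

/* Request teardown. null_after_free selects the reset-after-free behaviour. */
static void deactivate(int null_after_free) {
    if (uploaded_files) {
        table_release(uploaded_files);
        if (null_after_free) uploaded_files = NULL;
    }
}

/* Request 1 (200) parses an upload; request 2 (404) goes straight to the
 * error page and teardown (assumed: it never repopulates the pointer). */
int run_sequence(int null_after_free) {
    next_slot = 0; double_frees = 0; uploaded_files = NULL;
    uploaded_files = table_new();   /* multipart body parsed */
    deactivate(null_after_free);    /* end of 200 request */
    deactivate(null_after_free);    /* end of 404 request */
    return double_frees;
}

int main(void) {
    printf("without reset: %d double free(s)\n", run_sequence(0));
    printf("with reset:    %d double free(s)\n", run_sequence(1));
    return 0;
}
```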
 [2011-12-09 04:20 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2011-12-09 05:37 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=320716
Log: Fixed bug #60477 (Segfault after two multipart/form-data POST requests)
 [2011-12-09 05:39 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I made a different patch, since main/SAPI.c is used by many other SAPIs, and 
this bug should be fixed in the built-in server.

Thanks for your work.
 [2011-12-09 05:39 UTC] laruence@php.net
-Summary: Segfault after two multipart/form-data POST requestes, one 200 RQ and one 404 +Summary: Segfault after two multipart/form-data POST requestes -Status: Assigned +Status: Open
 [2011-12-09 05:47 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2011-12-09 05:55 UTC] laruence@php.net
-Summary: Segfault after two multipart/form-data POST requestes +Summary: Segfault after two multipart/form-data POST requests, one 200 RQ and one 404
 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3f60731a097f7e0e737c0ac5ff519f4b1d137ee2
Log: Fixed bug #60477 (Segfault after two multipart/form-data POST requests)
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3f60731a097f7e0e737c0ac5ff519f4b1d137ee2
Log: Fixed bug #60477 (Segfault after two multipart/form-data POST requests)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3f60731a097f7e0e737c0ac5ff519f4b1d137ee2
Log: Fixed bug #60477 (Segfault after two multipart/form-data POST requests)