Bug #68937 Segfault in curl_multi_exec
Submitted: 2015-01-28 20:23 UTC
Modified: 2015-01-30 04:01 UTC
From: danack@php.net
Assigned:
Status: Closed
Package: cURL related
PHP Version: master-Git-2015-01-28 (Git)
OS: Centos 64bit
Private report: No
CVE-ID:
 [2015-01-28 20:23 UTC] danack@php.net
Description:
------------
Segfault occurs in curl_multi_exec when testing a simple script.

Test script:
---------------
Test script here:

https://gist.github.com/Danack/ce6be556842d645ab0ce

It uses the Amazon PHP sdk.

Expected result:
----------------
Code should not segfault

Actual result:
--------------
==8799== Invalid read of size 4
==8799==    at 0x56BF53: curl_read (zend_types.h:696)
==8799==    by 0x5C29F26: Curl_fillreadbuffer (in /usr/lib64/libcurl.so.4.1.1)
==8799==    by 0x5C2B04B: Curl_readwrite (in /usr/lib64/libcurl.so.4.1.1)
==8799==    by 0x5C31745: ??? (in /usr/lib64/libcurl.so.4.1.1)
==8799==    by 0x5C31DB2: curl_multi_perform (in /usr/lib64/libcurl.so.4.1.1)
==8799==    by 0x573369: zif_curl_multi_exec (multi.c:222)
==8799==    by 0x8C600B: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==8799==    by 0x86F39F: execute_ex (zend_vm_execute.h:352)
==8799==    by 0x824F0B: zend_call_function (zend_execute_API.c:835)
==8799==    by 0x853E7C: zend_call_method (zend_interfaces.c:101)
==8799==    by 0x86741F: zend_std_call_user_call (zend_object_handlers.c:912)
==8799==    by 0x8C600B: ZEND_DO_FCALL_SPEC_HANDLER (zend_vm_execute.h:596)
==8799==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

 [2015-01-29 09:24 UTC] mbeccati@php.net
It looks like ch->handlers->read->res is NULL inside curl_read

Also, with 5.6 curl_read is called with:
"PUT /rpm.example.com/LICENSE.md HTTP/1.1\r\nHost: s3-eu-..."

whereas master's curl_read gets "PUT / HTTP/1.1\r\nHost: s3-eu-..."
 [2015-01-29 11:38 UTC] laruence@php.net
Are you able to refine it to a simple script?

I cannot find the "autoload.php" in your example.

thanks
 [2015-01-29 12:49 UTC] danack@php.net
Hi Laruence,

No, I'm not able to reduce it to a simple script. This is testing the Amazon AWS SDK, which is massive and I don't think it would be trivial to reproduce this bug outside of that SDK.

However there are instructions on how to setup the example in the test script:

// Download https://github.com/aws/aws-sdk-php and stick this file
// in the root directory and do a composer update.
 [2015-01-29 12:55 UTC] danack@php.net
mbeccati,

> Also, with 5.6 curl_read is called with:
> "PUT /rpm.example.com/LICENSE.md HTTP/1.1\r\nHost: s3-eu-..."
>
> whereas master's curl_read gets "PUT / HTTP/1.1\r\nHost: s3-eu-..."

That would explain the large number of errors related to URLs that occur when running the test suite for the AWS sdk. The test suite for the AWS sdk is in that repo, but is only available if you 'git clone' it, as the zip archive has the test suite excluded, and is run with 'make test'. It has no errors on 5.6 and lots of seemingly related ones in 7.
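The following script is an added example, not the reporter's test script and not part of php-src or the AWS SDK. It exercises the same code path the valgrind trace shows (a PUT issued through curl_multi_exec whose body libcurl pulls via PHP's curl_read callback from a stream resource set with CURLOPT_INFILE) without the SDK, and it captures the outgoing request headers with CURLINFO_HEADER_OUT so the request line ("PUT /LICENSE.md ..." versus "PUT / ...") can be compared between builds as mbeccati did above. The target URL is a placeholder (an assumption: any HTTP server that accepts PUT on the loopback interface), and whether this reduced script actually triggers the crash is not established, since the reporter could not reduce the bug outside the SDK.

```php
<?php
// Added example (not from the bug report). Drives a PUT with a stream body
// through the curl_multi API and prints the request headers libcurl sent.
// PUT_URL is an assumed target; point it at any local server accepting PUT.

$url = getenv('PUT_URL') ?: 'http://127.0.0.1:8080/LICENSE.md';

// Constructed upload body held in a stream resource, as an SDK upload would
// supply it. PHP's curl_read callback reads from this resource.
$body = fopen('php://temp', 'r+');
fwrite($body, str_repeat("example upload payload\n", 64));
rewind($body);
$size = fstat($body)['size'];

$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_UPLOAD         => true,   // libcurl issues PUT for uploads
    CURLOPT_INFILE         => $body,  // body comes from the stream resource
    CURLOPT_INFILESIZE     => $size,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
]);
// PHP quirk: passing CURLINFO_HEADER_OUT to curl_setopt makes the outgoing
// request headers retrievable with curl_getinfo() afterwards.
curl_setopt($ch, CURLINFO_HEADER_OUT, true);

$mh = curl_multi_init();
curl_multi_add_handle($mh, $ch);

// Standard multi loop: keep calling curl_multi_exec until nothing is running.
$running = 0;
do {
    $status = curl_multi_exec($mh, $running);
    if ($running) {
        curl_multi_select($mh, 1.0);
    }
} while ($running && $status === CURLM_OK);

// Report each finished transfer so a non-crashing run is still informative.
while (($info = curl_multi_info_read($mh)) !== false) {
    $h = $info['handle'];
    printf("result=%d (%s) http_code=%d\n",
        $info['result'],
        curl_strerror($info['result']),
        curl_getinfo($h, CURLINFO_HTTP_CODE));
    // First line here is the request line to compare across PHP versions.
    echo "--- request headers sent ---\n";
    echo curl_getinfo($h, CURLINFO_HEADER_OUT), "\n";
}

curl_multi_remove_handle($mh, $ch);
curl_multi_close($mh);
curl_close($ch);
fclose($body);
```

Run it under valgrind against a local server that accepts PUT (for example `PUT_URL=http://127.0.0.1:8080/LICENSE.md valgrind php put-multi.php`); if the read callback is reached with a NULL resource the trace should match the one in the report, and the printed request line shows whether the path part of the URL survived.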
 [2015-01-30 04:01 UTC] laruence@php.net
Damned, composer is blocked in China....
 [2015-01-30 05:13 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73288bbea498351a3123bb60d1ebafe477bd12a3
Log: Fixed bug #68937 (Segfault in curl_multi_exec)
 [2015-01-30 05:13 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:39 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73288bbea498351a3123bb60d1ebafe477bd12a3
Log: Fixed bug #68937 (Segfault in curl_multi_exec)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon May 29 04:01:35 2017 UTC