Bug #69320 libmagic crash when running laravel tests
Submitted: 2015-03-28 18:29 UTC Modified: 2015-03-29 16:37 UTC
From: nikic@php.net Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-03-28 (Git) OS:
Private report: No CVE-ID: None
 [2015-03-28 18:29 UTC] nikic@php.net
Description:
------------
Running phpunit --filter FilesystemTest::testMimeTypeOutputsMimeType on https://github.com/laravel/framework results in a libmagic crash:

#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:116
#1  0x0000000000928a4a in _estrndup (s=0x7fffef91350a "", length=18446744073709551615, 
    __zend_filename=0xdb5028 "/home/nikic/php-src/ext/fileinfo/libmagic/softmagic.c", 
    __zend_lineno=2017, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/nikic/php-src/Zend/zend_alloc.c:2328
#2  0x000000000062cbdd in magiccheck (ms=0x7fffef8c5700, m=0xd4cae0 <php_magic_database+2639712>)
    at /home/nikic/php-src/ext/fileinfo/libmagic/softmagic.c:2017
#3  0x000000000062818d in match (ms=0x7fffef8c5700, magic=0xac8478 <php_magic_database+248>, 
    nmagic=10786, s=0x7fffef913508 "", nbytes=3, offset=0, mode=64, text=1, flip=0, indir_level=0, 
    name_count=0x7fffffff9b9a, printed_something=0x7fffffff9b9c, need_separator=0x7fffffff9ba0, 
    returnval=0x7fffffff9adc) at /home/nikic/php-src/ext/fileinfo/libmagic/softmagic.c:202
#4  0x0000000000627ed0 in file_softmagic (ms=0x7fffef8c5700, buf=0x7fffef913508 "", nbytes=3, 
    indir_level=0, name_count=0x7fffffff9b9a, mode=64, text=1)
    at /home/nikic/php-src/ext/fileinfo/libmagic/softmagic.c:94
#5  0x000000000061e77c in file_ascmagic_with_encoding (ms=0x7fffef8c5700, 
    buf=0x7fffef601000 "foo", nbytes=3, ubuf=0x13e88e0, ulen=3, code=0xdb4354 "ASCII", 
    type=0xdb4340 "text", text=1) at /home/nikic/php-src/ext/fileinfo/libmagic/ascmagic.c:149
#6  0x000000000061e592 in file_ascmagic (ms=0x7fffef8c5700, buf=0x7fffef601000 "foo", nbytes=3, 
    text=1) at /home/nikic/php-src/ext/fileinfo/libmagic/ascmagic.c:92
#7  0x0000000000624e99 in file_buffer (ms=0x7fffef8c5700, stream=0x7fffef880100, inname=0x0, 
    buf=0x7fffef601000, nb=3) at /home/nikic/php-src/ext/fileinfo/libmagic/funcs.c:264
#8  0x0000000000625fe1 in file_or_stream (ms=0x7fffef8c5700, inname=0x0, stream=0x7fffef880100)
    at /home/nikic/php-src/ext/fileinfo/libmagic/magic.c:410
#9  0x0000000000625d94 in magic_stream (ms=0x7fffef8c5700, stream=0x7fffef880100)
    at /home/nikic/php-src/ext/fileinfo/libmagic/magic.c:347
#10 0x000000000061749b in _php_finfo_get_type (execute_data=0x7ffff181a890, 
    return_value=0x7ffff181a880, mode=2, mimetype_emu=0)
    at /home/nikic/php-src/ext/fileinfo/fileinfo.c:549
#11 0x000000000061768d in zif_finfo_file (execute_data=0x7ffff181a890, return_value=0x7ffff181a880)
    at /home/nikic/php-src/ext/fileinfo/fileinfo.c:587
#12 0x00000000009c21f2 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ()
    at /home/nikic/php-src/Zend/zend_vm_execute.h:691
#13 0x00000000009c1232 in execute_ex (ex=0x7ffff181a5d0)
    at /home/nikic/php-src/Zend/zend_vm_execute.h:394
#14 0x0000000000949fbe in zend_call_function (fci=0x7fffffffa3c0, fci_cache=0x7fffffffa390)
    at /home/nikic/php-src/Zend/zend_execute_API.c:875
#15 0x000000000073b765 in zim_reflection_method_invokeArgs (execute_data=0x7ffff181a550, 
    return_value=0x7ffff181a250) at /home/nikic/php-src/ext/reflection/php_reflection.c:3044
#16 0x00000000009c2915 in ZEND_DO_FCALL_SPEC_HANDLER ()
    at /home/nikic/php-src/Zend/zend_vm_execute.h:827
#17 0x00000000009c1232 in execute_ex (ex=0x7ffff1816030)
    at /home/nikic/php-src/Zend/zend_vm_execute.h:394
#18 0x00000000009c14a5 in zend_execute (op_array=0x7ffff1885000, return_value=0x0)
    at /home/nikic/php-src/Zend/zend_vm_execute.h:434
#19 0x00000000009637c3 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/nikic/php-src/Zend/zend.c:1355

(gdb) f 2
(gdb) p *ms
$2 = {mlist = {0x7fffef8b5d70, 0x7fffef8b5d20}, c = {len = 10, li = 0x7fffef8dd9c0}, o = {
    buf = 0x0, pbuf = 0x0}, offset = 2, error = -1, flags = 16, event_flags = 0, 
  file = 0xdb2545 "unknown", line = 250, search = {s = 0x7fffef91350a "", 
    s_len = 18446744073709551615, offset = 2, rm_len = 0}, ms_value = {b = 102 'f', h = 28518, 
    l = 7303014, q = 7303014, hs = "fo", hl = "foo", hq = "foo\000\000\000\000", 
    s = "foo", '\000' <repeats 60 times>, us = "foo", '\000' <repeats 60 times>, 
    f = 1,02337023e-38, d = 3,6081683284976653e-317}, indir_max = 15, name_max = 30, 
  elf_shnum_max = 32768, elf_phnum_max = 128, elf_notes_max = 256}



 [2015-03-28 18:29 UTC] nikic@php.net
-Assigned To: +Assigned To: ab
 [2015-03-28 18:29 UTC] nikic@php.net
@ab Maybe related to recent libmagic update?
 [2015-03-28 19:22 UTC] ab@php.net
Of course there could be some bugs after upgrade. Looking at the test https://github.com/laravel/framework/blob/5.0/tests/Filesystem/FilesystemTest.php#L228 and at the https://github.com/laravel/framework/blob/5.0/src/Illuminate/Filesystem/Filesystem.php#L186 - the reproduce snippet is as simple as

file_put_contents("foo.txt", "foo");
echo finfo_file(finfo_open(FILEINFO_MIME_TYPE), "foo.txt");

However it doesn't crash for me (and is actually present in the phpt suite, like finfo_file_002.phpt and several others). This part looks not correct

s = 0x7fffef91350a "", 
    s_len = 18446744073709551615

I'll be able to go directly with Laravel tomorrow and also to check the patch again. Though I just have to ask you to ensure you've a clean rebuild. In general, looks really weird as it should be failing all the way on travis if such a simple piece is buggy :)

Thanks.
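
The gdb dump above shows `_estrndup` called with length=18446744073709551615 (SIZE_MAX on a 64-bit build) while the input buffer holds 3 bytes and the search offset is 2. The following is an added example, not code from php-src, libmagic or the fix commit referenced in this report: a hypothetical helper `window_dup` that bounds-checks an (offset, length) window before copying, exercised with the values from the dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from php-src or libmagic): duplicate `len` bytes
 * starting at buf + offset, but only if that window lies inside the
 * nbytes-long buffer. Returns NULL when the window is out of bounds. */
char *window_dup(const char *buf, size_t nbytes, size_t offset, size_t len)
{
    /* Check the offset first so that nbytes - offset cannot wrap. */
    if (buf == NULL || offset > nbytes)
        return NULL;
    /* Compare against the bytes that remain. Computing offset + len
     * instead would itself wrap for a len near SIZE_MAX. */
    if (len > nbytes - offset)
        return NULL;
    /* len + 1 below must not wrap to 0. */
    if (len == SIZE_MAX)
        return NULL;
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf + offset, len);
    copy[len] = '\0';
    return copy;
}

int main(void)
{
    const char buf[] = "foo";      /* same 3-byte input as the report */
    size_t nbytes = 3, offset = 2; /* values taken from the gdb dump */
    size_t bad_len = (size_t)-1;   /* SIZE_MAX, the s_len seen in the dump */

    char *bad = window_dup(buf, nbytes, offset, bad_len);
    printf("len=%zu -> %s\n", bad_len, bad ? "copied" : "rejected");
    free(bad);

    char *ok = window_dup(buf, nbytes, offset, 1);
    printf("len=1 -> \"%s\"\n", ok ? ok : "(rejected)");
    free(ok);
    return 0;
}
```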
 [2015-03-28 19:37 UTC] nikic@php.net
Just did a clean build and still seeing the segfault. It also segfaults on Laravel's travis build, see https://travis-ci.org/laravel/framework/jobs/56238603.

And yeah, your two-line reproduce script segfaults for me as well. But ext/fileinfo tests all run clean.
 [2015-03-29 16:00 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=aeabea4aa91af64db1fa1a592b92496fb5e293ba
Log: Fixed bug #69320 libmagic crash when running laravel tests
 [2015-03-29 16:00 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2015-03-29 16:37 UTC] ab@php.net
Should be fixed now. I guess we have one sec patch to go then. I wanted to pack it into the upgraded patch at once, but seems better to wait it's out with the next 5.x so one can do it cleaner in master.

Thanks.
 [2016-07-20 11:39 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=aeabea4aa91af64db1fa1a592b92496fb5e293ba
Log: Fixed bug #69320 libmagic crash when running laravel tests
 
Last updated: Thu Nov 15 03:01:25 2018 UTC