Bug #69831 Segmentation fault in curl_getinfo
Submitted: 2015-06-14 14:56 UTC Modified: -
From: im dot denisenko at yahoo dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-06-14 (Git) OS: Ubuntu 14.10
Private report: No CVE-ID:
 [2015-06-14 14:56 UTC] im dot denisenko at yahoo dot com
Description:
------------
We are trying to get a green build for the Elastica library and PHP 7.
Our tests fail due to a segmentation fault from the curl extension.
A full description of the issue in the context of our library can be found here: https://github.com/ruflin/Elastica/issues/861#issuecomment-107101112

Basically, when curl_getinfo is called on a curl handle with the CURLINFO_HEADER_OUT option enabled and without a second argument, it causes a segfault under certain conditions.

It was probably broken in https://github.com/php/php-src/commit/763cee63abbb316132de40082eb151fce7bd504d, but I'm not sure about it.

Test script:
---------------
https://gist.github.com/im-denisenko/7ad6c84353c2acc807bf 

This gist looks like a kind of magic, but every line there is required to demonstrate the error.

Expected result:
----------------
No segfault.

Actual result:
--------------
#0  0x00000000008de7ad in zend_assign_to_variable (variable_ptr=0x7f5fbec74c88, value=0x7f5fbec141a0, value_type=16 '\020') at /opt/php-src/Zend/zend_execute.h:78
#1  0x00000000008e1a4d in zend_assign_to_object (retval=0x0, object=0x7f5fbec14150, object_op_type=8, property_name=0x7f5fbec7f130, property_op_type=1, value_type=16, 
    value_op=..., execute_data=0x7f5fbec14130, cache_slot=0x7f5fbec036b0) at /opt/php-src/Zend/zend_execute.c:1045
#2  0x000000000091d742 in ZEND_ASSIGN_OBJ_SPEC_UNUSED_CONST_HANDLER () at /opt/php-src/Zend/zend_vm_execute.h:24020
#3  0x00000000008e5da2 in execute_ex (ex=0x7f5fbec14030) at /opt/php-src/Zend/zend_vm_execute.h:394
#4  0x00000000008e5eb8 in zend_execute (op_array=0x7f5fbec8a000, return_value=0x0) at /opt/php-src/Zend/zend_vm_execute.h:434
#5  0x000000000088a6c1 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-src/Zend/zend.c:1389
#6  0x00000000007f4ddb in php_execute_script (primary_file=0x7fff56101650) at /opt/php-src/main/main.c:2475
#7  0x000000000095136c in do_cli (argc=2, argv=0x2a21ac0) at /opt/php-src/sapi/cli/php_cli.c:967
#8  0x0000000000952524 in main (argc=2, argv=0x2a21ac0) at /opt/php-src/sapi/cli/php_cli.c:1334


History

 [2015-06-14 15:01 UTC] im dot denisenko at yahoo dot com
Described problem disappears with this patch:

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 6e76ba8..cae8c46 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -3008,7 +3008,7 @@ PHP_FUNCTION(curl_getinfo)
        }
 #endif
        if (ch->header.str) {
-           CAASTR("request_header", ch->header.str);
+           CAASTR("request_header", zend_string_copy(ch->header.str));
        }
    } else {
        switch (option) {
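Review bot: the one-line change inside the `if (ch->header.str)` block is the right fix. CAASTR hands the zend_string to the returned array without adding a reference, so before the patch the curl handle and the result array both believed they owned `ch->header.str`, and whichever was destroyed first left the other holding a freed pointer (which is how the crash surfaces in zend_assign_to_variable once the array is assigned). `zend_string_copy()` adds a reference so each owner releases only its own. Two things to add alongside the hunk: the commit log should say that only the no-second-argument path is affected (the array-building branch above `} else { switch (option) {`), and the reporter's reproduction script should land in ext/curl/tests as a regression test so the ownership rule on that branch stays enforced.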
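To make the ownership mistake behind the patch concrete, here is an added C model (written for this page, not PHP's zend_string or ext/curl code) of a refcounted string shared between a handle and a returned array. The names rc_string, curl_handle, info_array and run_lifecycle are constructed for the illustration; the request line inside is constructed sample data. The model keeps the string header alive after release so that a second release is reported as -1 instead of becoming the real engine's use-after-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model (not PHP's zend_string): a refcounted string whose
 * header stays allocated after release so a double release can be detected. */
typedef struct {
    int refcount;   /* live references; the buffer is freed when it reaches 0 */
    int freed;      /* set once the buffer is gone */
    char *val;
} rc_string;

/* Create a string with one reference, owned by the caller. */
static rc_string *rc_string_init(const char *s)
{
    rc_string *str = malloc(sizeof *str);
    size_t len = strlen(s) + 1;
    str->refcount = 1;
    str->freed = 0;
    str->val = malloc(len);
    memcpy(str->val, s, len);
    return str;
}

/* Add a reference; stands in for zend_string_copy(). */
static rc_string *rc_string_copy(rc_string *s)
{
    s->refcount++;
    return s;
}

/* Drop one reference. Returns 0 while references remain, 1 when this call
 * freed the buffer, and -1 when the buffer was already gone (the double
 * release that is a use-after-free in a real engine). */
static int rc_string_release(rc_string *s)
{
    if (s->freed) {
        return -1;
    }
    if (--s->refcount > 0) {
        return 0;
    }
    free(s->val);
    s->val = NULL;
    s->freed = 1;
    return 1;
}

/* Toy bookkeeping: free the header once no owner can touch it again. */
static void rc_string_destroy(rc_string *s) { free(s); }

/* Toy stand-ins for the curl handle and the array curl_getinfo() returns. */
typedef struct { rc_string *header; } curl_handle;
typedef struct { rc_string *request_header; } info_array;

/* Like add_assoc_str(): the array takes ownership of the string it is handed
 * and releases it when the array is destroyed; no reference is added here. */
static int info_array_free(info_array *a)
{
    return rc_string_release(a->request_header);
}

/* fixed == 0 mirrors the removed line (hand over the handle's string as-is);
 * fixed == 1 mirrors the added line (hand over a copy, i.e. one more reference). */
static void build_info(curl_handle *ch, info_array *out, int fixed)
{
    out->request_header = fixed ? rc_string_copy(ch->header) : ch->header;
}

/* Lifecycle: create the handle, call getinfo, discard the returned array,
 * then close the handle. Returns the handle's own release result:
 * 1 = it freed the last reference cleanly, -1 = the array already freed it. */
int run_lifecycle(int fixed)
{
    curl_handle ch;
    info_array info;
    int result;

    ch.header = rc_string_init("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"); /* constructed */
    build_info(&ch, &info, fixed);

    info_array_free(&info);                 /* the script drops the array */
    result = rc_string_release(ch.header);  /* curl_close() releases the handle */

    rc_string_destroy(ch.header);
    return result;
}

/* Reference count the array sees right after getinfo: 1 buggy, 2 fixed. */
int refcount_after_getinfo(int fixed)
{
    curl_handle ch;
    info_array info;
    int rc;

    ch.header = rc_string_init("GET / HTTP/1.1\r\n"); /* constructed */
    build_info(&ch, &info, fixed);
    rc = info.request_header->refcount;

    if (fixed) {
        info_array_free(&info);   /* the buggy path has only one reference to drop */
    }
    rc_string_release(ch.header);
    rc_string_destroy(ch.header);
    return rc;
}

int main(void)
{
    printf("buggy path: handle release -> %d (refcount after getinfo %d)\n",
           run_lifecycle(0), refcount_after_getinfo(0));
    printf("fixed path: handle release -> %d (refcount after getinfo %d)\n",
           run_lifecycle(1), refcount_after_getinfo(1));
    return 0;
}
```

The point the model makes is the one the hunk fixes: a container API that takes ownership must be handed a reference the caller is willing to give up. When the caller keeps using the string afterwards (the handle still points at its header), the caller has to create that extra reference first, which is exactly what zend_string_copy() does.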
 [2015-06-14 15:13 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b7e477a8f9096d35360e23224849e70947eaefec
Log: Fixed bug #69831 (Segmentation fault in curl_getinfo)
 [2015-06-14 15:13 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b7e477a8f9096d35360e23224849e70947eaefec
Log: Fixed bug #69831 (Segmentation fault in curl_getinfo)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b7e477a8f9096d35360e23224849e70947eaefec
Log: Fixed bug #69831 (Segmentation fault in curl_getinfo)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 21 08:01:41 2017 UTC