Bug #71523 Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec.
Submitted: 2016-02-04 16:19 UTC
Modified: -
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: ryosuke_i_628 at yahoo dot co dot jp
Assigned:
Status: Closed
Package: cURL related
PHP Version: 7.0.3
OS: Irrelevant
Private report: No
CVE-ID:
 [2016-02-04 16:19 UTC] ryosuke_i_628 at yahoo dot co dot jp
Description:
------------
A copied handle yielded by curl_copy_handle() with the new option CURLOPT_HTTPHEADER crashes while curl_multi_exec() is running. The test script causes a segmentation fault in libcurl.

However, there are no problems with the following native C code. I suppose this is a PHP bug.

#include <stdio.h>
#include <curl/curl.h>

void set_header(CURL *ch) {
    struct curl_slist *headers = NULL;
    headers = curl_slist_append(headers, "Foo: Bar");
    curl_easy_setopt(ch, CURLOPT_HTTPHEADER, headers);
}

int main(void) {

    CURL *ch_base, *ch_x, *ch_y;

    CURLM *mh;
    int active;

    mh = curl_multi_init();

    ch_base = curl_easy_init();
    curl_easy_setopt(ch_base, CURLOPT_URL, "http://example.com/");

    ch_x = curl_easy_duphandle(ch_base);
    set_header(ch_x);
    curl_multi_add_handle(mh, ch_x);

    ch_y = curl_easy_duphandle(ch_base);
    set_header(ch_y);
    curl_multi_add_handle(mh, ch_y);

    do {
        curl_multi_perform(mh, &active);
    } while (active);

    return 0;

}


Test script:
---------------
<?php

$base = curl_init('http://example.com/');
$mh = curl_multi_init();

for ($i = 0; $i < 2; ++$i) {
    $ch = curl_copy_handle($base);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ['Foo: Bar']);
    curl_multi_add_handle($mh, $ch);
}

do {
    curl_multi_exec($mh, $active);
} while ($active);

?>

Expected result:
----------------
No errors.

Actual result:
--------------
Segmentation fault.

Stack trace with gdb:

#0  0x00000001010ddc6a in Curl_raw_nequal () from /usr/local/opt/curl/lib/libcurl.4.dylib
#1  0x00000001010b81f0 in Curl_checkheaders () from /usr/local/opt/curl/lib/libcurl.4.dylib
#2  0x00000001010b6553 in Curl_http () from /usr/local/opt/curl/lib/libcurl.4.dylib
#3  0x00000001010c966d in Curl_do () from /usr/local/opt/curl/lib/libcurl.4.dylib
#4  0x00000001010d7cad in multi_runsingle () from /usr/local/opt/curl/lib/libcurl.4.dylib
#5  0x00000001010d7488 in curl_multi_perform () from /usr/local/opt/curl/lib/libcurl.4.dylib
#6  0x000000010019e52f in zif_curl_multi_exec (execute_data=<optimized out>, return_value=0x102216190)
    at ext/curl/multi.c:240
#7  0x00000001004775f7 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x1010f1c6b)
    at Zend/zend_vm_execute.h:586
#8  0x00000001004428f8 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:417
#9  0x0000000100442bd9 in zend_execute (op_array=0x1010f1c6b, return_value=<optimized out>)
    at Zend/zend_vm_execute.h:458
#10 0x000000010040343b in zend_execute_scripts (type=0, retval=0x0, file_count=206956997)
    at Zend/zend.c:1428
#11 0x000000010039ede8 in php_execute_script (primary_file=0x101472e70) at main/main.c:2471
#12 0x0000000100493c31 in do_cli (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:974
#13 0x0000000100492a85 in main (argc=2, argv=0x7fff5fbff628) at sapi/cli/php_cli.c:1345

History

 [2016-02-05 11:53 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5fdfab743d964bb13602effc9efcd6f747e2f58c
Log: Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec)
 [2016-02-05 11:53 UTC] laruence@php.net
-Status: Open
+Status: Closed
 