Bug #72221 Segmentation fault in stream_get_line()
Submitted: 2016-05-16 09:31 UTC Modified: -
Votes: 1
Avg. Score: 4.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: a dot cobest at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.0.6 OS: Linux, MacOS
Private report: No CVE-ID:
 [2016-05-16 09:31 UTC] a dot cobest at gmail dot com
Description:
------------
We have one combined text file. The text file contains the PNG files as base64 (data-url). All PNG files are identical. If you try to read all of them, an error (segmentation fault) occurs.

The error occurs in the process of reading the base64 (see backtrace below).

The error cannot be reproduced with just any base64 (the bug is reproduced with the file linked below).
The error cannot be reproduced with a text file that contains only one base64 PNG file.
The error cannot be reproduced with just any delimiter (the delimiter must have more than 3 characters and include letters and punctuation).

Link to problem file: https://www.dropbox.com/s/5yyi7nrsz0nviq8/test.txt?dl=1

Bug reproduced in PHP 7.0.4, 7.0.5, 7.0.6.

GDB backtrace (PHP 7.0.6):
Program received signal SIGSEGV, Segmentation fault.
0x0000000100406113 in zend_memnstr_ex (
    haystack=0x106205ffe "kZRMT0rrspSBNwbpKW9OvfsP0/ab4bnrGPUQ9RD10Dr4hllPwYpkkYQVCZYmlpPZvxHejNJKQPCY5THIQ5yAs1HOscA7BbHPzHuMMxmmM635BdA6+KY4ZLjFSYqTISEtmodpq5mua/CIGmmNvyNSIqWUhTx3fVQ3WOKgwtcRBzEHIQcBgwECBwoChPIU5pLbasZsdaXm"..., needle=0x101202d18 "- e", needle_len=3, end=0x106207ffd "SFY"<error: Cannot access memory at address 0x106208000>) at Zend/zend_operators.c:2930
2930			p += td[(unsigned char)(p[needle_len])];
(gdb) bt
#0  0x0000000100406113 in zend_memnstr_ex (
    haystack=0x106205ffe "kZRMT0rrspSBNwbpKW9OvfsP0/ab4bnrGPUQ9RD10Dr4hllPwYpkkYQVCZYmlpPZvxHejNJKQPCY5THIQ5yAs1HOscA7BbHPzHuMMxmmM635BdA6+KY4ZLjFSYqTISEtmodpq5mua/CIGmmNvyNSIqWUhTx3fVQ3WOKgwtcRBzEHIQcBgwECBwoChPIU5pLbasZsdaXm"..., needle=0x101202d18 "- e", needle_len=3, end=0x106207ffd "SFY"<error: Cannot access memory at address 0x106208000>) at Zend/zend_operators.c:2930
#1  0x000000010038727f in zend_memnstr (
    haystack=0x106205ffe "kZRMT0rrspSBNwbpKW9OvfsP0/ab4bnrGPUQ9RD10Dr4hllPwYpkkYQVCZYmlpPZvxHejNJKQPCY5THIQ5yAs1HOscA7BbHPzHuMMxmmM635BdA6+KY4ZLjFSYqTISEtmodpq5mua/CIGmmNvyNSIqWUhTx3fVQ3WOKgwtcRBzEHIQcBgwECBwoChPIU5pLbasZsdaXm"..., needle=0x101202d18 "- e", needle_len=3, end=0x106208000 <error: Cannot access memory at address 0x106208000>)
    at /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_lang_php/php70/work/php-7.0.6/Zend/zend_operators.h:182
#2  0x00000001003826b5 in _php_stream_search_delim (stream=0x101260a00, maxlen=10000000, skiplen=2121726, delim=0x101202d18 "- e", delim_len=3) at main/streams/streams.c:1002
#3  0x0000000100382372 in php_stream_get_record (stream=0x101260a00, maxlen=10000000, delim=0x101202d18 "- e", delim_len=3) at main/streams/streams.c:1050
#4  0x000000010029dbd1 in zif_stream_get_line (execute_data=0x101215180, return_value=0x101215140) at ext/standard/streamsfuncs.c:1324
#5  0x00000001004721c1 in execute_internal (execute_data=0x101215180, return_value=0x101215140) at Zend/zend_execute.c:2036
#6  0x0000000100f67f6c in xdebug_execute_internal () from /opt/local/lib/php70/extensions/debug-non-zts-20151012/xdebug.so
#7  0x000000010049f040 in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x101215030) at Zend/zend_vm_execute.h:844
#8  0x00000001004dfaa0 in ZEND_USER_OPCODE_SPEC_HANDLER (execute_data=0x101215030) at Zend/zend_vm_execute.h:1589
#9  0x0000000100473b54 in execute_ex (ex=0x101215030) at Zend/zend_vm_execute.h:417
#10 0x0000000100f67af0 in xdebug_execute_ex () from /opt/local/lib/php70/extensions/debug-non-zts-20151012/xdebug.so
#11 0x0000000100473cc0 in zend_execute (op_array=0x101267600, return_value=0x0) at Zend/zend_vm_execute.h:458
#12 0x000000010040ca43 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at Zend/zend.c:1427
#13 0x000000010035b726 in php_execute_script (primary_file=0x7fff5fbff368) at main/main.c:2494
#14 0x00000001005087a3 in do_cli (argc=3, argv=0x7fff5fbffa80) at sapi/cli/php_cli.c:974
#15 0x00000001005075ce in main (argc=3, argv=0x7fff5fbffa80) at sapi/cli/php_cli.c:1344

Test script:
---------------
<?php
// Read the combined file record by record; each record ends with the "-- end --" delimiter.
$file = $_SERVER["argv"][1];
$fp = fopen(realpath($file), "r");

while (!feof($fp)) {
    $line = stream_get_line($fp, 10000000, "-- end --");
}

fclose($fp);
echo "Done\n";

Expected result:
----------------
Done

Actual result:
--------------
segmentation fault

History

 [2016-05-16 10:13 UTC] a dot cobest at gmail dot com
In the backtrace the delimiter '- e' was used in the code instead of '-- end --'.
 [2016-05-16 13:02 UTC] a dot cobest at gmail dot com
The error occurs if the delimiter has a partial match before. I think there is an invalid reset of internal pointers when the delimiter is not matched to the substring but has some matched characters.
 [2016-05-21 16:13 UTC] lauri dot kentta at gmail dot com
This is caused by a past-the-end access in zend_memnstr_ex.
https://github.com/php/php-src/pull/1916
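To make the reporter's partial-match observation and the "past-the-end access" concrete, here is an added C model written for this page, not code from php-src: it assumes a simplified Sunday-style shift loop of the shape seen at zend_operators.c:2930 (`p += td[p[needle_len]]`), stops before the shift would read the byte at `end`, and counts how often an unchecked loop would have read it.

```c
#include <stddef.h>
#include <string.h>

/* Shift table of a Sunday-style search: distance to advance the window
 * when the byte just past it is c (n + 1 if c is not in the needle). */
static void build_shift(size_t td[256], const char *needle, size_t n)
{
    for (size_t c = 0; c < 256; c++) td[c] = n + 1;
    for (size_t i = 0; i < n; i++) td[(unsigned char)needle[i]] = n - i;
}

/* Find needle in [haystack, end). The shift reads p[n], the byte after the
 * current window; at the last window that byte is *end, outside the buffer
 * (in the report it sat on an unmapped page, hence the SIGSEGV). This version
 * stops before that read and, if oob_reads is given, counts how often an
 * unchecked loop would have performed it. */
static const char *memnstr_checked(const char *haystack, const char *needle,
                                   size_t n, const char *end, int *oob_reads)
{
    size_t td[256];
    if (n == 0 || (size_t)(end - haystack) < n) return NULL;
    build_shift(td, needle, n);
    const char *last = end - n;            /* last window start that fits */
    for (const char *p = haystack; p <= last; ) {
        if (memcmp(p, needle, n) == 0) return p;
        if (p == last) {                   /* p[n] == *end: never read it */
            if (oob_reads) (*oob_reads)++;
            return NULL;
        }
        p += td[(unsigned char)p[n]];      /* here p + n < end: in bounds */
    }
    return NULL;
}

/* Offset of needle in the first len bytes of hay, or -1 if absent. */
long find_offset(const char *hay, size_t len, const char *needle, int *oob)
{
    const char *r = memnstr_checked(hay, needle, strlen(needle), hay + len, oob);
    return r ? (long)(r - hay) : -1;
}

/* Number of past-the-end reads an unchecked search would make on this input.
 * Constructed trigger: a buffer ending in the partial delimiter "-- en" makes
 * the shifts land exactly on the last window, e.g. "123456789-- en". */
int oob_count(const char *hay, size_t len, const char *needle)
{
    int oob = 0;
    find_offset(hay, len, needle, &oob);
    return oob;
}
```

A buffer exactly `needle_len` bytes long with no match is the minimal trigger; the partial match the reporter noticed only steers the shifts onto that last window.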
 [2016-05-28 08:12 UTC] laruence@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=287f9489d840f0e2c192c8db9fe69f7b03bb8af5
Log: Fix bug #72221 (segfault, past-the-end access)
 [2016-05-28 08:12 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-05-28 08:12 UTC] laruence@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=26fa27d760c7b119805ba6d9db624f479d9b9fc8
Log: Fix bug #72221 (segfault, past-the-end access)
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=287f9489d840f0e2c192c8db9fe69f7b03bb8af5
Log: Fix bug #72221 (segfault, past-the-end access)
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=26fa27d760c7b119805ba6d9db624f479d9b9fc8
Log: Fix bug #72221 (segfault, past-the-end access)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Thu Jul 27 06:01:38 2017 UTC