Bug #74267 segfault with streams and invalid data
Submitted: 2017-03-17 20:27 UTC
Modified: 2017-03-17 20:50 UTC
Votes:3
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: lindsay at notion dot ai
Assigned: (none)
Status: Verified
Package: Streams related
PHP Version: 7.1.3
OS: linux
Private report: No
CVE-ID: None
 [2017-03-17 20:27 UTC] lindsay at notion dot ai
Description:
------------
The scenario to recreate the segfault:

- use stream_filter_append to convert data on fwrite
- try to write data which fails the convert process
- blindly catch and ignore the failed fwrites
- segfault happens on fclose

Tested on 7.1.3, 7.0.13 and 5.6.28

Test script:
---------------
<?php
// Reproducer: a write filter that decodes quoted-printable, fed data the
// decoder rejects, then closed. The crash happens in fclose().
$fh = fopen('/tmp/segfault.txt', 'w');
stream_filter_append($fh, 'convert.quoted-printable-decode', STREAM_FILTER_WRITE, array('line-break-chars' => "\r\n"));

$lines = [
    "\r\n",
    " -=()\r\n",   // '=' followed by '(' is not a valid quoted-printable escape
    " -=\r\n",     // "=\r\n" is a soft line break
    "\r\n",
];

foreach ($lines as $line) {
    try {
        fwrite($fh, $line);   // the filter reports bad input as a warning, not an exception
    } catch (\Exception $e) {
        // ignored on purpose, as in the reported scenario
    }
}

fclose($fh);   // flushes the filter with no input; this is where the segfault occurs



History

 [2017-03-17 20:50 UTC] requinix@php.net
-Status: Open +Status: Verified
 [2017-03-17 20:50 UTC] requinix@php.net
Filter gives 3 "invalid byte sequence" warnings during the fwrites.

With PHP 7.1.2:

(gdb) bt
#0  0x00000000007c1d56 in php_conv_qprint_decode_convert (inst=0x7fccb3658480, in_pp=0x0, in_left_p=0x0, out_pp=0x7ffff9fbeea8, out_left_p=0x7ffff9fbeeb8)
    at /root/php/php-src/ext/standard/filters.c:1028
#1  0x00000000007c3227 in strfilter_convert_append_bucket (inst=0x7fccb3675000, stream=0x7fccb365fa00, filter=0x7fccb3676000, buckets_out=0x7ffff9fbf000, ps=0x0, buf_len=0,
    consumed=0x7ffff9fbef68, persistent=0) at /root/php/php-src/ext/standard/filters.c:1577
#2  0x00000000007c3752 in strfilter_convert_filter (stream=0x7fccb365fa00, thisfilter=0x7fccb3676000, buckets_in=0x7ffff9fbeff0, buckets_out=0x7ffff9fbf000,
    bytes_consumed=0x7ffff9fbefc0, flags=2) at /root/php/php-src/ext/standard/filters.c:1693
#3  0x0000000000803ec2 in _php_stream_write_filtered (stream=0x7fccb365fa00, buf=0x0, count=0, flags=2) at /root/php/php-src/main/streams/streams.c:1159
#4  0x0000000000803fcd in _php_stream_flush (stream=0x7fccb365fa00, closing=1) at /root/php/php-src/main/streams/streams.c:1208
#5  0x00000000008024aa in _php_stream_free (stream=0x7fccb365fa00, close_options=67) at /root/php/php-src/main/streams/streams.c:440
#6  0x000000000075a014 in zif_fclose (execute_data=0x7fccb3614130, return_value=0x7ffff9fbf150) at /root/php/php-src/ext/standard/file.c:898
#7  ...

(gdb) frame 0
#0  0x00000000007c1d56 in php_conv_qprint_decode_convert (inst=0x7fccb3658480, in_pp=0x0, in_left_p=0x0, out_pp=0x7ffff9fbeea8, out_left_p=0x7ffff9fbeeb8)
    at /root/php/php-src/ext/standard/filters.c:1028
1028            ps = (unsigned char *)(*in_pp);

(gdb) p *inst
$3 = {_super = {convert_op = 0x7c1ce6 <php_conv_qprint_decode_convert>, dtor = 0x7c1c56 <php_conv_qprint_decode_dtor>}, lbchars = 0x7fccb3672050 "\r\n", lbchars_len = 2, scan_stat = 5,
  next_char = 0, lbchars_dup = 1, persistent = 0, lb_ptr = 0, lb_cnt = 1}
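The backtrace above shows the convert callback being invoked from the close-time flush with `in_pp=0x0` and `in_left_p=0x0`, and frame #0 stopping on the dereference of `*in_pp`. The following C model of that callback contract is an added illustration, not code from php-src: the decoder, the `conv_err_t` names and the `qp_run`/`qp_scenario_ok` helpers are simplified constructs, and the NULL-input guard is the kind of check the trace points to rather than the project's actual patch. It replays the reporter's scenario (one rejected fwrite, then a flush) against the guarded decoder.

```c
#include <string.h>
typedef enum { CONV_OK = 0, CONV_ERR_INVALID_SEQ, CONV_ERR_TOO_BIG } conv_err_t; /* modelled on php_conv_err_t; names illustrative */
/* Cut-down analogue of php_conv_qprint_decode: scan_stat persists across calls, so a rejected fwrite leaves state for fclose's flush. */
typedef struct { int scan_stat; unsigned char pending; } qp_decoder;
static int hexval(unsigned char c) {
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'A' && c <= 'F') ? c - 'A' + 10
         : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Same calling shape as the convert_op in the backtrace; on flush the stream layer passes in_pp == NULL and in_left_p == NULL (frame #0). */
conv_err_t qp_decode_convert(qp_decoder *inst, const char **in_pp, size_t *in_left_p,
                             char **out_pp, size_t *out_left_p)
{
    /* The guard the crashing build lacks: without it the next statement is the null
     * read at filters.c:1028 ("ps = (unsigned char *)(*in_pp);"). A flush has no input. */
    if (in_pp == NULL || in_left_p == NULL) { inst->scan_stat = 0; return CONV_OK; }
    const unsigned char *ps = (const unsigned char *)*in_pp;
    unsigned char *pd = (unsigned char *)*out_pp;
    size_t icnt = *in_left_p, ocnt = *out_left_p; conv_err_t err = CONV_OK;
    while (icnt > 0 && err == CONV_OK) {
        unsigned char c = *ps; int h = hexval(c);
        if (ocnt == 0) { err = CONV_ERR_TOO_BIG; break; }      /* no output room: stop here */
        switch (inst->scan_stat) {
        case 0: if (c == '=') inst->scan_stat = 1; else { *pd++ = c; ocnt--; } break;
        case 1: if (h >= 0) { inst->pending = (unsigned char)h; inst->scan_stat = 2; }
                else if (c == '\r') inst->scan_stat = 3;          /* "=\r\n" soft break */
                else { inst->scan_stat = 0; err = CONV_ERR_INVALID_SEQ; } break;
        case 2: if (h < 0) { inst->scan_stat = 0; err = CONV_ERR_INVALID_SEQ; }
                else { *pd++ = (unsigned char)(inst->pending << 4 | h); ocnt--; inst->scan_stat = 0; } break;
        default: inst->scan_stat = 0; if (c != '\n') err = CONV_ERR_INVALID_SEQ; break;
        }
        if (err == CONV_OK) { ps++; icnt--; }   /* a rejected byte stays in the input */
    }
    *in_pp = (const char *)ps; *in_left_p = icnt; *out_pp = (char *)pd; *out_left_p = ocnt;
    return err;
}
/* One fwrite-sized call, or a flush when in == NULL; returns the bytes produced. */
size_t qp_run(qp_decoder *inst, const char *in, char *out, size_t cap, conv_err_t *err) {
    const char *ip = in; size_t il = in ? strlen(in) : 0; char *op = out; size_t ol = cap;
    *err = qp_decode_convert(inst, in ? &ip : NULL, in ? &il : NULL, &op, &ol);
    return (size_t)(op - out);
}
/* Replays the report: valid data, one rejected sequence, then the flush that fclose issues. */
int qp_scenario_ok(void) {
    qp_decoder d = {0, 0}; char buf[32]; conv_err_t e;
    if (qp_run(&d, "a=41=\r\nb", buf, sizeof buf, &e) != 3 || memcmp(buf, "aAb", 3)) return 0;
    qp_run(&d, " -=()\r\n", buf, sizeof buf, &e);     /* the report's second line */
    if (e != CONV_ERR_INVALID_SEQ) return 0;
    return qp_run(&d, NULL, buf, sizeof buf, &e) == 0 && e == CONV_OK;  /* fclose's flush */
}
```

Removing the guard line reproduces the null read the trace shows; with it, the flush after a rejected write returns success and produces no output.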
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC