Bug #75391 Crash / segmentation fault after fetching 4 files
Submitted: 2017-10-16 20:54 UTC
Modified: 2017-10-17 18:53 UTC
From: cweiske@php.net
Assigned: cweiske
Status: Closed
Package: Built-in web server
PHP Version: 7.1.10
OS: Ubuntu 14.04
Private report: No
CVE-ID: None

 [2017-10-16 20:54 UTC] cweiske@php.net
Description:
------------
I reproducibly get a segmentation fault after fetching 4 URLs from the built-in webserver.

This is with PHP 7.1.10-1+ubuntu14.04.1+deb.sury.org+1 (cli) (built: Sep 29 2017 17:33:22) ( NTS )

Test script:
---------------
The files and the script to fetch them are here: https://github.com/cweiske/php-crash

Fetch files:
$ curl localhost:8002/randomizer.php
$ curl localhost:8002/links.html
$ curl -L localhost:8002/redirector.php
$ curl localhost:8002/links.html

- links.html is an empty file
- randomizer contains: <?php echo rand() ?>
- redirector.php contains: <?php header('location: links.html'); ?>

Expected result:
----------------
No crash.

Actual result:
--------------
[Mon Oct 16 22:50:14 2017] ::1:52228 [200]: /randomizer.php
[Mon Oct 16 22:50:14 2017] ::1:52229 [200]: /links.html
[Mon Oct 16 22:50:14 2017] ::1:52230 [302]: /redirector.php
[Mon Oct 16 22:50:14 2017] ::1:52231 [200]: /links.html

Program received signal SIGSEGV, Segmentation fault.
0x00005555557ca80b in zend_hash_str_find_bucket (h=10942615419019873312, len=13, str=0x55555585ce29 "Europe/Berlin", ht=0x7ffff5c041f8)
    at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c:504
504	/build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c: Datei oder Verzeichnis nicht gefunden.

(gdb) bt full
#0  0x00005555557ca80b in zend_hash_str_find_bucket (h=10942615419019873312, len=13, str=0x55555585ce29 "Europe/Berlin", ht=0x7ffff5c041f8)
    at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c:504
        nIndex = 1147437055
        idx = <optimized out>
        p = <optimized out>
        arData = 0x7ffff5c0e520
#1  zend_hash_str_find (ht=ht@entry=0x7ffff5c041f8, str=str@entry=0x55555585ce29 "Europe/Berlin", len=13) at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.c:1970
No locals.
#2  0x0000555555642c67 in zend_hash_str_find_ptr (len=<optimized out>, str=0x55555585ce29 "Europe/Berlin", ht=0x7ffff5c041f8)
    at /build/php7.1-qveBs0/php7.1-7.1.10/Zend/zend_hash.h:748
        zv = <optimized out>
#3  php_date_parse_tzfile (formal_tzname=0x55555585ce29 "Europe/Berlin", tzdb=0x555555e80150) at /build/php7.1-qveBs0/php7.1-7.1.10/ext/date/php_date.c:944
No locals.
#4  0x0000555555644bf4 in get_timezone_info () at /build/php7.1-qveBs0/php7.1-7.1.10/ext/date/php_date.c:1040
        tzi = <optimized out>
#5  0x0000555555646c1d in php_format_date (format=format@entry=0x5555558b2d27 "r", format_len=format_len@entry=1, ts=1508187014, localtime=localtime@entry=1)
    at /build/php7.1-qveBs0/php7.1-7.1.10/ext/date/php_date.c:1293
        t = 0x7ffff5c01100
        tzi = <optimized out>
        string = <optimized out>
#6  0x000055555585552b in append_essential_headers (buffer=buffer@entry=0x7fffffffcf60, client=client@entry=0x555555e016e0, persistent=persistent@entry=1)
    at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:357
        dt = <optimized out>
        tv = {tv_sec = 1508187014, tv_usec = 128072}
#7  0x000055555585813f in php_cli_server_begin_send_static (client=0x555555e016e0, server=0x555555bab840 <server>)
    at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2070
        chunk = 0x44647fff
        buffer = {s = 0x555555e83af0, a = 231}
        mime_type = 0x555555893b27 "text/html"
        fd = <optimized out>
        status = 200
#8  php_cli_server_dispatch (client=0x555555e016e0, server=0x555555bab840 <server>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2211
        is_static_file = <optimized out>
#9  php_cli_server_recv_event_read_request (server=0x555555bab840 <server>, client=0x555555e016e0) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2400
        errstr = 0x0
        status = <optimized out>
#10 0x0000555555858829 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0x7fffffffd0a0, fd=fd@entry=6, event=event@entry=1)
    at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2485
        params = 0x7fffffffd0a0
        server = 0x555555bab840 <server>
#11 0x00005555558597f7 in php_cli_server_poller_iter_on_active (poller=0x555555bab848 <server+8>, callback=0x555555858750 <php_cli_server_do_event_for_each_fd_callback>, 
    opaque=0x7fffffffd0a0) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:844
        fd = 6
        max_fd = 6
#12 php_cli_server_do_event_for_each_fd (whandler=0x5555558567a0 <php_cli_server_send_event>, rhandler=0x555555857e40 <php_cli_server_recv_event_read_request>, 
    server=0x555555bab840 <server>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2503
        params = {server = 0x555555bab840 <server>, rhandler = 0x555555857e40 <php_cli_server_recv_event_read_request>, whandler = 0x5555558567a0 <php_cli_server_send_event>}
#13 php_cli_server_do_event_loop (server=0x555555bab840 <server>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2513
        tv = {tv_sec = 0, tv_usec = 999978}
#14 do_cli_server (argc=<optimized out>, argv=<optimized out>) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli_server.c:2615
        php_optarg = 0x555555bb5050 "/home/cweiske/Dev/php.net/php-webserver-crash"
        php_optind = 5
        c = <optimized out>
        server_bind_address = <optimized out>
        document_root = <optimized out>
        router = 0x0
        document_root_buf = "/home/cweiske/Dev/php.net/php-webserver-crash", '\000' <repeats 667 times>...
#15 0x000055555563df64 in main (argc=5, argv=0x555555bb4f90) at /build/php7.1-qveBs0/php7.1-7.1.10/sapi/cli/php_cli.c:1384
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -8053096010305461771, 140737488347700, 0, 0, 93824998793504, -8053096010293927435, -4221857602584403467}, __mask_was_saved = 0, 
            __saved_mask = {__val = {140737322714016, 140737324882848, 140737354125408, 140737354127720, 140737333497888, 0, 140737488348248, 140737354129864, 0, 5, 
                140737351948023, 1, 0, 140737354129864, 140737324951216, 1}}}}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x555555bb5050 "/home/cweiske/Dev/php.net/php-webserver-crash"
        php_optind = 5
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x0
        ini_entries_len = 0
        ini_ignore = 0
        sapi_module = <optimized out>


 [2017-10-17 04:10 UTC] laruence@php.net
I cannot reproduce this; you may try with the latest src in the GitHub repo,

and you could also try to run with valgrind...
 [2017-10-17 18:53 UTC] cweiske@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cweiske
 [2017-10-17 18:53 UTC] cweiske@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 