Bug #7827 PHP want to close an already closed file descriptor
Submitted: 2000-11-15 04:13 UTC Modified: 2002-06-16 08:23 UTC
From: dav at nnx dot com Assigned:
Status: Not a bug Package: Reproducible Crash
PHP Version: 3.0.17 OS: Linux RedHat
Private report: No CVE-ID: None
 [2000-11-15 04:13 UTC] dav at nnx dot com
 
        PHP3 Bug report / PDFLib-0.6 segmentation fault.
        nnx tracking id #1280 <noc@nnx.com>
--
 
        The PHP code for pdf contains a bug that crashes Apache with a segmentation
fault message. The problem exists on Linux, with PHP 3.0.16, 3.0.17 and
3.0.18 (maybe with earlier versions), and pdflib 0.6.
 
        When using the JPEG functions with pdflib, all httpd processes end script
execution with an Apache segfault error, and the Apache error log reports:
 
[Wed Nov  8 14:29:31 2000] [notice] child pid 6346 exit signal Segmentation fault (11)
 
 
        Now, we retry the script with the php interpreter (ELF binary):
 
% php-3.0.18 -q /works/lab/php/pdf/script.php3
Content-Disposition: inline;filename=test.pdf
%PDF-1.1
.../...
trailer
<</Size 17
/Info 1 0 R
/Root 3 0 R
>>
startxref
1449
%%EOF
Segmentation fault (core dumped)
 
 
        So, we retry with gdb:
 
% gdb php-3.0.18
.../...
(gdb) set args -q /www/web-lab/shop.nnx.com/bo/test.phtml
.../...
(gdb) run
.../...
Program received signal SIGSEGV, Segmentation fault.
0x40235fc8 in main_arena () from /lib/libc.so.6
(gdb) backtrace
#0  0x40235fc8 in main_arena () from /lib/libc.so.6
#1  0x4019bfad in _IO_old_fclose (fp=0x40235f88) at oldiofclose.c:52
#2  0x401993c4 in _IO_new_fclose (fp=0x40235f88) at iofclose.c:44
#3  0x813a837 in PDF_close_JPEG (p=0x0, image=0x839dda8) at p_jpeg.c:376
#4  0x8139964 in PDF_close_image (p=0x0, image=0x839dda8) at p_image.c:304
#5  0x80acf78 in _free_pdf_image ()
 
--- p_jpeg.c ---
372
373 void
374 PDF_close_JPEG(PDF *p, PDF_image *image)
375 {
376     fclose(image->fp);
377     PDF_free(image);
378 }
 
 
--- p_image.c ---
300
301 void
302 PDF_close_image(PDF *p, PDF_image *image)
303 {
304     image->closefunc(p, image);
305 }
 
        So, we can see PHP calls PDF_close_image with a PDF_image pointer,
but _IO_new_fclose (libc function) tries to close a file with a bad pointer,
provoking a segmentation fault.
 
        PDF_image is a structure, with an fp pointer used to store the PDF file
descriptor. We now restart gdb, and set a breakpoint:
 
(gdb) b PDF_close_JPEG
Breakpoint 1 at 0x813a82c: file p_jpeg.c, line 376.
(gdb) run
Breakpoint 1, PDF_close_JPEG (p=0x0, image=0x839dda8) at p_jpeg.c:376
376         fclose(image->fp);
(gdb) backtrace
#0  PDF_close_JPEG (p=0x0, image=0x839dda8) at p_jpeg.c:376
#1  0x8139964 in PDF_close_image (p=0x0, image=0x839dda8) at p_image.c:304
#2  0x80ace28 in php3_pdf_close_image ()
#3  0x805de0b in main ()
(gdb) p image->fp
$1 = (FILE *) 0x839e130
 
        At this point, the value of the PDF file descriptor is 0x839e130 (image->fp). We continue program execution:
 
(gdb) cont
Breakpoint 1, PDF_close_JPEG (p=0x0, image=0x839dda8) at p_jpeg.c:376
376         fclose(image->fp);
(gdb) backtrace
#0  PDF_close_JPEG (p=0x0, image=0x839dda8) at p_jpeg.c:376
#1  0x8139964 in PDF_close_image (p=0x0, image=0x839dda8) at p_image.c:304
#2  0x80acf78 in _free_pdf_image ()
(gdb) p image->fp
$2 = (FILE *) 0x40235f88
 
        At this point, the PDF file descriptor IS INVALID, and the pointer is
a random value. Libc cannot use this value as a valid file descriptor,
and crashes the process with a SIGSEGV signal:
 
(gdb) c
Continuing.
 
Program received signal SIGSEGV, Segmentation fault.
0x40235fc8 in main_arena () from /lib/libc.so.6
(gdb) backtrace
#0  0x40235fc8 in main_arena () from /lib/libc.so.6
#1  0x4019bfad in _IO_old_fclose (fp=0x40235f88) at oldiofclose.c:52
#2  0x401993c4 in _IO_new_fclose (fp=0x40235f88) at iofclose.c:44
#3  0x813a837 in PDF_close_JPEG (p=0x0, image=0x839dda8) at p_jpeg.c:376
#4  0x8139964 in PDF_close_image (p=0x0, image=0x839dda8) at p_image.c:304
#5  0x80acf78 in _free_pdf_image ()
 
 
        We try to track libc calls during execution, and trace calls to the fopen
and fclose functions:
 
fopen("./php3.ini", "r")                              = 0
fopen("/php3.ini", "r")                               = 0
fopen("/etc/httpd/php3.ini", "r")                     = 0x0827ee48
fclose(0x0827ee48)                                    = 0
fopen("/etc/httpd/browscap.ini", "r")                 = 0x082932c8
fclose(0x082932c8)                                    = 0
fopen("/www/web-lab/shop.nnx.com/bo/test.phtml", "r") = 0x08379b58
fopen("/www/web-lab/shop.nnx.com/bo/include...", "r") = 0x0837f458
fclose(0x0837f458)                                    = 0
fopen("/www/web-lab/shop.nnx.com/bo/nnx_pdf.php", "r")= 0x0837f6d0
fclose(0x0837f6d0)                                    = 0
fopen("foo.pdf", "w")                                 = 0x08386f58
fopen("foo.jpg", "rb")                                = 0x08387988
fclose(0x08387988)                                    = 0
fopen("test.jpg", "r")                                = 0x0839e200
fclose(0x0839e200)                                    = 0
fclose(0x08386f58)                                    = 0
fopen("test.pdf", "r")                                = 0x08386f58
fclose(0x08386f58)                                    = 0
fclose(0x40235f88 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
 
        And we see two calls to fclose, the first with a valid file descriptor
(0x08386f58 = fopen("test.pdf", "r")), the second with a random (wrong)
value as file descriptor (0x40235f88).
 
 
        Patch for PHP-3.0.18
 
--- cut here ---
--- functions/pdf.c.3.0.18      Thu Nov  9 21:31:13 2000
+++ functions/pdf.c     Thu Nov  9 21:45:32 2000
@@ -180,7 +180,7 @@
            close functions. It later versions it is the PDF doc.
           FIX ME: This probably causes in segm fault in pdflib 2.0
         */
-       PDF_close_image(NULL, image);
+//     PDF_close_image(NULL, image);
 #endif
 }
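Review bot: Commenting out PDF_close_image(NULL, image) does stop the second fclose() on an already-closed handle, but on this path it also removes the only call into PDF_close_JPEG, which (per the p_jpeg.c excerpt above, lines 376-377) is where PDF_free(image) happens, so any image the script never closed with pdf_close_image itself now leaks both its FILE handle and its struct at request shutdown. A safer change is to make the close idempotent (set image->fp = NULL after fclose() and skip the close when it is already NULL, or record that php3_pdf_close_image already ran) so the destructor can still free unclosed images. Also, `//` is a C++/C99 comment in a file that otherwise follows C89 conventions; wrap the line in `#if 0 ... #endif` or delete it instead.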
--- cut here ---
 
 
        With this patch, the result when restarting the script is as follows:
 
--- cut ---
% ltrace -e fopen,fclose /tmp/php-3.0.18 -q /www/web-lab/shop.nnx.com/bo/test.phtml 1>/dev/null
fopen("./php3.ini", "r")                          = 0
fopen("/php3.ini", "r")                           = 0
fopen("/etc/httpd/php3.ini", "r")                 = 0x0827ee48
fclose(0x0827ee48)                                = 0
fopen("/etc/httpd/browscap.ini", "r")             = 0x082932c8
fclose(0x082932c8)                                = 0
fopen("/www/web-lab/shop.nnx.com/bo/tes"..., "r") = 0x08379b58
fopen("/www/web-lab/shop.nnx.com/bo/inc"..., "r") = 0x0837f458
fclose(0x0837f458)                                = 0
fopen("/www/web-lab/shop.nnx.com/bo/nnx"..., "r") = 0x0837f6d0
fclose(0x0837f6d0)                                = 0
fopen("../catalogue_papier/test.pdf", "w")        = 0x08386f58
fopen("../photos/test.jpg", "rb")                 = 0x08387988
fclose(0x08387988)                                = 0
fopen("../photos/test.jpg", "r")                  = 0x0839e200
fclose(0x0839e200)                                = 0
fclose(0x08386f58)                                = 0
fopen("../catalogue_papier/test.pdf", "r")        = 0x08386f58
fclose(0x08386f58)                                = 0
fclose(0x08379b58)                                = 0
+++ exited (status 0) +++
--- cut ---
 
        And all is working fine, with JPG files or GIF files.
 
 
        dav.
--
David TILLOY - Project Manager - <d.tilloy@nnx.com>
Neuronnexion (nnx) - 19/21, rue des Augustins - F-80000 Amiens
Voice (+33 3).22.71.61.90 - Fax (+33 3).22.71.61.99
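The double close the report traces above (php3_pdf_close_image and then _free_pdf_image both reaching the unconditional fclose at p_jpeg.c:376) is shown here as an added, self-contained C example that is not part of the report or of pdflib: image_t, image_open, image_close_fp, script_close_image, destructor_free_image and run_scenario are hypothetical names, and tmpfile() stands in for the JPEG file. It demonstrates the idempotent-close pattern a fix should use instead of commenting out the second call: the handle is closed at most once and only the resource destructor frees the struct.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for pdflib's PDF_image, reduced to the fields used here. */
typedef struct image {
    FILE *fp;           /* handle owned by the image; NULL once closed */
    int   fclose_count; /* real fclose() calls made on this image */
} image_t;

/* tmpfile() stands in for the report's fopen("test.jpg", "rb"). */
static image_t *image_open(void)
{
    image_t *im = calloc(1, sizeof *im);
    if (im == NULL) return NULL;
    im->fp = tmpfile();
    if (im->fp == NULL) { free(im); return NULL; }
    return im;
}
/* Idempotent replacement for the unconditional fclose(image->fp) at
 * p_jpeg.c:376: the handle is closed at most once, then marked gone. */
static void image_close_fp(image_t *im)
{
    if (im->fp != NULL) {
        fclose(im->fp);
        im->fp = NULL;
        im->fclose_count++;
    }
}
/* Script call site (php3_pdf_close_image): releases the file only; the
 * resource list still owns the struct, so it is not freed here. */
static void script_close_image(image_t *im) { image_close_fp(im); }

/* Shutdown destructor (_free_pdf_image): the single owner that frees the
 * struct. Returns how many real fclose() calls this image received. */
static int destructor_free_image(image_t *im)
{
    image_close_fp(im);
    int n = im->fclose_count;
    free(im);
    return n;
}
/* Both call sites in trace order; the total must be 1 either way. */
int run_scenario(int script_closes_first)
{
    image_t *im = image_open();
    if (im == NULL) return -1;
    if (script_closes_first) script_close_image(im);
    return destructor_free_image(im);
}
```

run_scenario(1) models a script that calls pdf_close_image before shutdown, run_scenario(0) one that does not; both end with exactly one fclose() and one free().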

 [2002-06-16 08:23 UTC] sander@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately, PHP 3 is no longer supported. Please download
the latest version of PHP 4 from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.
 