Bug #81294 Segfault when removing a filter
Submitted: 2021-07-25 19:13 UTC Modified: 2021-07-26 11:59 UTC
From: ivo dot andonov at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Streams related
PHP Version: 7.4 OS: Linux / Windows
Private report: No CVE-ID: None
 [2021-07-25 19:13 UTC] ivo dot andonov at gmail dot com
Description:
------------
This one seems to be sourced back since quite some time (at least from 5.6.30 till 8.0.8). Right now I do not have the time for posting too many details but it should be pretty clear to understand by looking at streams/filter.c, function _php_stream_filter_flush, then the loop with current = filter and then referencing filter->fops->filter() instead of current->fops->filter().



Test script:
---------------
class some_user_filter {
...
}
stream_filter_register("some.filter", "some_user_filter");
$f = fopen("test", "wb");
$flt1 = stream_filter_append($f, "zlib.deflate", STREAM_FILTER_WRITE);
$flt2 = stream_filter_append($f, "some.filter", STREAM_FILTER_WRITE);
fwrite($f, "test");
stream_filter_remove($flt1); // this line will fail and at the end of the script a segfault / or MS Don't send / access violation
fwrite($f, "test");



 [2021-07-25 20:21 UTC] requinix@php.net
-Status: Open +Status: Verified
 [2021-07-25 20:21 UTC] requinix@php.net
https://github.com/php/php-src/blob/PHP-8.0.8/main/streams/filter.c#L419

Given that the definition of fops->filter is

php_stream_filter_status_t (*filter)(
  php_stream *stream,
  php_stream_filter *thisfilter,
  php_stream_bucket_brigade *buckets_in,
  php_stream_bucket_brigade *buckets_out,
  size_t *bytes_consumed,
  int flags
 );

it does seem odd to call with "thisfilter" as something different.
 [2021-07-26 11:58 UTC] cmb@php.net
-PHP Version: 8.0.8 +PHP Version: 7.4 -Assigned To: +Assigned To: cmb
 [2021-07-26 11:59 UTC] cmb@php.net
-Package: Filter related +Package: Streams related
 [2021-07-26 11:59 UTC] cmb@php.net
Changing to "Streams related", since "Filter related" is often
misused for ext/filter.
 [2021-07-26 12:13 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #81294: Segfault when removing a filter
On GitHub:  https://github.com/php/php-src/pull/7308
Patch:      https://github.com/php/php-src/pull/7308.patch
 [2021-07-27 10:17 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/1fa26eccbaec3dc6ce645db144f08f46b63c1d59
Log: Fix #81294: Segfault when removing a filter
 [2021-07-27 10:17 UTC] git@php.net
-Status: Verified +Status: Closed
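
The dispatch pattern discussed in this report, as an added example that is not part of the original thread and is not php-src code: a simplified C model of a flush loop that takes the handler from the starting filter versus from `current`. All type and function names are hypothetical, and a `kind` tag stands in for the real private state so the mismatch is counted instead of crashing.

```c
#include <stdio.h>

/* Simplified model of a filter chain; all names here are hypothetical. */
enum kind { KIND_DEFLATE, KIND_USER };
typedef struct filter filter_t;
struct filter {
    enum kind kind;                   /* what this node's private state is */
    int (*fn)(filter_t *thisfilter);  /* stands in for fops->filter */
    filter_t *next;
};

static int mismatches; /* calls where a handler got another filter's node */

/* A handler may only interpret state of its own kind. In real code a
 * mismatch means treating foreign private data as its own (memory error). */
static int check(filter_t *f, enum kind expected) {
    if (f->kind != expected) { mismatches++; return -1; }
    return 0;
}
static int deflate_fn(filter_t *f) { return check(f, KIND_DEFLATE); }
static int user_fn(filter_t *f)    { return check(f, KIND_USER); }

/* Reported pattern: handler always taken from the starting filter. */
static int flush_buggy(filter_t *filter) {
    mismatches = 0;
    for (filter_t *current = filter; current; current = current->next)
        filter->fn(current);
    return mismatches;
}

/* Corrected pattern: handler and thisfilter both come from current. */
static int flush_fixed(filter_t *filter) {
    mismatches = 0;
    for (filter_t *current = filter; current; current = current->next)
        current->fn(current);
    return mismatches;
}

/* Chain is deflate -> user (mixed) or deflate -> deflate (uniform). */
int demo(int fixed, int mixed) {
    filter_t second = { mixed ? KIND_USER : KIND_DEFLATE,
                        mixed ? user_fn : deflate_fn, NULL };
    filter_t first  = { KIND_DEFLATE, deflate_fn, &second };
    return fixed ? flush_fixed(&first) : flush_buggy(&first);
}

int main(void) {
    printf("buggy: mixed=%d uniform=%d\n", demo(0, 1), demo(0, 0));
    return 0;
}
```

The uniform chain reports no mismatch under either loop, which is why this kind of dispatch error can stay latent until a chain mixes filter types, as the test script does with zlib.deflate followed by a user filter.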
 
Last updated: Thu Sep 23 18:03:37 2021 UTC