From:             janisjaunsudrabins at yahoo dot com
Operating system: Linux
PHP version:      5.2.10
PHP Bug Type:     cURL related
Bug description:  ext/curl related segfault

Description:
------------
php segfaults, it appears that problem is caused by code in
ext/curl/streams.c:495

        if (slist) {
                curl_slist_free_all(slist);
        }

the list is freed too soon and it eventually results in a segfault in libc
strncasecmp down the road.

here is back trace:

#0  0xb7bf74fd in strncasecmp () from /lib/libc.so.6
(gdb) bt all
No symbol "all" in current context.
(gdb) bt full
#0  0xb7bf74fd in strncasecmp () from /lib/libc.so.6
No symbol table info available.
#1  0xb7ac03a4 in curl_strnequal (first=0x0, second=0xb7acb921
"User-Agent:", max=11) at strequal.c:64
No locals.
#2  0xb7aa7795 in checkheaders (data=<value optimized out>,
thisheader=0xb7acb921 "User-Agent:") at http.c:119
        head = (struct curl_slist *) 0x84ed130
        thislen = 11
#3  0xb7aa82f3 in Curl_http (conn=0x84ed330, done=0xbf872e68) at
http.c:1784
        data = (struct SessionHandle *) 0x84e4028
        buf = <value optimized out>
        result = <value optimized out>
        http = (struct HTTP *) 0x84eddb0
        ppath = 0x84ed660 "/"
        host = 0x84ed768 "www.example.com"
        te = <value optimized out>
        ptr = <value optimized out>
        request = 0xb7acb918 "GET"
        httpreq = HTTPREQ_GET
        addcookies = <value optimized out>
        included_body = 47244640256
#4  0xb7ab3dc1 in Curl_do (connp=0x84ed18c, done=0xbf872e68) at
url.c:4285
        result = <value optimized out>
        conn = (struct connectdata *) 0x84ed330
        data = (struct SessionHandle *) 0x84e4028
#5  0xb7ac30ec in multi_runsingle (multi=0x84ec570, easy=0x84ed180) at
multi.c:1076
        disconnect_conn = <value optimized out>
        connected = 191
        async = 135
        protocol_connect = false
        dophase_done = true
        done = false
        result = CURLM_OK
#6  0xb7ac43ff in curl_multi_perform (multi_handle=0x84ec570,
running_handles=0x84af9b4) at multi.c:1452
        result = <value optimized out>
        multi = (struct Curl_multi *) 0x0
        easy = (struct Curl_one_easy *) 0x84ed180
        returncode = CURLM_OK
        t = <value optimized out>
#7  0xb7ae3823 in php_curl_stream_read () from
/usr/lib/php/extensions/curl.so
No locals.
#8  0x081b6aa4 in php_stream_fill_read_buffer ()
No locals.
#9  0x081b6d31 in _php_stream_read ()
No locals.
#10 0x081b7552 in _php_stream_passthru ()
No locals.
#11 0x0813a5a5 in zif_fpassthru ()
No locals.
#12 0x0820ae1a in zend_do_fcall_common_helper_SPEC ()
No locals.
#13 0x08209d2f in execute ()
No locals.
#14 0x081e8070 in zend_execute_scripts ()
No locals.
#15 0x081a00c3 in php_execute_script ()
No locals.
#16 0x082728ce in main ()

while looking at the code i also noticed that stream_context_create does
contradict documentation regarding setting HTTP headers for PHP <= 5.2.10;

documentation states that headers should be passed as string but code
expects it to be hash so it just ignores the passed headers.

can somebody with more knowledge of the curl extension please check this
out?

Reproduce code:
---------------
<?php
$opts = array(
  'http'=>array(
    'method'=>"GET",
    'header'=>"Accept-language: en\r\n" .
              "Cookie: foo=bar\r\n"
  )
);

$context = stream_context_create($opts);

/* Sends an http request to www.example.com
   with additional headers shown above */
$fp = fopen('http://www.example.com', 'r', false, $context);
fpassthru($fp);
fclose($fp);
?>



-- 
Edit bug report at http://bugs.php.net/?id=49052&edit=1
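
Added example, not part of the original report and not PHP or libcurl code: a self-contained C model of the lifetime rule behind this crash, where a handle keeps only a pointer to a header list and walks it later, at request time. The names hdr, handle, stream, check_header, stream_open and stream_close are hypothetical stand-ins; the wrapper keeps ownership of the list until close instead of freeing it right after handing it over.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-ins: hdr ~ struct curl_slist, handle ~ the curl handle. */
struct hdr    { char *data; struct hdr *next; };
struct handle { const struct hdr *headers; };          /* borrowed, never copied */
struct stream { struct handle h; struct hdr *owned; }; /* wrapper owns the list */

static void hdr_free_all(struct hdr *l) {
    while (l) { struct hdr *n = l->next; free(l->data); free(l); l = n; }
}

static struct hdr *hdr_append(struct hdr *l, const char *s) {
    struct hdr *n = malloc(sizeof *n), *t = l;
    size_t len = strlen(s) + 1;
    if (!n || !(n->data = malloc(len))) { free(n); return NULL; }
    memcpy(n->data, s, len);
    n->next = NULL;
    if (!l) return n;
    while (t->next) t = t->next;
    t->next = n;
    return l;
}

/* Runs at request time, like checkheaders() in the backtrace above. */
static const char *check_header(const struct handle *h, const char *name) {
    size_t n = strlen(name);
    for (const struct hdr *p = h->headers; p; p = p->next)
        if (strncasecmp(p->data, name, n) == 0) return p->data;
    return NULL;
}

static int stream_open(struct stream *s, const char *const *hdrs, size_t count) {
    struct hdr *list = NULL;
    for (size_t i = 0; i < count; i++) {
        struct hdr *t = hdr_append(list, hdrs[i]);
        if (!t) { hdr_free_all(list); return -1; }
        list = t;
    }
    s->h.headers = list;  /* the handle only borrows the list */
    s->owned = list;      /* freeing `list` here instead leaves h.headers dangling */
    return 0;
}

static void stream_close(struct stream *s) {
    s->h.headers = NULL;  /* drop the borrowed pointer before freeing */
    hdr_free_all(s->owned);
    s->owned = NULL;
}
```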