Edit report at http://bugs.php.net/bug.php?id=52944&edit=1

 ID:                 52944
 Updated by:         cataphr...@php.net
 Reported by:        svimik at mail dot ru
 Summary:            fclose: quiet script interruption
-Status:             Verified
+Status:             Analyzed
 Type:               Bug
 Package:            *Network Functions
 Operating System:   Debian-50-lenny-64
 PHP Version:        5.3.3
 Block user comment: N

 New Comment:

Fixed in the attached patch, which also includes a test.


Previous Comments:
------------------------------------------------------------------------
[2010-09-29 03:54:39] cataphr...@php.net

The following patch has been added/updated:

Patch Name: zlib_filter_segfault_fix
Revision:   1285725279
URL:        http://bugs.php.net/patch-display.php?bug=52944&patch=zlib_filter_segfault_fix&revision=1285725279

------------------------------------------------------------------------
[2010-09-28 22:10:55] cataphr...@php.net

Valgrind log for trunk:

http://nebm.ist.utl.pt/~glopes/valgrind-52944.log

------------------------------------------------------------------------
[2010-09-28 21:58:55] cataphr...@php.net

I can confirm some sort of bug in both PHP 5.3.3 and trunk on Debian
Lenny x64.

On trunk:

[Tue Sep 28 20:54:06 2010]  Script:  '-'
---------------------------------------
/tmp/trunk/ext/zlib/zlib_filter.c(165) : Block 0x7fba5a6120c0 status:
Beginning:      OK (allocated on /tmp/trunk/ext/zlib/zlib_filter.c:311, 2048 bytes)
    Start:      OK
      End:      Overflown (magic=0x00000018 instead of 0x5289A744)
                At least 4 bytes overflown
---------------------------------------
done
[Tue Sep 28 20:54:06 2010]  Script:  '-'
/tmp/trunk/ext/zlib/zlib_filter.c(311) :  Freeing 0x7FBA5A6120C0 (2048 bytes), script=-
=== Total 1 memory leaks detected ===



On PHP 5.3.3 (sorry, not a debug build), there's a segfault:

#0  zend_mm_remove_from_free_list (heap=0x11fc290, mm_block=0x1407380)
    at /opt/php-5.3.3/Zend/zend_alloc.c:841
#1  0x000000000069613e in _zend_mm_free_int (heap=0x11fc290, p=0x1406b80)
    at /opt/php-5.3.3/Zend/zend_alloc.c:2019
#2  0x00007f029fa548c9 in php_zlib_inflate_dtor (thisfilter=<value optimized out>)
    at /opt/php-5.3.3/ext/zlib/zlib_filter.c:161
#3  0x0000000000678ae2 in php_stream_filter_free (filter=0x1409950)
    at /opt/php-5.3.3/main/streams/filter.c:312
#4  0x0000000000678b8a in php_stream_filter_remove (filter=0x0, call_dtor=1)
    at /opt/php-5.3.3/main/streams/filter.c:531
#5  0x000000000067559a in _php_stream_free (stream=0x14096a0, close_options=11)
    at /opt/php-5.3.3/main/streams/streams.c:369
#6  0x00000000006757d1 in stream_resource_regular_dtor (rsrc=<value optimized out>)
    at /opt/php-5.3.3/main/streams/streams.c:1426
#7  0x00000000006c34a2 in list_entry_destructor (ptr=0x14097e0)
    at /opt/php-5.3.3/Zend/zend_list.c:184
#8  0x00000000006c2566 in zend_hash_del_key_or_index (ht=0xc6e7b0, arKey=0x0,
    nKeyLength=0, h=2, flag=<value optimized out>)
    at /opt/php-5.3.3/Zend/zend_hash.c:497
#9  0x00000000006c3719 in _zend_list_delete (id=<value optimized out>)
    at /opt/php-5.3.3/Zend/zend_list.c:58
#10 0x00000000005fbd88 in zif_fclose (ht=<value optimized out>,
    return_value=0x1409228, return_value_ptr=<value optimized out>,
    this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /opt/php-5.3.3/ext/standard/file.c:928
#11 0x0000000000704cce in zend_do_fcall_common_helper_SPEC (execute_data=0x7f029f9ce050)
    at /opt/php-5.3.3/Zend/zend_vm_execute.h:316
#12 0x00000000006e0589 in execute (op_array=0x14067c8)
    at /opt/php-5.3.3/Zend/zend_vm_execute.h:107
#13 0x00000000006b349b in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /opt/php-5.3.3/Zend/zend.c:1194
#14 0x000000000065e5e8 in php_execute_script (primary_file=0x7fff04d51350)
    at /opt/php-5.3.3/main/main.c:2260
#15 0x0000000000740717 in main (argc=1, argv=0x7fff04d515b8)
    at /opt/php-5.3.3/sapi/cli/php_cli.c:1192

------------------------------------------------------------------------
[2010-09-28 21:40:50] svimik at mail dot ru

Description:
------------
I don't know exactly whether it is a bug in the zlib filter or in
streams, but this combination can produce a script crash without any
error output.

Let's take some binary data like corrupted compressed data (not every
random data produces a crash, so try the file from my example). Use
stream_socket_pair with a zlib.inflate filter on the second socket, which
is used for reading in my case.

Use non-blocking streams.

Then make exactly the following sequence to produce the crash:

1. write the corrupted data to socket 0
2. call fread for socket 1 (returns nothing, as expected, because the
   string cannot be uncompressed)
3. call fclose for socket 0
4. try fread for socket 1 once again
5. call fclose for socket 1 - on this step the script dies.

Sorry, I can't make a backtrace on a production server, because it would
be necessary to recompile PHP. Waiting for someone to confirm the bug.

Test script:
---------------
<?php
error_reporting(E_ALL);

// Non-blocking socket pair; the read side gets the inflate filter.
$sockets = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM,
STREAM_IPPROTO_IP);
stream_set_blocking($sockets[0], 0);
stream_set_blocking($sockets[1], 0);
stream_filter_append($sockets[1], "zlib.inflate", STREAM_FILTER_READ);

// Corrupted compressed input from the reporter's sample file.
$in=file_get_contents("http://188.40.74.4/corrupted.gz");
$out="";

fwrite($sockets[0], $in);
$out.=fread($sockets[1], 1);
fclose($sockets[0]);
$out.=fread($sockets[1], 1);

echo "closing...";
fclose($sockets[1]);   // the script dies here
echo "done\r\n";
?>

Expected result:
----------------
Script should output "closing...done"

Actual result:
--------------
Script prints "closing..." but never "done"


------------------------------------------------------------------------
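A self-contained way to check a PHP build for this bug, added here as an example that is not part of the bug report or of PHP's own test suite: it runs the reporter's sequence in a child PHP process on constructed corrupted gzip data (the names $reproducer and $bad and the temp-file handling are my own) and judges the run by the child's exit status instead of by watching for "done".

```php
<?php
// Added example (not part of the bug report): runs the reporter's sequence in
// a child PHP process and checks how that process terminated, so a silent
// crash shows up as a non-zero exit status rather than just a missing "done".
// Input is constructed here instead of fetched from the report's URL.

// Constructed input: a valid gzip stream whose deflate body is then damaged.
$good = gzencode(str_repeat("The quick brown fox jumps over the lazy dog. ", 64));
$bad  = $good;
for ($i = 16; $i < strlen($bad); $i += 7) {   // leave the 10-byte gzip header intact
    $bad[$i] = chr(ord($bad[$i]) ^ 0xFF);
}

// The reporter's sequence, run by the child; the data arrives on its stdin.
$reproducer = <<<'PHP'
<?php
error_reporting(E_ALL);
$in = stream_get_contents(STDIN);
$s = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
stream_set_blocking($s[0], false);
stream_set_blocking($s[1], false);
stream_filter_append($s[1], "zlib.inflate", STREAM_FILTER_READ);
fwrite($s[0], $in);
$out = fread($s[1], 1);
fclose($s[0]);
$out .= fread($s[1], 1);
echo "closing...";
fclose($s[1]);
echo "done\n";
PHP;

$script = tempnam(sys_get_temp_dir(), 'bug52944');
file_put_contents($script, $reproducer);

$spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
$proc = proc_open(PHP_BINARY . ' ' . escapeshellarg($script), $spec, $pipes);
fwrite($pipes[0], $bad);
fclose($pipes[0]);
$stdout = stream_get_contents($pipes[1]);
$stderr = stream_get_contents($pipes[2]);
fclose($pipes[1]);
fclose($pipes[2]);
$status = proc_close($proc);
unlink($script);

// A healthy build prints "closing...done" and exits 0; an affected build dies
// between the two strings and the child is reported with a non-zero status.
$ok = ($status === 0 && strpos($stdout, 'done') !== false);
printf("exit status %d, stdout %s -> %s\n", $status, json_encode($stdout), $ok ? 'PASS' : 'FAIL');
if ($stderr !== '') { echo $stderr; }
```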


