ID:               26846
 Updated by:       [EMAIL PROTECTED]
 Reported By:      djones at xtreme-eda dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Reproducible crash
 Operating System: FreeBSD 4.8-RELEASE
 PHP Version:      4.3.4
 New Comment:

did you try the snapshot or not?



Previous Comments:
------------------------------------------------------------------------

[2004-01-12 16:08:50] djones at xtreme-eda dot com

I believe the problem to be at line 84 in sapi_apache2.c:

    copy_str = apr_pmemdup( r->pool, str, str_length+1);

This function appears to copy one more byte than required.
It is not clear to me why this is required, as the length
is passed explicitly (and we ought to be able to pass
null-terminated data, e.g. Word documents!)

The problem: if the source is mmap()ped and the file in
question is exactly a multiple of the page size, then the
extra byte refers to a page just beyond the mapping.  When
this final byte is accessed you get a segmentation fault.
I have verified that the segfault occurs in FreeBSD's
memcpy() at a point where the address is at the end of the
mapping and the remaining byte count is 1.

------------------------------------------------------------------------

[2004-01-08 20:38:04] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Cannot verify crash with latest CVS. 

------------------------------------------------------------------------

[2004-01-08 16:09:36] djones at xtreme-eda dot com

Backtrace and autopsy: 
 
Program received signal SIGSEGV, Segmentation fault.
0x282d0261 in memcpy () from /usr/lib/libc.so.4
(gdb) bt
#0  0x282d0261 in memcpy () from /usr/lib/libc.so.4
#1  0x41001 in ?? ()
#2  0x284705d0 in php_apache_sapi_ub_write (str=0x285f5000 "ÐÏ\021à¡±\032á", str_length=266240)
    at /usr/ports/lang/php4/work/php-4.3.4/sapi/apache2handler/sapi_apache2.c:84
#3  0x28438404 in php_ub_body_write_no_header (str=0x285f5000 "ÐÏ\021à¡±\032á", str_length=266240)
    at /usr/ports/lang/php4/work/php-4.3.4/main/output.c:689
#4  0x284384c3 in php_ub_body_write (str=0x285f5000 "ÐÏ\021à¡±\032á", str_length=266240)
    at /usr/ports/lang/php4/work/php-4.3.4/main/output.c:719
#5  0x284372b6 in php_body_write (str=0x285f5000 "ÐÏ\021à¡±\032á", str_length=266240)
    at /usr/ports/lang/php4/work/php-4.3.4/main/output.c:121
#6  0x28432ecc in _php_stream_passthru (stream=0x818a624, __php_stream_call_depth=0,
    __zend_filename=0x2847c180 "/usr/ports/lang/php4/work/php-4.3.4/ext/standard/file.c",
    __zend_lineno=1867, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/ports/lang/php4/work/php-4.3.4/main/streams.c:1088
#7  0x283d752f in zif_fpassthru (ht=1, return_value=0x81a2ca4, this_ptr=0x0, return_value_used=0)
    at /usr/ports/lang/php4/work/php-4.3.4/ext/standard/file.c:1867
#8  0x28469298 in execute (op_array=0x81a3d24)
    at /usr/ports/lang/php4/work/php-4.3.4/Zend/zend_execute.c:1618
#9  0x284550b2 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/ports/lang/php4/work/php-4.3.4/Zend/zend.c:884
#10 0x28428ce9 in php_execute_script (primary_file=0xbfbff648)
    at /usr/ports/lang/php4/work/php-4.3.4/main/main.c:1729
#11 0x2847119a in php_handler (r=0x8197050)
    at /usr/ports/lang/php4/work/php-4.3.4/sapi/apache2handler/sapi_apache2.c:537
#12 0x806379c in ap_run_handler ()
#13 0x8063cc9 in ap_invoke_handler ()
#14 0x8060fca in ap_process_request ()
#15 0x805cd66 in ap_process_http_connection ()
#16 0x806bc78 in ap_run_process_connection ()
#17 0x806bf0c in ap_process_connection ()
#18 0x8062443 in child_main ()
#19 0x8062500 in make_child ()
#20 0x80625f2 in startup_children ()
#21 0x8062927 in ap_mpm_run ()
#22 0x8067e36 in main ()
#23 0x805c99e in _start ()
(gdb) f 6
#6  0x28432ecc in _php_stream_passthru (stream=0x80d9924, __php_stream_call_depth=0,
    __zend_filename=0x2847c180 "/usr/ports/lang/php4/work/php-4.3.4/ext/standard/file.c",
    __zend_lineno=1867, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/ports/lang/php4/work/php-4.3.4/main/streams.c:1088
1088                                    PHPWRITE(p, len);
(gdb) p p
$1 = (void *) 0x285cd000
(gdb) p len
$2 = 266240
(gdb) p fd
$3 = 15
(gdb) p off
$4 = 4430856216
(gdb) p/x off
$5 = 0x108198018
(gdb) p *stream
$8 = {ops = 0x284a9a00, abstract = 0x8190a64, filterhead = 0x0, filtertail = 0x0,
  wrapper = 0x284a9a9c, wrapperthis = 0x0, wrapperdata = 0x0, fgetss_state = 0,
  is_persistent = 0, mode = "rb", '\000' <repeats 13 times>, rsrc_id = 2, in_free = 0,
  fclose_stdiocast = 0, stdiocast = 0x0, __exposed = 1,
  __orig_path = 0x8191b24 "/usr/local/www/data/RECORD_OF_DECISIONS_TEMPLATE_20030812.000024.doc",
  context = 0x0, flags = 0, position = 0, readbuf = 0x0, readbuflen = 0, readpos = 0,
  writepos = 0, chunk_size = 8192, eof = 0}
(gdb) p *$8.ops
$9 = {write = 0x2843385c <php_stdiop_write>, read = 0x284338f4 <php_stdiop_read>,
  close = 0x284339cc <php_stdiop_close>, flush = 0x28433b00 <php_stdiop_flush>,
  label = 0x2848ad45 "STDIO", seek = 0x28433b5c <php_stdiop_seek>,
  cast = 0x28433c1c <php_stdiop_cast>, stat = 0x28433d14 <php_stdiop_stat>,
  set_option = 0x28433d78 <php_stdiop_set_option>}
(gdb) p {php_stdio_stream_data}0x8190a64
$11 = {file = 0x0, fd = 15, is_process_pipe = 0, is_pipe = 0, temp_file_name = 0x0,
  last_op = 0 '\000'}
 
"off" looks, well, a little off. :-)

------------------------------------------------------------------------

[2004-01-08 14:34:59] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.




------------------------------------------------------------------------

[2004-01-08 13:16:54] djones at xtreme-eda dot com

Description:
------------
PHP configuration:

http://www.inode.org/test.php

I am running an application that sends files to the user using
fpassthru().  With certain files, Apache exits with signal 11.  There
does not seem to be any distinguishing characteristic between files
that are sent OK and files that are not.

Reproduce code:
---------------
See http://www.inode.org/passthru.php_

The trailing underscore prevents execution so you can view the source. 
The code contains paths to two files; one of which can be transferred
and one that cannot.  You may transfer these files to your system to
attempt reproduction. (Instructions for said transfer are provided in
passthru.php)

Running the BAD file from the PHP command line appears to work
correctly so this might be a PHP-Apache interaction issue.

Expected result:
----------------
With the GOOD file: you can save the document and view it.

With the BAD file: I would expect to be able to save it too.

Actual result:
--------------
With the BAD file: Apache segfaults signal 11.

I'm not sure how I can get a GDB backtrace from a running Apache
instance.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=26846&edit=1