ID:               26938
Updated by:       [EMAIL PROTECTED]
Reported By:      runekl at opoint dot com
-Status:          Open
+Status:          Verified
Bug Type:         Program Execution
Operating System: *
PHP Version:      5CVS, 4CVS

Previous Comments:
------------------------------------------------------------------------

[2004-01-20 01:05:50] runekl at opoint dot com

Here it is:

Index: exec.c =================================================================== RCS file: /repository/php-src/ext/standard/exec.c,v retrieving revision 1.108 diff -u -r1.108 exec.c --- exec.c 8 Jan 2004 08:17:31 -0000 1.108 +++ exec.c 20 Jan 2004 06:07:37 -0000 @@ -112,12 +112,12 @@ if (type != 3) { b = buf; - while (php_stream_get_line(stream, b, EXEC_INPUT_BUF, &bufl)) { + while (php_stream_get_line(stream, b, buflen - (b - buf), &bufl)) { /* no new line found, let's read some more */ if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) { if (buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)) { bufl += b - buf; - buflen = bufl + EXEC_INPUT_BUF; + buflen = bufl + 1 + EXEC_INPUT_BUF; buf = erealloc(buf, buflen); b = buf + bufl; } else {
@@ -125,7 +125,7 @@ } continue; } else if (b != buf) { - bufl += buflen - EXEC_INPUT_BUF; + bufl += (b - buf); } if (type == 1) {

------------------------------------------------------------------------

[2004-01-19 19:44:29] [EMAIL PROTECTED]

I can reproduce this now, got the same result. Can you provide that patch in unified diff format? (diff -u)

------------------------------------------------------------------------

[2004-01-18 16:11:38] runekl at opoint dot com

I get this when running the test I have suggested.

md5(line 0)= e86410fa2d6e2634fd8ac5f4b3afe7f3 (length 10)
md5(line 1)= e84debf3a1d132871d7fe45c1c04c566 (length 20000)
md5(line 2)= 2713d01e967adfd64c49857370ab420b (length 18191)
md5(line 3)= 2ecdde3959051d913f61b14579ea136d (length 5)
md5(line 4)= 2713d01e967adfd64c49857370ab420b (length 18191)
md5(line 5)= 902fbdd2b1df0c4f70b4a5d23525e932 (length 3)

Look at the lines 2 and 4. The lines to read are 10000 characters long, but PHP 'reads' 18191 bytes, e.g. 2*EXEC_INPUT_BUF-1 too much. The extra characters come from line 1. With the patch in my first post I get correct output.

Since test 26615 does not test reading long lines well enough and is about a bug in the same loop, I suggest replacing it.

------------------------------------------------------------------------

[2004-01-17 10:20:51] runekl at opoint dot com

I suggest you replace the test for bug 26615 with the one below. That should cover both cases. It will also make your distribution smaller -)

--TEST--
Bug #26615 (exec crash on long input lines)
--FILE--
<?php
$out = array();
$status = -1;
$php = getenv('TEST_PHP_EXECUTABLE');
exec($php . ' -r \''
     . '$lengths = array(10,20000,10000,5,10000,3);'
     . 'foreach($lengths as $length) {'
     . ' for($i=0;$i<$length;$i++) print chr(65+$i % 27);'
     . ' print "\n";'
     . '}\'', $out, $status);
for ($i=0;$i<6;$i++)
    print "md5(line $i)= " . md5($out[$i]) . " (length " . strlen($out[$i]) . ")\n";
?>
--EXPECT--
md5(line 0)= e86410fa2d6e2634fd8ac5f4b3afe7f3 (length 10)
md5(line 1)= e84debf3a1d132871d7fe45c1c04c566 (length 20000)
md5(line 2)= c33b4d2f86908eea5d75ee5a61fd81f4 (length 10000)
md5(line 3)= 2ecdde3959051d913f61b14579ea136d (length 5)
md5(line 4)= c33b4d2f86908eea5d75ee5a61fd81f4 (length 10000)
md5(line 5)= 902fbdd2b1df0c4f70b4a5d23525e932 (length 3)

------------------------------------------------------------------------

[2004-01-16 16:38:38] runekl at opoint dot com

Description:
------------
Exec fails to read two consecutive lines longer than 2*EXEC_INPUT_BUF correctly. While reading the first line, buflen is set to 3*EXEC_INPUT_BUF. When reading part two of the second line, bufl will be EXEC_INPUT_BUF too large since b!=buf.

Here is a patch:

Index: exec.c =================================================================== RCS file: /repository/php-src/ext/standard/exec.c,v retrieving revision 1.108 diff -C4 -r1.108 exec.c *** exec.c 8 Jan 2004 08:17:31 -0000 1.108 --- exec.c 16 Jan 2004 21:35:35 -0000 *************** *** 111,132 **** if (type != 3) { b = buf; ! while (php_stream_get_line(stream, b, EXEC_INPUT_BUF, &bufl)) { /* no new line found, let's read some more */ if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) { if (buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)) { bufl += b - buf; ! buflen = bufl + EXEC_INPUT_BUF; buf = erealloc(buf, buflen); b = buf + bufl; } else { b += bufl; } continue; } else if (b != buf) { ! bufl += buflen - EXEC_INPUT_BUF; } if (type == 1) { PHPWRITE(buf, bufl); --- 111,132 ---- if (type != 3) { b = buf; ! while (php_stream_get_line(stream, b, buflen - (b - buf), &bufl)) { /* no new line found, let's read some more */ if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) { if (buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)) { bufl += b - buf; ! buflen = bufl + 1 + EXEC_INPUT_BUF; buf = erealloc(buf, buflen); b = buf + bufl; } else { b += bufl; } continue; } else if (b != buf) { !
bufl += (b - buf); } if (type == 1) { PHPWRITE(buf, bufl);
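
Review bot: In the first hunk (@@ -112,12) the new size, buflen = bufl + 1 + EXEC_INPUT_BUF, no longer agrees with the unchanged grow condition two lines above it, which still tests buflen < (bufl + (b - buf) + EXEC_INPUT_BUF) without the extra byte. Either carry the + 1 into the condition as well or add a comment saying what the extra byte is for, so that a later cleanup does not bring the two expressions back into agreement by dropping it. The new read length, buflen - (b - buf), relies on b never passing buf + buflen; a one-line comment stating that invariant next to the while would make the dependency visible.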
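
Review bot: The fix in the second hunk (@@ -125,7) ships without a test: the diff touches only exec.c, while the regression test proposed earlier in this thread (line lengths 10, 20000, 10000, 5, 10000, 3) is the only thing that exercises a long line followed by a shorter multi-read line. Please include it with the change. Minor style point on the same line: bufl += (b - buf); is parenthesised here, but the identical expression in the first hunk is written bufl += b - buf; so pick one form.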
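
The length accounting described in the report, as an added C model (not PHP's exec.c and not code from this thread). get_line, read_lines and the in-memory input are constructed stand-ins, and EXEC_INPUT_BUF is assumed to be 4096, the value consistent with the reported 18191. Run with patched set to 0, the loop reports 18191 bytes for both 10000-character lines, the surplus being stale bytes the 20000-character line left in the buffer.

```c
#include <ctype.h>
#include <stdlib.h>
#define EXEC_INPUT_BUF 4096 /* assumed; consistent with 18191 = 10000 + 2*4096 - 1 */
#define NLINES 6
static const char *src;     /* constructed in-memory stand-in for the child's output */

/* Stand-in for php_stream_get_line(): at most max-1 bytes, stops after '\n', NUL-terminates. */
static char *get_line(char *dst, size_t max, size_t *got) {
    size_t n = 0;
    while (n + 1 < max && src[n] != '\0') {
        dst[n] = src[n];
        if (src[n++] == '\n') break;
    }
    dst[n] = '\0';
    src += n;
    *got = n;
    return n ? dst : NULL;
}

/* The read loop from the report; patched=0 keeps revision 1.108's length accounting. */
static void read_lines(int patched, size_t out[NLINES]) {
    static const size_t lengths[NLINES] = {10, 20000, 10000, 5, 10000, 3}; /* from the test */
    char *input = malloc(40100), *p = input;  /* 40018 data bytes + 6 newlines + NUL fit */
    for (int i = 0; i < NLINES; i++) {
        for (size_t j = 0; j < lengths[i]; j++) *p++ = (char)('A' + j % 27);
        *p++ = '\n';
    }
    *p = '\0'; src = input;
    size_t buflen = EXEC_INPUT_BUF, bufl = 0;
    char *buf = malloc(buflen), *b = buf;
    while (get_line(b, patched ? buflen - (size_t)(b - buf) : EXEC_INPUT_BUF, &bufl)) {
        if (b[bufl - 1] != '\n' && *src != '\0') {  /* no newline yet: read more */
            if (buflen < bufl + (size_t)(b - buf) + EXEC_INPUT_BUF) {
                bufl += (size_t)(b - buf);
                buflen = bufl + (patched ? 1 : 0) + EXEC_INPUT_BUF;
                buf = realloc(buf, buflen);
                b = buf + bufl;
            } else {
                b += bufl;          /* buffer already big enough from an earlier line */
            }
            continue;
        } else if (b != buf) {      /* last chunk of a multi-read line: add the prefix */
            bufl += patched ? (size_t)(b - buf) : buflen - EXEC_INPUT_BUF;
        }
        while (bufl && isspace((unsigned char)buf[bufl - 1])) bufl--; /* exec() drops trailing whitespace */
        *out++ = bufl;
        b = buf;
    }
    free(buf); free(input);
}
```

The original accounting is only right while buflen - EXEC_INPUT_BUF happens to equal b - buf, which holds immediately after a realloc and fails once a later line reuses the already enlarged buffer.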