From:             novicky at aarongroup dot cz
Operating system: linux
PHP version:      4.3.4
PHP Bug Type:     Apache2 related
Bug description:  readfile() segfaults on certain files

Description:
------------
Still the same problem as described in suspended bugs #26846 and #24301.
Segmentation fault occurs when sending files of length 4k*n (where n can
be 4-6,8-30) via readfile().

System:
linux RH 8.0
apache 2.0.48
php 4.3.4

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8192 (LWP 8803)]
0x4207c46c in memcpy () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207c46c in memcpy () from /lib/i686/libc.so.6
#1  0x403bbc58 in apr_pmemdup (a=0x40895000, m=0x4000, n=136459925) at
apr_strings.c:157
#2  0x405c8170 in php_apache_sapi_ub_write (str=0x40895000 'x' <repeats
200 times>..., str_length=16384)
    at /home/linux/php/php-4.3.4/sapi/apache2handler/sapi_apache2.c:84
#3  0x4059fdf0 in php_ub_body_write_no_header (str=0x40895000 'x' <repeats
200 times>..., str_length=16384)
    at /home/linux/php/php-4.3.4/main/output.c:689
#4  0x4059fe77 in php_ub_body_write (str=0x40895000 'x' <repeats 200
times>..., str_length=16384)
    at /home/linux/php/php-4.3.4/main/output.c:719
#5  0x4059ee51 in php_body_write (str=0x40895000 'x' <repeats 200
times>..., str_length=16384)
    at /home/linux/php/php-4.3.4/main/output.c:121
#6  0x4059b612 in _php_stream_passthru (stream=0x821ecd4) at
/home/linux/php/php-4.3.4/main/streams.c:1088
#7  0x4053ea5d in zif_readfile (ht=16385, return_value=0x821ecb4,
this_ptr=0x0, return_value_used=0)
    at /home/linux/php/php-4.3.4/ext/standard/file.c:1817
#8  0x405c4542 in execute (op_array=0x821a2ac) at
/home/linux/php/php-4.3.4/Zend/zend_execute.c:1616
#9  0x405b7c41 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
at /home/linux/php/php-4.3.4/Zend/zend.c:884
#10 0x40592253 in php_execute_script (primary_file=0xbffff6a0) at
/home/linux/php/php-4.3.4/main/main.c:1729
#11 0x405c8d2b in php_handler (r=0x820bfb8) at
/home/linux/php/php-4.3.4/sapi/apache2handler/sapi_apache2.c:537
#12 0x08098c1e in ap_run_handler (r=0x820bfb8) at config.c:195
#13 0x08099136 in ap_invoke_handler (r=0x820bfb8) at config.c:401
#14 0x080829d7 in ap_process_request (r=0x820bfb8) at http_request.c:288
#15 0x0807ebc1 in ap_process_http_connection (c=0x8205860) at
http_core.c:293
#16 0x080a1daa in ap_run_process_connection (c=0x8205860) at
connection.c:85
#17 0x080977c3 in child_main (child_num_arg=16385) at prefork.c:694
#18 0x0809796e in make_child (s=0x810bca0, slot=0) at prefork.c:734
#19 0x080979c7 in startup_children (number_to_start=5) at prefork.c:806
#20 0x080980b9 in ap_mpm_run (_pconf=0x80970ac, plog=0x81183f8,
s=0x810bca0) at prefork.c:1022
#21 0x0809cf56 in main (argc=2, argv=0xbffff9f4) at main.c:660
#22 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6


Reproduce code:
---------------
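<?php
// File length is a multiple of 4096 bytes; the multiplier can be 4-6,8-30
$fl = 4096*4;
$fn = "/tmp/file.tmp";
// Create the test file filled with 'x' characters
$fp = fopen($fn, "wb");
fwrite($fp, str_repeat('x', $fl), $fl);
fclose($fp);
// Sending the file through the apache2handler SAPI triggers the segfault
readfile($fn);
?>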



-- 
Edit bug report at http://bugs.php.net/?id=27037&edit=1