From: hufan at baidu dot com
Operating system: redhat 7.3
PHP version: 5.0.4
PHP Bug Type: Reproducible crash
Bug description: php_stream_mmap_range make apache core dump by returning wrong pointer
Description:
------------
On some conditions, php_stream_mmap_range returns a wrong pointer, which makes apache core dump (signal 7). Here is the core file track:

#0  0x420e14f2 in writev () from /lib/i686/libc.so.6
#1  0x081bee67 in writev_it_all ()
#2  0x081bf25f in large_write ()
#3  0x081bf31f in ap_bwrite ()
#4  0x081d2f3f in ap_rwrite ()
#5  0x0809024a in sapi_apache_ub_write (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788) at /home/work/source/php5/php-5.0.4/sapi/apache/mod_php5.c:102
#6  0x080a146b in php_ub_body_write_no_header (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788) at /home/work/source/php5/php-5.0.4/main/output.c:684
#7  0x080a150d in php_ub_body_write (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788) at /home/work/source/php5/php-5.0.4/main/output.c:714
#8  0x080a075e in php_body_write (str=0x402da000 <Address 0x402da000 out of bounds>, str_length=33788) at /home/work/source/php5/php-5.0.4/main/output.c:119
#9  0x080a3099 in _php_stream_passthru (stream=0x84a29e4) at /home/work/source/php5/php-5.0.4/main/streams/streams.c:1157

(gdb) list
1152            size_t mapped;
1153
1154            p = php_stream_mmap_range(stream, php_stream_tell(stream), PHP_STREAM_COPY_ALL, PHP_STREAM_MAP_MODE_SHARED_READONLY, &mapped);
1155
1156            if (p) {
1157                    PHPWRITE(p, mapped);
1158
1159                    php_stream_mmap_unmap(stream);
1160
1161                    return mapped;

(gdb) info locals
p = 0x31ec <Address 0x31ec out of bounds>
mapped = 33788
stream = (php_stream *) 0x84a29e4
bcount = 0
buf = "\001\0\0\0\224=F\b\b\0\0\0{p\aBJ,J\bl\206C\b:\0\0\0.p\aB\001\0\0\0\001\0 \0\0\0\0\0\0*=)@\f\003\023B\0\0\0\0\210\032ÿ¿À\004\005Bp\026ÿ¿\0\0\0\0\0\0 \0\0ß\002\005B\200\026ÿ¿\0\0\0\0\0\0\0\0ß\002\005B\001\0\0\0\004\0\0\00K\0 \0?\005BP_F\b\0\0\0\0\001\0\0\0?\005B\006\0\0\0\001\0\0\0\001\0\0\0\004\0\0\0\030K", '\0' <repeats 14 times>, "hþH\btüB\b\n\0\0\0\001\0\0\0\001\0\0\0\004\0\0\0<\024ÿ¿¼CJ\b\0\0\0\0\0 \0\0\0\001\0\0\0"...
b = 139078116

-- Edit bug report at http://bugs.php.net/?id=33253&edit=1
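The trace above shows the caller trusting whatever the stream's mmap wrapper hands back: `_php_stream_passthru` only checks `if (p)` and then passes `p` and `mapped` straight to the output layer, where writev faults with signal 7 (SIGBUS on Linux/x86). The following is an added example, not code from the bug report or from PHP, of the invariants such a range-mapping helper has to hold so that the `if (p)` check is sufficient: mmap reports failure as `MAP_FAILED`, not NULL, so it must be translated; the offset must be page-aligned and the returned pointer adjusted back into the page; and the length must be clamped to the file size, since touching mapped pages past EOF is what raises SIGBUS. The function names (`map_range_readonly`, `unmap_range`, `demo_map_range`), the `mapped_range` struct and the 16-byte temporary file are all assumptions made for the illustration; nothing here claims to be the cause of, or the fix for, this bug.

```c
#define _XOPEN_SOURCE 700
#include <assert.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result of a range mapping: the pointer handed to the caller plus the
 * page-aligned base and length needed for munmap(). (Hypothetical type.) */
struct mapped_range {
    void   *base;    /* page-aligned address returned by mmap() */
    size_t  maplen;  /* length passed to mmap() */
    char   *ptr;     /* base + (offset - page_base): what the caller reads */
    size_t  len;     /* usable bytes at ptr, clamped to the file size */
};

/* Map [offset, offset+len) of fd read-only. len == 0 means "to end of file"
 * (the PHP_STREAM_COPY_ALL meaning in the listing above). Returns 0 and fills
 * *r on success, -1 with *r zeroed on any failure, so a caller's "if (p)"
 * check never sees a bogus pointer. Hypothetical helper, not PHP's. */
int map_range_readonly(int fd, off_t offset, size_t len, struct mapped_range *r)
{
    struct stat st;
    long page;
    off_t page_base;
    void *base;

    memset(r, 0, sizeof *r);
    if (fd < 0 || offset < 0 || fstat(fd, &st) != 0)
        return -1;
    /* A range starting at or past EOF maps nothing; reading such pages
     * would raise SIGBUS, so refuse instead of returning a pointer. */
    if (offset >= st.st_size)
        return -1;
    if (len == 0 || len > (size_t)(st.st_size - offset))
        len = (size_t)(st.st_size - offset);

    page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    /* mmap() requires a page-aligned offset: map from the page boundary
     * and hand back an interior pointer, keeping base/maplen for munmap(). */
    page_base = offset - (offset % page);
    r->maplen = (size_t)(offset - page_base) + len;
    base = mmap(NULL, r->maplen, PROT_READ, MAP_SHARED, fd, page_base);
    /* mmap() signals failure with MAP_FAILED, not NULL. */
    if (base == MAP_FAILED) {
        memset(r, 0, sizeof *r);
        return -1;
    }
    r->base = base;
    r->ptr  = (char *)base + (offset - page_base);
    r->len  = len;
    return 0;
}

void unmap_range(struct mapped_range *r)
{
    if (r->base)
        munmap(r->base, r->maplen);
    memset(r, 0, sizeof *r);
}

/* Self-check on a constructed temporary file: maps from a non-zero offset
 * with len == 0 ("rest of file"), verifies the bytes, and confirms that an
 * offset at EOF is refused. Returns the number of bytes mapped in the first
 * case (12 for the constructed data) or -1 on any unexpected result. */
int demo_map_range(void)
{
    char path[] = "/tmp/mmap_range_XXXXXX";
    const char data[] = "HDR:payload-body";   /* 16 bytes, constructed */
    struct mapped_range r;
    int fd, ok;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (write(fd, data, 16) != 16) { close(fd); return -1; }

    /* offset 4, len 0: expect the 12 bytes "payload-body" */
    ok = map_range_readonly(fd, 4, 0, &r) == 0
         && r.len == 12
         && memcmp(r.ptr, "payload-body", 12) == 0;
    unmap_range(&r);

    /* offset at EOF: must fail cleanly rather than return a pointer */
    if (map_range_readonly(fd, 16, 0, &r) == 0) { unmap_range(&r); ok = 0; }

    close(fd);
    return ok ? 12 : -1;
}

int main(void)
{
    printf("demo_map_range() = %d\n", demo_map_range());
    return 0;
}
```

When debugging a trace like the one above, the two locals worth comparing are the pointer (`p = 0x31ec` here, a value far below any mapped region) and `mapped` (33788): if the helper computed the length from the file but derived the pointer from something else, the `if (p)` check passes and the fault only appears when writev touches the memory.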