ID: 38648
Updated by: [EMAIL PROTECTED]
Reported By: songmaqd at hotmail dot com
-Status: Open
+Status: Assigned
Bug Type: Streams related
Operating System: UNIX
PHP Version: 5CVS-2006-08-30 (CVS)
-Assigned To:
+Assigned To: pollita
New Comment:
Assigned to the maintainer.
Previous Comments:
------------------------------------------------------------------------
[2006-08-31 10:07:31] songmaqd at hotmail dot com
Here is the reproduce script:
<?php
class strtoupper_filter extends php_user_filter {
function filter($in, $out, &$consumed, $closing)
{
while ($bucket = stream_bucket_make_writeable($in)) {}
}
}
stream_filter_register("strtoupper", "strtoupper_filter");
$fp = fopen("foo-bar.txt", "w");
stream_filter_append($fp, "strtoupper");
fwrite($fp, "Line1\n");
Note:
1. This bug can not be reproduced on Linux platform. My distro is SuSE
10.1. I can reproduce the bug on one certain UNIX platform.
2.The above script is for testing purpose and is deliberated written
like that. It is not following the stream filter coding way.
3. Here is some debugger info. "php_stream_bucket_unlink" was called
twice I guess the second call is to clean the system resource and
"brigade" is "0x0" at this moment.
**** ****
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c"
($t2)
235 if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen =
6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) print *bucket->brigade
(head = 0x2223D000, tail = 0x2223D000)
(/tmp/dbx) print *bucket->brigade->head
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen =
6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink.$b156 at line 238 in file
"filter.c" ($t2)
238 bucket->brigade->head = bucket->next;
(/tmp/dbx) list
239 }
240 if (bucket->next) {
241 bucket->next->prev = bucket->prev;
242 } else if (bucket->brigade) {
243 bucket->brigade->tail = bucket->prev;
244 }
245 bucket->brigade = NULL;
246 bucket->next = bucket->prev = NULL;
247 }
(/tmp/dbx) cont
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c"
($t2)
235 if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x0, buf = "", buflen = 0, own_buf =
0, is_persistent = 0, refcount = 0)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 240 in file "filter.c"
($t2)
240 if (bucket->next) {
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 245 in file "filter.c"
($t2)
245 bucket->brigade = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 246 in file "filter.c"
($t2)
246 bucket->next = bucket->prev = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 247 in file "filter.c"
($t2)
247 }
(/tmp/dbx) cont
program exited
**** ****
------------------------------------------------------------------------
[2006-08-30 08:48:23] [EMAIL PROTECTED]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.
Please avoid embedding huge scripts into the report.
------------------------------------------------------------------------
[2006-08-30 05:49:47] songmaqd at hotmail dot com
Description:
------------
In source file "main/streams/filter.c", function "PHPAPI void
php_stream_bucket_unlink(php_stream_bucket *bucket TSRMLS_DC)
" needs some additional sanity check for NULL pointer of "brigade".
Otherwise it leads to core dump if "brigade" is NULL.
A possible example for this fix is:
PHPAPI void php_stream_bucket_unlink(php_stream_bucket *bucket
TSRMLS_DC)
{
if (bucket->prev) {
bucket->prev->next = bucket->next;
} else if (bucket->brigade) /*newly added*/{
bucket->brigade->head = bucket->next;
}
if (bucket->next) {
bucket->next->prev = bucket->prev;
} else if (bucket->brigade) /*newly added*/{
bucket->brigade->tail = bucket->prev;
}
bucket->brigade = NULL;
bucket->next = bucket->prev = NULL;
}
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38648&edit=1
