Bug #55121 [Asn]: Segfault with multipart/form-data POST / 404 request

2011-07-20 Thread nbpoole
Edit report at https://bugs.php.net/bug.php?id=55121&edit=1

 ID:                 55121
 Updated by:         nbpo...@php.net
 Reported by:        nbpo...@php.net
 Summary:            Segfault with multipart/form-data POST / 404 request
 Status:             Assigned
 Type:               Bug
 Package:            Built-in web server
 Operating System:   Ubuntu 10.04.2 LTS (64-bit)
 PHP Version:        5.4SVN-2011-07-03 (snap)
 Assigned To:        moriyoshi
 Block user comment: N
 Private report:     N

 New Comment:

A similar segfault on OS X 10.6.7 can be caused using the original steps to reproduce:

$ curl --form a=b http://127.0.0.1:8000/file.php
$ curl http://127.0.0.1:8000/does_not_exist


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0002011b0b30
0x00010024a3b5 in _zend_mm_free_int (heap=0x10100, p=0x1006651e0) at zend_alloc.c:2097
2097        heap->size -= size;
(gdb) bt
#0  0x00010024a3b5 in _zend_mm_free_int (heap=0x10100, p=0x1006651e0) at zend_alloc.c:2097
#1  0x00010021e6af in destroy_uploaded_files_hash () at rfc1867.c:199
#2  0x00010021b252 in sapi_deactivate () at SAPI.c:535
#3  0x0001002fd61e in php_cli_server_send_error_page (server=0x7fff5fbfa730, client=0x100b4e6f0, status=404) at php_cli_server.c:1525
#4  0x0001002fb31e in php_cli_server_dispatch [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:1636
#5  0x0001002fb31e in php_cli_server_recv_event_read_request (server=0x7fff5fbfe970, client=0x1006651e0) at php_cli_server.c:1924
#6  0x0001002fcae5 in php_cli_server_do_event_for_each_fd_callback [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2010
#7  0x0001002fcae5 in php_cli_server_do_event_for_each_fd [inlined] () at php_cli_server.c:671
#8  0x0001002fcae5 in php_cli_server_poller_iter_on_active [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2046
#9  0x0001002fcae5 in php_cli_server_do_event_loop [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2036
#10 0x0001002fcae5 in do_cli_server (argc=4, argv=0x10) at php_cli_server.c:2147
#11 0x0001002f6aa4 in main (argc=1606415328, argv=0x7fff5fbff400) at php_cli.c:1359


Previous Comments:

[2011-07-20 13:09:48] f...@php.net

I think the culprit lies in php_cli_server_client_populate_request_info
in the line
request_info->content_type = *val;
which doesn't terminate correctly at ; and reads
multipart/form-data; boundary=c1e04e412bff
instead of
multipart/form-data;
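
The header split that the comment above is talking about, written out as an added example. This is not code from this report, from PHP's php_cli_server.c or from rfc1867.c; the struct and function names (struct content_type, parse_content_type, param_name_matches) are this example's own. It cuts the media type at the first ';' (lower-casing it and trimming whitespace) and separately recovers the boundary parameter that a multipart/form-data body parser needs, handling the quoted-string form from RFC 2045 and rejecting an empty or over-long boundary. The first input is the header value quoted in the comment; the remaining inputs in main are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of a Content-Type request header value.
 * Example type; not an identifier from PHP's sources. */
struct content_type {
    char media_type[64];  /* lower-cased type/subtype, cut at the first ';' */
    char boundary[80];    /* boundary parameter, unquoted; "" when absent or unusable */
    int  is_multipart;    /* 1 when media_type is multipart/form-data and boundary is non-empty */
};

/* Does the text at p start with "<name>=", ignoring case in the name?
 * RFC 2045 parameter names are case-insensitive; `name` is given lower-case. */
static int param_name_matches(const char *p, const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++) {
        if (tolower((unsigned char)p[i]) != (unsigned char)name[i]) return 0;
    }
    return p[i] == '=';
}

/* Split a Content-Type value into its media type and boundary parameter. */
static struct content_type parse_content_type(const char *value)
{
    struct content_type ct;
    const char *start = value, *semi, *end, *p;
    size_t len, n;

    memset(&ct, 0, sizeof ct);

    /* Media type: skip leading whitespace, stop at the first ';' (or the end),
     * drop trailing whitespace, lower-case. */
    while (*start == ' ' || *start == '\t') start++;
    semi = strchr(start, ';');
    end = semi ? semi : start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    len = (size_t)(end - start);
    if (len >= sizeof ct.media_type) return ct;        /* oversized: treat as unusable */
    for (n = 0; n < len; n++) ct.media_type[n] = (char)tolower((unsigned char)start[n]);
    ct.media_type[len] = '\0';

    /* Parameters: walk the ';'-separated list after the media type for boundary=... */
    for (p = semi; p != NULL; p = strchr(p, ';')) {
        p++;                                            /* step past the ';' */
        while (*p == ' ' || *p == '\t') p++;
        if (!param_name_matches(p, "boundary")) continue;
        p += strlen("boundary=");
        n = 0;
        if (*p == '"') {                                /* quoted-string form (RFC 2045) */
            for (p++; *p != '\0' && *p != '"'; p++) {
                if (*p == '\\' && p[1] != '\0') p++;     /* quoted-pair: keep the escaped byte */
                if (n + 1 >= sizeof ct.boundary) { n = 0; break; }   /* over-long: reject */
                ct.boundary[n++] = *p;
            }
        } else {                                        /* bare token form */
            for (; *p != '\0' && *p != ';' && *p != ' ' && *p != '\t'; p++) {
                if (n + 1 >= sizeof ct.boundary) { n = 0; break; }   /* over-long: reject */
                ct.boundary[n++] = *p;
            }
        }
        ct.boundary[n] = '\0';
        break;
    }

    ct.is_multipart = strcmp(ct.media_type, "multipart/form-data") == 0
                      && ct.boundary[0] != '\0';
    return ct;
}

int main(void)
{
    /* First sample is the value quoted in the comment; the rest are constructed
     * to exercise the quoted, empty, missing and non-multipart cases. */
    const char *samples[] = {
        "multipart/form-data; boundary=c1e04e412bff",
        "Multipart/Form-Data ; boundary=\"ab cd\"; charset=utf-8",
        "multipart/form-data; boundary=",
        "multipart/form-data",
        "application/x-www-form-urlencoded",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct content_type ct = parse_content_type(samples[i]);
        printf("%-55s -> media_type=%s boundary=\"%s\" multipart=%d\n",
               samples[i], ct.media_type, ct.boundary, ct.is_multipart);
    }
    return 0;
}
```

The point of keeping the two pieces separate is that dispatch decisions (is this a multipart POST at all?) should compare against the bare media type, while the body parser gets the boundary on its own; a missing or empty boundary is then a request to reject rather than a string to search the body for.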


[2011-07-20 11:21:47] nbpo...@php.net

Hmm, previous test-case is no longer working for me either.

Try the following:

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl  "http://localhost:8000/file2.php"
$ curl  "http://localhost:8000/file2.php"
$ curl --form a=b  "http://localhost:8000/file.php"

It results in a different segfault.


Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
1906        heap->cache[index] = best_fit->prev_free_block;
(gdb) bt
#0  _zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
#1  0x082a79f0 in _ecalloc (nmemb=1, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:2556
#2  0x08275fc5 in multipart_buffer_new (content_type_dup=, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:283
#3  rfc1867_post_handler (content_type_dup=, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:749
#4  0x08273b46 in sapi_handle_post (arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/SAPI.c:182
#5  0x0827a628 in php_default_treat_data (arg=0, str=0x0, destArray=0x0) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:330
#6  0x082792aa in php_auto_globals_create_post (name=0xb7ea9bf4 "_POST", name_len=5) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:690
#7  0x082a7d45 in zend_auto_global_init (auto_global=0x86524b8) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6233
#8  0x082d564f in zend_hash_apply (ht=0x8649478, apply_func=0x82a7d20 ) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_hash.c:716
#9  0x082b523b in zend_activate_auto_globals () at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6243
#10 0x0827a7df in php_hash_environment () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:650
#11 0x0826ba5d in php_request_startup () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/main.c:1493
#12 0x0836e610 in php_cli_server_dispatch_script (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1599
#13 0x0836e8f5 in php_cli_server_dispatch (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1755
#14 php_cli_server_recv_event_read_request (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1924
#15 0x0836f0ff in php_cli_server_do_event_for_each_fd_callback (_params=0xbfffe15c, fd=6, event=1) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2015
#16 0x0836fbd7 in php_cli_server_poller_iter_on_active (argc=3, argv=0xb394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:671
#17 php_cli_server_do_event_for_each_fd (argc=3, argv=0xb394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2036
#18 php_cli_server_do_event_loop (argc=3, argv=0xb394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2046
#19 do_cli_server (argc=3, argv=0xb394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2147
#20 0x08368143 in main (argc=3, argv=0xb394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli.c:1359

This was done with the latest 5.4 from snaps.



[2011-07-20 06:50:25] f...@php.net

Just tried this on Debian testing and 5_4-HEAD and can't reproduce it.

$ curl --form a=b  "http://localhost:8000/file.php"
$ curl  "http://localhost:8000/file2.php"

[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Request read
[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Response sent successfully (200)
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Request read
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - No such file or directory
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Sending error page (404)



[2011-07-03 14:35:11] nbpo...@php.net

Description:

The built-in webserver repeatably segfaults for me when I send the following requests (in this order):

1. A multipart/form-data POST request
2. A GET request for a non-existent file

Test script:
---
Create an empty (0 byte) PHP file named file.php. Start the webserver from that file's directory. Then run the following commands:

curl --form a=b http://127.0.0.1:8000/file.php
curl http://127.0.0.1:8000/does_not_exist

Expected result:

Requests should be returned by the server without segfaulting.

Actual result:
--
After the second request has been made, I receive a segfault:

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
2100        if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  _zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
#1  0x006272f1 in destroy_uploaded_files_hash () at /home/nbpoole/php/php5.4-201107031630/main/rfc1867.c:199
#2  0x00625585 in sapi_deactivate () at /home/nbpoole/php/php5.4-201107031630/main/SAPI.c:533
#3  0x0071fe81 in php_cli_server_send_error_page (server=, client=, status=) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1524
#4  0x007207c9 in php_cli_server_begin_send_static (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1635
#5  php_cli_server_dispatch (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1747
#6  php_cli_server_recv_event_read_request (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1890
#7  0x007211ea in php_cli_server_do_event_for_each_fd_callback (_params=, fd=, event=) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1976
#8  0x0072185a in php_cli_server_poller_iter_on_active (argc=, argv=) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:670
#9  php_cli_server_do_event_for_each_fd (argc=, argv=) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2002
#10 php_cli_server_do_event_loop (argc=, argv=) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2012
#11 do_cli_server (argc=, argv=) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2097
#12 0x0071a33e in main (argc=, argv=) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli.c:1359






