From: tony2...@php.net Operating system: Linux PHP version: 5.3CVS-2009-06-10 (CVS) PHP Bug Type: Reproducible crash Bug description: curl crashes when writing into invalid file handle
Description: ------------ curl_setopt() doesn't increase reference count of file pointers passed along with CURLOPT_FILE and CURLOPT_WRITEHEADER options, which leads to invalid read/writes and as a result - random crashes because FILE* pointer is destroyed before write(). Simple patch fixes this problem, but there is another one to consider: should the refcount be decreased when closing the cURL handle? Patch proposed: http://dev.daylessday.org/diff/curl_write_handle.diff Reproduce code: --------------- <?php $tmp_dir = "/tmp/2"; $urls = array( 'http://ru.php.net/manual/en/function.curl-errno.php', 'http://ru.php.net/manual/en/function.curl-multi-close.php', 'http://ru.php.net/manual/en/function.curl-multi-getcontent.php', 'http://ru.php.net/manual/en/function.curl-multi-remove-handle.php', ); $mh = curl_multi_init(); foreach ($urls as $url) { $ch = curl_init(); $tmp_url = parse_url($url); $tmp_file = $tmp_dir."/".basename($tmp_url['path']); $fp = fopen($tmp_file, "w"); curl_setopt($ch, CURLOPT_RETURNTRANSFER,0); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FILE, $fp); curl_multi_add_handle($mh, $ch); } $running = 0; do { curl_multi_exec($mh, $running); } while ($running > 0); ?> Actual result: -------------- ==29222== Invalid read of size 2 ==29222== at 0x60411F9: fwrite (in /lib64/libc-2.8.so) ==29222== by 0x45078F: curl_write (interface.c:882) ==29222== by 0x5738691: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5750CC2: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x574D8F3: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5752F7B: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x575380A: curl_multi_perform (in /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x45736A: zif_curl_multi_exec (multi.c:216) ==29222== by 0x6340F6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313) ==29222== by 0x639955: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1601) ==29222== by 0x633386: execute (zend_vm_execute.h:104) ==29222== by 0x6045FA: zend_execute_scripts (zend.c:1188) ==29222== by 0x58FFDE: php_execute_script (main.c:2171) ==29222== by 0x6E904A: main (php_cli.c:1188) ==29222== Invalid write of size 8 ==29222== at 0x6041245: fwrite (in /lib64/libc-2.8.so) ==29222== by 0x45078F: curl_write (interface.c:882) ==29222== by 0x5738691: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5750CC2: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x574D8F3: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5752F7B: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x575380A: curl_multi_perform (in /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x45736A: zif_curl_multi_exec (multi.c:216) ==29222== by 0x6340F6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313) ==29222== by 0x639955: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1601) ==29222== by 0x633386: execute (zend_vm_execute.h:104) ==29222== by 0x6045FA: zend_execute_scripts (zend.c:1188) ==29222== by 0x58FFDE: php_execute_script (main.c:2171) ==29222== by 0x6E904A: main (php_cli.c:1188) -- Edit bug report at http://bugs.php.net/?id=48518&edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=48518&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=48518&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=48518&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=48518&r=fixedcvs Fixed in CVS and need be documented: http://bugs.php.net/fix.php?id=48518&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=48518&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=48518&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=48518&r=needscript Try newer version: http://bugs.php.net/fix.php?id=48518&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=48518&r=support Expected behavior: http://bugs.php.net/fix.php?id=48518&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=48518&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=48518&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=48518&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=48518&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=48518&r=dst IIS Stability: http://bugs.php.net/fix.php?id=48518&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=48518&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=48518&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=48518&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=48518&r=mysqlcfg
