readfile() segfaults on certain files
| Bug #27037 | readfile() segfaults on certain files | | |
|---|---|---|---|
| Submitted: | 2004-01-25 10:59 UTC | Modified: | 2004-01-28 21:12 UTC |
| From: | novicky at aarongroup dot cz | Assigned: | |
| Status: | Closed | Package: | Apache2 related |
| PHP Version: | 4CVS, 5CVS | OS: | linux |
| Private report: | No | CVE-ID: | None |
[2004-01-25 10:59 UTC] novicky at aarongroup dot cz
Description:
------------
Still the same problem as described in suspended bugs #26846 and #24301. Segmentation fault occurs when sending files of length 4k*n (where n can be 4-6,8-30) via readfile().
System:
linux RH 8.0
apache 2.0.48
php 4.3.4
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8192 (LWP 8803)]
0x4207c46c in memcpy () from /lib/i686/libc.so.6
(gdb) bt
#0 0x4207c46c in memcpy () from /lib/i686/libc.so.6
#1 0x403bbc58 in apr_pmemdup (a=0x40895000, m=0x4000, n=136459925) at apr_strings.c:157
#2 0x405c8170 in php_apache_sapi_ub_write (str=0x40895000 'x' <repeats 200 times>..., str_length=16384)
at /home/linux/php/php-4.3.4/sapi/apache2handler/sapi_apache2.c:84
#3 0x4059fdf0 in php_ub_body_write_no_header (str=0x40895000 'x' <repeats 200 times>..., str_length=16384)
at /home/linux/php/php-4.3.4/main/output.c:689
#4 0x4059fe77 in php_ub_body_write (str=0x40895000 'x' <repeats 200 times>..., str_length=16384)
at /home/linux/php/php-4.3.4/main/output.c:719
#5 0x4059ee51 in php_body_write (str=0x40895000 'x' <repeats 200 times>..., str_length=16384)
at /home/linux/php/php-4.3.4/main/output.c:121
#6 0x4059b612 in _php_stream_passthru (stream=0x821ecd4) at /home/linux/php/php-4.3.4/main/streams.c:1088
#7 0x4053ea5d in zif_readfile (ht=16385, return_value=0x821ecb4, this_ptr=0x0, return_value_used=0)
at /home/linux/php/php-4.3.4/ext/standard/file.c:1817
#8 0x405c4542 in execute (op_array=0x821a2ac) at /home/linux/php/php-4.3.4/Zend/zend_execute.c:1616
#9 0x405b7c41 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/linux/php/php-4.3.4/Zend/zend.c:884
#10 0x40592253 in php_execute_script (primary_file=0xbffff6a0) at /home/linux/php/php-4.3.4/main/main.c:1729
#11 0x405c8d2b in php_handler (r=0x820bfb8) at /home/linux/php/php-4.3.4/sapi/apache2handler/sapi_apache2.c:537
#12 0x08098c1e in ap_run_handler (r=0x820bfb8) at config.c:195
#13 0x08099136 in ap_invoke_handler (r=0x820bfb8) at config.c:401
#14 0x080829d7 in ap_process_request (r=0x820bfb8) at http_request.c:288
#15 0x0807ebc1 in ap_process_http_connection (c=0x8205860) at http_core.c:293
#16 0x080a1daa in ap_run_process_connection (c=0x8205860) at connection.c:85
#17 0x080977c3 in child_main (child_num_arg=16385) at prefork.c:694
#18 0x0809796e in make_child (s=0x810bca0, slot=0) at prefork.c:734
#19 0x080979c7 in startup_children (number_to_start=5) at prefork.c:806
#20 0x080980b9 in ap_mpm_run (_pconf=0x80970ac, plog=0x81183f8, s=0x810bca0) at prefork.c:1022
#21 0x0809cf56 in main (argc=2, argv=0xbffff9f4) at main.c:660
#22 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
Reproduce code:
---------------
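<?php
// Create a file whose size is an exact multiple of 4096 bytes.
$fl = 4096*4; // can be 4-6,8-30
$fn = "/tmp/file.tmp";
$fp = fopen($fn, "wb");
fwrite($fp, str_repeat('x', $fl), $fl);
fclose($fp);
// Send the file through the output layer; this is the call that crashes.
readfile($fn);
?>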
[2004-01-28 21:12 UTC] iliaa@php.net