From: [EMAIL PROTECTED]
Operating system: Solaris 2.6
PHP version: 4.1.2
PHP Bug Type: Reproducible crash
Bug description: long filenames in fopen() crash PHP.
While upgrading PHP from 4.0.3pl1 to 4.1.2 i noticed crashes related to
long file names, espacially when running under safe_mode.
The problem can be reproduced using the following one liner:
<?
sleep(20);
fopen("xxxxxxxxxxxxxxxxxx..... [very long file name, 1000 characters]
...xxxxxxxxxx", "r");
?>
Please note that for obvious reasons the filename has been shortened in
the example above, the "sleep" statement has been added for debugging
purposes...
Process trace of PHP:
sigprocmask(SIG_UNBLOCK, 0xEFFFE5B8, 0x00000000) = 0
sigaction(SIGALRM, 0xEFFFE518, 0x00000000) = 0
resolvepath("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
0xEFFFE078, 1024) Err#78 ENAMETOOLONG
Incurred fault #6, FLTBOUNDS %pc = 0xEF3A4644
siginfo: SIGSEGV SEGV_MAPERR addr=0xF0000000
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0xF0000000
*** process killed ***
gdb output:
(gdb) b php_fopen_wrapper
Breakpoint 1 at 0x2f3b8: file fopen_wrappers.c, line 245.
(gdb) cont
Continuing.
Breakpoint 1, php_fopen_wrapper (path=0x1cb060 'x' <repeats 200 times>...,
mode=0x1c71e8 "r", options=4, issock=0xefffe660, socketd=0x72,
opened_path=0x0) at fopen_wrappers.c:245
fopen_wrappers.c:245: No such file or directory.
(gdb)
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xef3a4644 in strcpy ()
(gdb) bt
#0 0xef3a4644 in strcpy ()
#1 0xef3cbe18 in _realpath ()
#2 0xf8090 in php_checkuid (filename=0x1cb060 'x' <repeats 200 times>...,
fopen_mode=0x1c71e8 "r", mode=0) at safe_mode.c:79
#3 0x2fcf8 in php_fopen_url_wrapper (
path=0x78787878 <Address 0x78787878 out of bounds>,
mode=0x78787878 <Address 0x78787878 out of bounds>,
options=2021161080,
issock=0x78787878, socketd=0x78787878, opened_path=0x78787878)
at fopen_wrappers.c:558
Cannot access memory at address 0x787878b0.
(gdb) (gdb) b php_fopen_wrapper
Breakpoint 1 at 0x2f3b8: file fopen_wrappers.c, line 245.
(gdb) cont
Continuing.
Breakpoint 1, php_fopen_wrapper (path=0x1cb060 'x' <repeats 200 times>...,
mode=0x1c71e8 "r", options=4, issock=0xefffe660, socketd=0x72,
opened_path=0x0) at fopen_wrappers.c:245
fopen_wrappers.c:245: No such file or directory.
(gdb)
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xef3a4644 in strcpy ()
(gdb) bt
#0 0xef3a4644 in strcpy ()
#1 0xef3cbe18 in _realpath ()
#2 0xf8090 in php_checkuid (filename=0x1cb060 'x' <repeats 200 times>...,
fopen_mode=0x1c71e8 "r", mode=0) at safe_mode.c:79
#3 0x2fcf8 in php_fopen_url_wrapper (
path=0x78787878 <Address 0x78787878 out of bounds>,
mode=0x78787878 <Address 0x78787878 out of bounds>,
options=2021161080,
issock=0x78787878, socketd=0x78787878, opened_path=0x78787878)
at fopen_wrappers.c:558
Cannot access memory at address 0x787878b0.
(gdb)
Other occurrences with different path names and include path lead to Bus
Errors...
If you need further information, don't hesitate to contact me.
Alex Mayrhofer
--
Edit bug report at http://bugs.php.net/?id=15905&edit=1
--
Fixed in CVS: http://bugs.php.net/fix.php?id=15905&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=15905&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=15905&r=needtrace
Try newer version: http://bugs.php.net/fix.php?id=15905&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=15905&r=support
Expected behavior: http://bugs.php.net/fix.php?id=15905&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=15905&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=15905&r=submittedtwice
