ID: 15905
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Reproducible crash
Operating System: Solaris 2.6
PHP Version: 4.1.2
New Comment:

Happens still with latest CVS snapshot (200203070000), please see gdb debugging session below:

(gdb) run crash.php
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /src/webstuff/php4-200203070000/php crash.php
warning: Unable to find dynamic linker breakpoint function.
warning: GDB will be unable to debug shared library initializers
warning: and track explicitly loaded dynamic code.

Breakpoint 1, php_checkuid (filename=0x1d2180 'x' <repeats 200 times>..., fopen_mode=0x1c9278 "r", mode=4) at safe_mode.c:50
50 long uid=0L, gid=0L, duid=0L, dgid=0L;
(gdb) step
55 if (!filename) {
(gdb)
59 if (fopen_mode) {
(gdb)
60 if (fopen_mode[0] == 'r') {
(gdb)
71 if (!strncasecmp(filename,"http://", 7) || !strncasecmp(filename,"ftp://", 6)) {
(gdb) print filename
$7 = 0x1d2180 'x' <repeats 200 times>...
(gdb)
$8 = 0x1d2180 'x' <repeats 200 times>...
(gdb)
$9 = 0x1d2180 'x' <repeats 200 times>...
(gdb) step
78 if (mode != CHECKUID_ALLOW_ONLY_DIR) {
(gdb)
79 VCWD_REALPATH(filename, path);
(gdb)
80 ret = VCWD_STAT(path, &sb);
(gdb)
81 if (ret < 0) {
(gdb)
82 if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) {
(gdb)
83 php_error(E_WARNING, "Unable to access %s", filename);
(gdb) print filename
$10 = 0x1d2180 'x' <repeats 200 times>...
(gdb)
$11 = 0x1d2180 'x' <repeats 200 times>...
(gdb) step
zend_error (type=2, format=<error type>) at zend.c:642
642 switch (type) {
(gdb)
657 if (zend_is_compiling(TSRMLS_C)) {
(gdb)
zend_is_compiling () at zend_compile.c:147
147 return CG(in_compilation);
(gdb)
zend_is_executing () at zend_execute_API.c:263
263 return EG(in_execution);
(gdb)
zend_error (type=2, format=<error type>) at zend.c:661
661 error_filename = zend_get_executed_filename(TSRMLS_C);
(gdb) print error_filename
$12 = <incomplete type>
(gdb) step
zend_get_executed_filename () at zend_execute_API.c:243
243 if (EG(active_op_array)) {
(gdb) print active_op_array
No symbol "active_op_array" in current context.
(gdb) step
244 return EG(active_op_array)->filename;
(gdb) print active_op_array
No symbol "active_op_array" in current context.
(gdb) print EG(active_op_array)->filename
No symbol "EG" in current context.
(gdb) step
zend_error (type=2, format=<error type>) at zend.c:662
662 error_lineno = zend_get_executed_lineno(TSRMLS_C);
(gdb) print error_filename
$13 = <incomplete type>
(gdb)
$14 = <incomplete type>
(gdb) step
zend_get_executed_lineno () at zend_execute_API.c:253
253 if (EG(opline_ptr)) {
(gdb) print opline_ptr
No symbol "opline_ptr" in current context.
(gdb) step
254 return active_opline->lineno;
(gdb) print filename
No symbol "filename" in current context.
(gdb) step

Program received signal SIGSEGV, Segmentation fault.
zend_get_executed_lineno () at zend_execute_API.c:254
254 return active_opline->lineno;
(gdb) bt
#0 zend_get_executed_lineno () at zend_execute_API.c:254
#1 0xec1bc in zend_error (type=2, format=<error type>) at zend.c:662
#2 0xf5d30 in php_checkuid (filename=0x1d2180 'x' <repeats 200 times>..., fopen_mode=0xefffe118 'x' <repeats 200 times>..., mode=0) at safe_mode.c:83
#3 0x31de4 in php_fopen_url_wrapper (path=<error type>, mode=<error type>, options=2021161080, issock=<incomplete type>, socketd=<incomplete type>, opened_path=<error type>) at fopen_wrappers.c:582
Cannot access memory at address 0x787878b0.
(gdb)


Previous Comments:
------------------------------------------------------------------------

[2002-03-07 03:27:46] [EMAIL PROTECTED]

Can't reproduce it on Linux as well. Could be related to some Solaris weirdness.
Example script works fine if safe_mode is turned off.
I'll test with latest snapshots today.

cheers
axelm

------------------------------------------------------------------------

[2002-03-06 12:55:49] [EMAIL PROTECTED]

Does it only happen with safe_mode on?

Derick

------------------------------------------------------------------------

[2002-03-06 12:53:03] [EMAIL PROTECTED]

Can't reproduce this problem with latest CVS on Linux (don't have Solaris test environment). Can you test with CVS?

------------------------------------------------------------------------

[2002-03-06 12:16:07] [EMAIL PROTECTED]

Sorry, gdb output was duplicated during cut'n'paste.

------------------------------------------------------------------------

[2002-03-06 12:06:58] [EMAIL PROTECTED]

Just investigated, it happens if the path name is longer than 1980 characters: PHP works with 1980 characters, crashes with 1981.
Forgot to mention that I use the CGI version of PHP.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/15905

--
Edit this bug report at http://bugs.php.net/?id=15905&edit=1