ID: 48518 Updated by: ras...@php.net Reported By: tony2...@php.net Status: Closed Bug Type: Reproducible crash Operating System: Linux PHP Version: 5.3CVS-2009-06-10 (CVS) Assigned To: iliaa New Comment:
It looks like the fix for this broke this case: <?php $url = 'http://slowgeek.com/test.xml'; $cfile = '/var/tmp/test_'.$prefix.md5($url).'.xml'; $ch = curl_init(); curl_setopt($ch, CURLOPT_FILE, $fp = fopen($cfile,'w')); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_TIMEOUT, 60); curl_setopt($ch, CURLOPT_URL, $url); $status = curl_exec($ch); if(!$status) echo curl_error($ch); fclose($fp); curl_close($ch); $data = file_get_contents($cfile); var_dump($data); // 0 bytes here fflush($fp); // fflush after the fclose?? $data = file_get_contents($cfile); var_dump($data); // full contents here Previous Comments: ------------------------------------------------------------------------ [2009-06-15 12:39:04] il...@php.net This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. ------------------------------------------------------------------------ [2009-06-10 13:41:23] tony2...@php.net Found another piece of strange code: PHP_FUNCTION(curl_exec) .... ch->uses++; if (ch->handlers->write->method == PHP_CURL_RETURN && ch->handlers->write->buf.len > 0) { --ch->uses; smart_str_0(&ch->handlers->write->buf); RETURN_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 1); } --ch->uses; ... What's the point in uses++ and immediate uses-- ? ------------------------------------------------------------------------ [2009-06-10 12:51:21] tony2...@php.net Description: ------------ curl_setopt() doesn't increase reference count of file pointers passed along with CURLOPT_FILE and CURLOPT_WRITEHEADER options, which leads to invalid read/writes and as a result - random crashes because FILE* pointer is destroyed before write(). Simple patch fixes this problem, but there is another one to consider: should the refcount be decreased when closing the cURL handle? Patch proposed: http://dev.daylessday.org/diff/curl_write_handle.diff Reproduce code: --------------- <?php $tmp_dir = "/tmp/2"; $urls = array( 'http://ru.php.net/manual/en/function.curl-errno.php', 'http://ru.php.net/manual/en/function.curl-multi-close.php', 'http://ru.php.net/manual/en/function.curl-multi-getcontent.php', 'http://ru.php.net/manual/en/function.curl-multi-remove-handle.php', ); $mh = curl_multi_init(); foreach ($urls as $url) { $ch = curl_init(); $tmp_url = parse_url($url); $tmp_file = $tmp_dir."/".basename($tmp_url['path']); $fp = fopen($tmp_file, "w"); curl_setopt($ch, CURLOPT_RETURNTRANSFER,0); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FILE, $fp); curl_multi_add_handle($mh, $ch); } $running = 0; do { curl_multi_exec($mh, $running); } while ($running > 0); ?> Actual result: -------------- ==29222== Invalid read of size 2 ==29222== at 0x60411F9: fwrite (in /lib64/libc-2.8.so) ==29222== by 0x45078F: curl_write (interface.c:882) ==29222== by 0x5738691: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5750CC2: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x574D8F3: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5752F7B: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x575380A: curl_multi_perform (in /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x45736A: zif_curl_multi_exec (multi.c:216) ==29222== by 0x6340F6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313) ==29222== by 0x639955: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1601) ==29222== by 0x633386: execute (zend_vm_execute.h:104) ==29222== by 0x6045FA: zend_execute_scripts (zend.c:1188) ==29222== by 0x58FFDE: php_execute_script (main.c:2171) ==29222== by 0x6E904A: main (php_cli.c:1188) ==29222== Invalid write of size 8 ==29222== at 0x6041245: fwrite (in /lib64/libc-2.8.so) ==29222== by 0x45078F: curl_write (interface.c:882) ==29222== by 0x5738691: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5750CC2: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x574D8F3: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x5752F7B: (within /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x575380A: curl_multi_perform (in /usr/lib64/libcurl.so.4.0.1) ==29222== by 0x45736A: zif_curl_multi_exec (multi.c:216) ==29222== by 0x6340F6: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:313) ==29222== by 0x639955: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:1601) ==29222== by 0x633386: execute (zend_vm_execute.h:104) ==29222== by 0x6045FA: zend_execute_scripts (zend.c:1188) ==29222== by 0x58FFDE: php_execute_script (main.c:2171) ==29222== by 0x6E904A: main (php_cli.c:1188) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=48518&edit=1
