Edit report at http://bugs.php.net/bug.php?id=52944&edit=1
ID: 52944
Updated by: cataphr...@php.net
Reported by: svimik at mail dot ru
Summary: fclose: quiet script interruption
-Status: Open
+Status: Verified
Type: Bug
Package: *Network Functions
Operating System: Debian-50-lenny-64
PHP Version: 5.3.3
Block user comment: N

Previous Comments:
------------------------------------------------------------------------
[2010-09-28 21:58:55] cataphr...@php.net

I can confirm some sort of bug in both PHP 5.3.3 and trunk on Debian Lenny x64.

On trunk:

[Tue Sep 28 20:54:06 2010]  Script:  '-'
---------------------------------------
/tmp/trunk/ext/zlib/zlib_filter.c(165) : Block 0x7fba5a6120c0 status:
Beginning:      OK (allocated on /tmp/trunk/ext/zlib/zlib_filter.c:311, 2048 bytes)
      Start:      OK
        End:      Overflown (magic=0x00000018 instead of 0x5289A744)
                  At least 4 bytes overflown
---------------------------------------
done
[Tue Sep 28 20:54:06 2010]  Script:  '-'
/tmp/trunk/ext/zlib/zlib_filter.c(311) :  Freeing 0x7FBA5A6120C0 (2048 bytes), script=-
=== Total 1 memory leaks detected ===

On PHP 5.3.3 (sorry, not a debug build), there's a segfault:

#0  zend_mm_remove_from_free_list (heap=0x11fc290, mm_block=0x1407380) at /opt/php-5.3.3/Zend/zend_alloc.c:841
#1  0x000000000069613e in _zend_mm_free_int (heap=0x11fc290, p=0x1406b80) at /opt/php-5.3.3/Zend/zend_alloc.c:2019
#2  0x00007f029fa548c9 in php_zlib_inflate_dtor (thisfilter=<value optimized out>) at /opt/php-5.3.3/ext/zlib/zlib_filter.c:161
#3  0x0000000000678ae2 in php_stream_filter_free (filter=0x1409950) at /opt/php-5.3.3/main/streams/filter.c:312
#4  0x0000000000678b8a in php_stream_filter_remove (filter=0x0, call_dtor=1) at /opt/php-5.3.3/main/streams/filter.c:531
#5  0x000000000067559a in _php_stream_free (stream=0x14096a0, close_options=11) at /opt/php-5.3.3/main/streams/streams.c:369
#6  0x00000000006757d1 in stream_resource_regular_dtor (rsrc=<value optimized out>) at /opt/php-5.3.3/main/streams/streams.c:1426
#7  0x00000000006c34a2 in list_entry_destructor (ptr=0x14097e0) at /opt/php-5.3.3/Zend/zend_list.c:184
#8  0x00000000006c2566 in zend_hash_del_key_or_index (ht=0xc6e7b0, arKey=0x0, nKeyLength=0, h=2, flag=<value optimized out>) at /opt/php-5.3.3/Zend/zend_hash.c:497
#9  0x00000000006c3719 in _zend_list_delete (id=<value optimized out>) at /opt/php-5.3.3/Zend/zend_list.c:58
#10 0x00000000005fbd88 in zif_fclose (ht=<value optimized out>, return_value=0x1409228, return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, return_value_used=<value optimized out>) at /opt/php-5.3.3/ext/standard/file.c:928
#11 0x0000000000704cce in zend_do_fcall_common_helper_SPEC (execute_data=0x7f029f9ce050) at /opt/php-5.3.3/Zend/zend_vm_execute.h:316
#12 0x00000000006e0589 in execute (op_array=0x14067c8) at /opt/php-5.3.3/Zend/zend_vm_execute.h:107
#13 0x00000000006b349b in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-5.3.3/Zend/zend.c:1194
#14 0x000000000065e5e8 in php_execute_script (primary_file=0x7fff04d51350) at /opt/php-5.3.3/main/main.c:2260
#15 0x0000000000740717 in main (argc=1, argv=0x7fff04d515b8) at /opt/php-5.3.3/sapi/cli/php_cli.c:1192

------------------------------------------------------------------------
[2010-09-28 21:40:50] svimik at mail dot ru

Description:
------------
I don't know exactly whether it is a bug in the zlib filter or in streams, but this combination can produce a script crash without any error output.

Let's take some binary data like corrupted compressed data (not all random data produces a crash, so try the file from my example). Use stream_socket_pair with a zlib.inflate filter on the second socket, which is used for reading in my case. Use non-blocking streams. Then perform exactly the following sequence to produce the crash:

1. write corrupted data to socket 0
2. call fread for socket 1 (returns nothing as expected, because the string cannot be uncompressed)
3. call fclose for socket 0
4. try fread for socket 1 once again
5. call fclose for socket 1 - at this step the script dies.

Sorry, I can't make a backtrace on a production server, because it would be necessary to recompile PHP. Waiting for someone to confirm the bug.

Test script:
---------------
<?
error_reporting(E_ALL);
$sockets = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
stream_set_blocking($sockets[0], 0);
stream_set_blocking($sockets[1], 0);
stream_filter_append($sockets[1], "zlib.inflate", STREAM_FILTER_READ);
$in = file_get_contents("http://188.40.74.4/corrupted.gz");
$out = "";
fwrite($sockets[0], $in);          // 1. write corrupted data to socket 0
$out .= fread($sockets[1], 1);     // 2. read from socket 1 (returns nothing)
fclose($sockets[0]);               // 3. close socket 0
$out .= fread($sockets[1], 1);     // 4. read from socket 1 once again
echo "closing...";
fclose($sockets[1]);               // 5. close socket 1 - the script dies here
echo "done\r\n";
?>

Expected result:
----------------
Script should output "closing...done"

Actual result:
--------------
Script prints "closing..." but never "done"

------------------------------------------------------------------------
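One way to keep untrusted compressed input away from the filter teardown path described above, as an added example that is not part of the bug report: buffer the raw bytes from the socket first, then decompress them with gzinflate(), whose return value can be checked, instead of attaching zlib.inflate to the stream. The helper names read_nonblocking_all and inflate_untrusted, the output size cap, and the corrupted sample built by flipping bytes of a valid deflate stream are assumptions made for this example.

```php
<?php
// Added example (not from the bug report): decompress data arriving on an
// untrusted stream without attaching zlib.inflate to the stream itself.
// The bytes are buffered and handed to gzinflate(), whose false return on
// corrupt input is checked explicitly rather than relying on filter teardown.

function read_nonblocking_all($stream, $timeout_sec = 1) {
    $buf = '';
    while (true) {
        $r = array($stream); $w = null; $e = null;
        if (stream_select($r, $w, $e, $timeout_sec) < 1) {
            break;                       // nothing readable within the timeout
        }
        $chunk = fread($stream, 8192);
        if ($chunk === '' || $chunk === false) {
            break;                       // EOF (writer closed) or read error
        }
        $buf .= $chunk;
    }
    return $buf;
}

function inflate_untrusted($raw, $max_out = 1048576) {
    // gzinflate() returns false on corrupt or truncated deflate data; the
    // length cap (assumed value) bounds decompressed size against bomb-style input.
    $out = @gzinflate($raw, $max_out);
    return ($out === false) ? false : $out;
}

// Self-test with constructed data: a valid raw deflate stream and a copy
// with ten bytes flipped in the middle to simulate a corrupted payload.
$good = gzdeflate(str_repeat("payload ", 200));
$bad  = $good;
for ($i = 10; $i < 20 && $i < strlen($bad); $i++) {
    $bad[$i] = chr(ord($bad[$i]) ^ 0xFF);
}

$sockets = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
stream_set_blocking($sockets[1], 0);
fwrite($sockets[0], $bad);
fclose($sockets[0]);                     // writer done; reader will see EOF
$raw = read_nonblocking_all($sockets[1]);
fclose($sockets[1]);                     // plain socket: no filter to tear down

$result = inflate_untrusted($raw);
echo ($result === false)
    ? "rejected corrupt input\n"
    : "decompressed " . strlen($result) . " bytes\n";
```

Swapping $bad for $good in the fwrite call exercises the success path, so the same script checks both outcomes.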