Edit report at https://bugs.php.net/bug.php?id=55121&edit=1

 ID:                 55121
 Updated by:         f...@php.net
 Reported by:        nbpo...@php.net
 Summary:            Segfault with multipart/form-data POST / 404 request
 Status:             Assigned
 Type:               Bug
 Package:            Built-in web server
 Operating System:   Ubuntu 10.04.2 LTS (64-bit)
 PHP Version:        5.4SVN-2011-07-03 (snap)
 Assigned To:        moriyoshi
 Block user comment: N
 Private report:     N

 New Comment:

Just tried this on Debian testing and 5_4-HEAD and can't reproduce it.

$ curl --form a=b "http://localhost:8000/file.php"
$ curl "http://localhost:8000/file2.php"

[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Request read
[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Response sent successfully (200)
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Request read
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - No such file or directory
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Sending error page (404)


Previous Comments:
------------------------------------------------------------------------
[2011-07-03 14:35:11] nbpo...@php.net

Description:
------------
The built-in webserver repeatably segfaults for me when I send the following 
requests (in this order):

1. A multipart/form-data POST request
2. A GET request for a non-existent file

Test script:
---------------
Create an empty (0 byte) PHP file named file.php. Start the webserver from that 
file's directory. Then run the following commands:

curl --form a=b http://127.0.0.1:8000/file.php
curl http://127.0.0.1:8000/does_not_exist

Expected result:
----------------
Requests should be returned by the server without segfaulting.

Actual result:
--------------
After the second request has been made, I receive a segfault:

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
(gdb) bt
#0  _zend_mm_free_int (heap=0xc91250, p=0xc889c8) at /home/nbpoole/php/php5.4-201107031630/Zend/zend_alloc.c:2100
#1  0x00000000006272f1 in destroy_uploaded_files_hash () at /home/nbpoole/php/php5.4-201107031630/main/rfc1867.c:199
#2  0x0000000000625585 in sapi_deactivate () at /home/nbpoole/php/php5.4-201107031630/main/SAPI.c:533
#3  0x000000000071fe81 in php_cli_server_send_error_page (server=<value optimized out>, client=<value optimized out>, status=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1524
#4  0x00000000007207c9 in php_cli_server_begin_send_static (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1635
#5  php_cli_server_dispatch (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1747
#6  php_cli_server_recv_event_read_request (server=0xc89ba0, client=0xdfecf0) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1890
#7  0x00000000007211ea in php_cli_server_do_event_for_each_fd_callback (_params=<value optimized out>, fd=<value optimized out>, event=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:1976
#8  0x000000000072185a in php_cli_server_poller_iter_on_active (argc=<value optimized out>, argv=<value optimized out>)
    at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:670
#9  php_cli_server_do_event_for_each_fd (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2002
#10 php_cli_server_do_event_loop (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2012
#11 do_cli_server (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli_server.c:2097
#12 0x000000000071a33e in main (argc=<value optimized out>, argv=<value optimized out>) at /home/nbpoole/php/php5.4-201107031630/sapi/cli/php_cli.c:1359



------------------------------------------------------------------------


