Edit report at https://bugs.php.net/bug.php?id=55121&edit=1

 ID:                 55121
 Updated by:         f...@php.net
 Reported by:        nbpo...@php.net
 Summary:            Segfault with multipart/form-data POST / 404 request
-Status:             Assigned
+Status:             Feedback
 Type:               Bug
 Package:            Built-in web server
 Operating System:   Ubuntu 10.04.2 LTS (64-bit)
 PHP Version:        5.4SVN-2011-07-03 (snap)
 Assigned To:        moriyoshi
 Block user comment: N
 Private report:     N

 New Comment:

Could you please try if this fix works on OS X as well? Tested on Debian stable.


Previous Comments:
------------------------------------------------------------------------
[2011-07-25 16:45:42] f...@php.net

Automatic comment from SVN on behalf of fa
Revision: http://svn.php.net/viewvc/?view=revision&revision=313677
Log: Fix #55121 Segfault with multipart/form-data POST

------------------------------------------------------------------------
[2011-07-20 13:41:49] nbpo...@php.net

A similar segfault on OS X 10.6.7 can be caused using the original steps to reproduce:

$ curl --form a=b http://127.0.0.1:8000/file.php
$ curl http://127.0.0.1:8000/does_not_exist

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000002011b0b30
0x000000010024a3b5 in _zend_mm_free_int (heap=0x101000000, p=0x1006651e0) at zend_alloc.c:2097
2097	heap->size -= size;
(gdb) bt
#0  0x000000010024a3b5 in _zend_mm_free_int (heap=0x101000000, p=0x1006651e0) at zend_alloc.c:2097
#1  0x000000010021e6af in destroy_uploaded_files_hash () at rfc1867.c:199
#2  0x000000010021b252 in sapi_deactivate () at SAPI.c:535
#3  0x00000001002fd61e in php_cli_server_send_error_page (server=0x7fff5fbfa730, client=0x100b4e6f0, status=404) at php_cli_server.c:1525
#4  0x00000001002fb31e in php_cli_server_dispatch [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:1636
#5  0x00000001002fb31e in php_cli_server_recv_event_read_request (server=0x7fff5fbfe970, client=0x1006651e0) at php_cli_server.c:1924
#6  0x00000001002fcae5 in php_cli_server_do_event_for_each_fd_callback [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2010
#7  0x00000001002fcae5 in php_cli_server_do_event_for_each_fd [inlined] () at php_cli_server.c:671
#8  0x00000001002fcae5 in php_cli_server_poller_iter_on_active [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2046
#9  0x00000001002fcae5 in php_cli_server_do_event_loop [inlined] () at /Users/nbpoole/php-test/php5.4-201107201630/sapi/cli/php_cli_server.c:2036
#10 0x00000001002fcae5 in do_cli_server (argc=4, argv=0x10) at php_cli_server.c:2147
#11 0x00000001002f6aa4 in main (argc=1606415328, argv=0x7fff5fbff400) at php_cli.c:1359

------------------------------------------------------------------------
[2011-07-20 13:09:48] f...@php.net

I think the culprit lies in php_cli_server_client_populate_request_info in the line

request_info->content_type = *val;

which doesn't terminate correctly at ; and reads

multipart/form-data; boundary=----------------------------c1e04e412bff

instead of

multipart/form-data;
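The OS X backtrace above shows why the 404 request crashes: php_cli_server_send_error_page calls sapi_deactivate, which calls destroy_uploaded_files_hash on whatever SG(rfc1867_uploaded_files) still points at, even though no request startup ran for the 404 path. Below is an added, self-contained model of that lifecycle (not PHP's code and not the committed fix in r313677; the struct, the tracked allocator and the sample Content-Type header are assumptions constructed for the example). It replays the reporter's two requests against a deactivate that leaves the pointer dangling and against one that clears it, and counts how many times the same block would be freed twice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracked allocator (example-only): every block is recorded so that a
 * second free of the same pointer is counted instead of corrupting the
 * heap, which is what the real allocator (zend_alloc) did in the report. */
#define MAX_ALLOCS 64
static void *alloc_ptrs[MAX_ALLOCS];
static int   alloc_live[MAX_ALLOCS];
static int   alloc_count = 0;
static int   double_frees = 0;

static void *tracked_alloc(size_t sz) {
    void *p = calloc(1, sz);
    if (!p || alloc_count >= MAX_ALLOCS) abort();
    alloc_ptrs[alloc_count] = p;
    alloc_live[alloc_count] = 1;
    alloc_count++;
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < alloc_count; i++) {
        if (alloc_ptrs[i] == p) {
            if (!alloc_live[i]) { double_frees++; return; } /* stale pointer */
            alloc_live[i] = 0;
            free(p);
            return;
        }
    }
    abort(); /* freeing something that was never allocated */
}

static void tracked_reset(void) {
    for (int i = 0; i < alloc_count; i++)
        if (alloc_live[i]) free(alloc_ptrs[i]);
    alloc_count = 0;
    double_frees = 0;
}

/* Stand-in for SG(rfc1867_uploaded_files): the per-request hash the
 * multipart/form-data POST handler creates during request startup.
 * The structure is an assumption, not PHP's real HashTable. */
typedef struct { int n_files; } uploaded_files_hash;
static struct { uploaded_files_hash *rfc1867_uploaded_files; } SG;

/* Request startup: only a multipart POST allocates the hash. The built-in
 * server's 404 path (send_error_page) never runs this step. */
static void request_startup(const char *content_type) {
    if (content_type && strncmp(content_type, "multipart/form-data", 19) == 0) {
        SG.rfc1867_uploaded_files = tracked_alloc(sizeof(uploaded_files_hash));
        SG.rfc1867_uploaded_files->n_files = 1;
    }
}

/* Buggy: frees the hash but leaves the global pointing at freed memory. */
static void destroy_uploaded_files_hash_buggy(void) {
    tracked_free(SG.rfc1867_uploaded_files);
}

/* Hardened: clearing the pointer makes the next deactivate a no-op. */
static void destroy_uploaded_files_hash_fixed(void) {
    tracked_free(SG.rfc1867_uploaded_files);
    SG.rfc1867_uploaded_files = NULL;
}

/* Mirrors the check in sapi_deactivate: destroy only if the pointer is set. */
static void sapi_deactivate_model(int fixed) {
    if (SG.rfc1867_uploaded_files) {
        if (fixed) destroy_uploaded_files_hash_fixed();
        else       destroy_uploaded_files_hash_buggy();
    }
}

/* Replays the reporter's sequence: multipart POST, then a 404 that goes
 * straight to deactivate. Returns how many double frees were caught. */
static int replay(int fixed) {
    tracked_reset();
    SG.rfc1867_uploaded_files = NULL;
    /* curl --form a=b http://127.0.0.1:8000/file.php  (header is constructed) */
    request_startup("multipart/form-data; boundary=----example");
    sapi_deactivate_model(fixed);
    /* curl http://127.0.0.1:8000/does_not_exist : error page, no startup */
    sapi_deactivate_model(fixed);
    return double_frees;
}

int main(void) {
    printf("dangling pointer: %d double free(s)\n", replay(0));
    printf("pointer cleared:  %d double free(s)\n", replay(1));
    return 0;
}
```

The model only shows the ordering problem (a deactivate without a matching activate reusing last request's pointer); whether the real fix belongs in the hash destructor or in the CLI server's error path is not something this thread settles.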
------------------------------------------------------------------------
[2011-07-20 11:21:47] nbpo...@php.net

Hmm, previous test-case is no longer working for me either. Try the following:

$ curl --form a=b "http://localhost:8000/file.php"
$ curl "http://localhost:8000/file2.php"
$ curl "http://localhost:8000/file2.php"
$ curl --form a=b "http://localhost:8000/file.php"

It results in a different segfault.

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
1906	heap->cache[index] = best_fit->prev_free_block;
(gdb) bt
#0  _zend_mm_alloc_int (heap=0x8649170, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:1906
#1  0x082a79f0 in _ecalloc (nmemb=1, size=40) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_alloc.c:2556
#2  0x08275fc5 in multipart_buffer_new (content_type_dup=<value optimized out>, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:283
#3  rfc1867_post_handler (content_type_dup=<value optimized out>, arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/rfc1867.c:749
#4  0x08273b46 in sapi_handle_post (arg=0xb7fc42f8) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/SAPI.c:182
#5  0x0827a628 in php_default_treat_data (arg=0, str=0x0, destArray=0x0) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:330
#6  0x082792aa in php_auto_globals_create_post (name=0xb7ea9bf4 "_POST", name_len=5) at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:690
#7  0x082a7d45 in zend_auto_global_init (auto_global=0x86524b8) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6233
#8  0x082d564f in zend_hash_apply (ht=0x8649478, apply_func=0x82a7d20 <zend_auto_global_init>) at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_hash.c:716
#9  0x082b523b in zend_activate_auto_globals () at /home/nbpoole/Desktop/php/php5.4-201107201430/Zend/zend_compile.c:6243
#10 0x0827a7df in php_hash_environment () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/php_variables.c:650
#11 0x0826ba5d in php_request_startup () at /home/nbpoole/Desktop/php/php5.4-201107201430/main/main.c:1493
#12 0x0836e610 in php_cli_server_dispatch_script (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1599
#13 0x0836e8f5 in php_cli_server_dispatch (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1755
#14 php_cli_server_recv_event_read_request (server=0x86443c0, client=0x872d900) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:1924
#15 0x0836f0ff in php_cli_server_do_event_for_each_fd_callback (_params=0xbfffe15c, fd=6, event=1) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2015
#16 0x0836fbd7 in php_cli_server_poller_iter_on_active (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:671
#17 php_cli_server_do_event_for_each_fd (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2036
#18 php_cli_server_do_event_loop (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2046
#19 do_cli_server (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli_server.c:2147
#20 0x08368143 in main (argc=3, argv=0xbffff394) at /home/nbpoole/Desktop/php/php5.4-201107201430/sapi/cli/php_cli.c:1359

This was done with the latest 5.4 from snaps.

------------------------------------------------------------------------
[2011-07-20 06:50:25] f...@php.net

Just tried this on Debian testing and 5_4-HEAD and can't reproduce it.

$ curl --form a=b "http://localhost:8000/file.php"
$ curl "http://localhost:8000/file2.php"

[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Request read
[Wed Jul 20 12:50:05 2011] ::1:50522 POST /file.php - Response sent successfully (200)
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Request read
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - No such file or directory
[Wed Jul 20 12:50:13 2011] ::1:50523 GET /file.txt - Sending error page (404)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=55121