Edit report at https://bugs.php.net/bug.php?id=61964&edit=1
ID:                 61964
Updated by:         larue...@php.net
Reported by:        ni...@php.net
Summary:            finfo_open with directory causes invalid free
Status:             Open
Type:               Bug
Package:            Filesystem function related
PHP Version:        master-Git-2012-05-06 (Git)
Block user comment: N
Private report:     N

New Comment:

libmagic obviously supports dir, but PHP does not. I think you asked the wrong guy and the wrong question.

What I mean is, libmagic needs a big operation, not just one and one little suture. Before this, we can just be consistent with what the doc says: "no directory supported".

Thanks

Previous Comments:
------------------------------------------------------------------------
[2012-05-24 18:25:18] fel...@php.net

Hi, I got a crash when running the following code in the php-src root dir using your patch (pull-request):

<?php
finfo_open(FILEINFO_NONE, ".");

(gdb) r ../bug.php
Starting program: /home/felipe/dev/php5_3/sapi/cli/php ../bug.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
memset () at ../sysdeps/i386/i686/memset.S:85
85 ../sysdeps/i386/i686/memset.S: No such file or directory.
 in ../sysdeps/i386/i686/memset.S
Current language: auto
The current source language is "auto; currently asm".
(gdb) bt
#0 memset () at ../sysdeps/i386/i686/memset.S:85
#1 0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
#2 0x081b1a55 in load_1 (ms=0x89baeac, action=0, fn=0x89d4e48 "/home/felipe/dev/php5_3/acinclude.m4", errs=0xbfffae70, marray=0xbfffae6c, marraycount=0xbfffae68)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:733
#3 0x081b1df8 in apprentice_load (ms=0x89baeac, magicp=0xbfffaef0, nmagicp=0xbfffaeec, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:812
#4 0x081b0ebd in apprentice_1 (ms=0x89baeac, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0, mlist=0x89bb33c)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:275
#5 0x081b1180 in file_apprentice (ms=0x89baeac, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:369
#6 0x081bb662 in magic_load (ms=0x89baeac, magicfile=0xbfffafb4 "/home/felipe/dev/php5_3")
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/magic.c:308
#7 0x081b003d in zif_finfo_open (ht=2, return_value=0x89ba6b4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x8874050)
    at /home/felipe/dev/php5_3/ext/fileinfo/fileinfo.c:350
#8 0x084673bd in zend_do_fcall_common_helper_SPEC (execute_data=0x89e924c, tsrm_ls=0x8874050)
    at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:320
#9 0x0846bac4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x89e924c, tsrm_ls=0x8874050)
    at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:1640
---Type <return> to continue, or q <return> to quit---
#10 0x08466656 in execute (op_array=0x89badec, tsrm_ls=0x8874050)
    at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:107
#11 0x08433ee9 in zend_execute_scripts (type=8, tsrm_ls=0x8874050, retval=0x0, file_count=3)
    at /home/felipe/dev/php5_3/Zend/zend.c:1236
#12 0x083ae512 in php_execute_script (primary_file=0xbffff434, tsrm_ls=0x8874050)
    at /home/felipe/dev/php5_3/main/main.c:2308
#13 0x08510211 in main (argc=2, argv=0xbffff5b4)
    at /home/felipe/dev/php5_3/sapi/cli/php_cli.c:1189
(gdb) f 1
#1 0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
1178 (void)memset(m, 0, sizeof(*m));
Current language: auto
The current source language is "auto; currently c".
(gdb) p m
$1 = (struct magic *) 0x1d0

------------------------------------------------------------------------
[2012-05-24 18:00:59] reeze dot xia at gmail dot com

Hi,
I've sent the file lib author, he replied it was intended to support dir open.

And I sent a Pull Request: https://github.com/php/php-src/pull/91

@felipe will you take a look?

Thanks.

------------------------------------------------------------------------
[2012-05-13 11:03:52] ni...@php.net

Reeze already has a patch which fixes this issue and several related memory leaks. Though I can't find it anywhere now :/

------------------------------------------------------------------------
[2012-05-13 10:56:10] larue...@php.net

Then I think we can simply prevent the directory parameter.

------------------------------------------------------------------------
[2012-05-09 23:37:07] fel...@php.net

In fact the libmagic code seems not prepared to work with a directory; even alloc'ing the data properly and freeing, it causes memleaks in other parts.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=61964

--
Edit this bug report at https://bugs.php.net/bug.php?id=61964&edit=1
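
A caller-side guard in the spirit of the "prevent directory parameter" approach discussed in the thread, as an added example that is not part of the original report, the pull request, or php-src. The helper name safe_finfo_open is hypothetical, and the code assumes PHP 7.1 or later for the nullable type.

```php
<?php
/**
 * Hypothetical helper (not part of PHP or of the patch in this report):
 * only hand libmagic a readable regular file as the magic database,
 * so a directory such as "." never reaches magic_load().
 */
function safe_finfo_open(int $flags = FILEINFO_NONE, ?string $magicPath = null)
{
    if ($magicPath === null) {
        // Bundled magic database: no caller-supplied path is involved.
        $finfo = finfo_open($flags);
    } else {
        // Resolve symlinks and "."/".." first, so the checks below apply
        // to the real target and not to the name the caller supplied.
        $real = realpath($magicPath);
        if ($real === false) {
            throw new InvalidArgumentException("magic file not found: $magicPath");
        }
        if (is_dir($real)) {
            throw new InvalidArgumentException("magic path is a directory: $real");
        }
        if (!is_file($real) || !is_readable($real)) {
            throw new InvalidArgumentException("magic path is not a readable regular file: $real");
        }
        // The path can still change between the checks and this call, so
        // keep magic databases in a location untrusted users cannot write.
        $finfo = finfo_open($flags, $real);
    }

    if ($finfo === false) {
        throw new RuntimeException('finfo_open() failed to load the magic database');
    }
    return $finfo;
}

// Constructed usage: the reproducer's argument from the report is rejected
// before libmagic is asked to parse every file in the directory.
try {
    safe_finfo_open(FILEINFO_NONE, '.');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```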