
 ID:                 61964
 Comment by:         reeze dot xia at gmail dot com
 Reported by:        ni...@php.net
 Summary:            finfo_open with directory causes invalid free
 Status:             Open
 Type:               Bug
 Package:            Filesystem function related
 PHP Version:        master-Git-2012-05-06 (Git)
 Block user comment: N
 Private report:     N

 New Comment:

Hi,
  @Felipe I've updated the patch. I made a simple reproducible magic file:
string
> A
> B

and I added it to the test file. (The file command itself will leak when using this
magic file.)

@Laruence
The reason I asked Christos Zoulas is that you mentioned loading multiple magic files
may lead to problems, so I asked him.

Anyway, the crash is a problem in finfo and the fprintf thing; maybe more needs
to be done.


Previous Comments:
------------------------------------------------------------------------
[2012-05-25 02:03:33] larue...@php.net

libmagic obviously supports dirs, but PHP does not; I think you asked the wrong
guy and the wrong question.

What I mean is, libmagic needs a big operation, not just one little suture here
and there; before that, we can just be consistent with what the doc says: 'no
directory supported'.

thanks

------------------------------------------------------------------------
[2012-05-24 18:25:18] fel...@php.net

Hi, I got a crash when running the following code in the php-src root dir using 
your patch (pull-request):

<?php
finfo_open(FILEINFO_NONE, ".");

(gdb) r ../bug.php 
Starting program: /home/felipe/dev/php5_3/sapi/cli/php ../bug.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
memset () at ../sysdeps/i386/i686/memset.S:85
85      ../sysdeps/i386/i686/memset.S: No such file or directory.
        in ../sysdeps/i386/i686/memset.S
Current language:  auto
The current source language is "auto; currently asm".
(gdb) bt
#0  memset () at ../sysdeps/i386/i686/memset.S:85
#1  0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, 
line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
#2  0x081b1a55 in load_1 (ms=0x89baeac, action=0, fn=0x89d4e48 
"/home/felipe/dev/php5_3/acinclude.m4", errs=0xbfffae70, marray=0xbfffae6c, 
marraycount=0xbfffae68)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:733
#3  0x081b1df8 in apprentice_load (ms=0x89baeac, magicp=0xbfffaef0, 
nmagicp=0xbfffaeec, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:812
#4  0x081b0ebd in apprentice_1 (ms=0x89baeac, fn=0x89baf58 
"/home/felipe/dev/php5_3", action=0, mlist=0x89bb33c) at 
/home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:275
#5  0x081b1180 in file_apprentice (ms=0x89baeac, fn=0x89baf58 
"/home/felipe/dev/php5_3", action=0) at 
/home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:369
#6  0x081bb662 in magic_load (ms=0x89baeac, magicfile=0xbfffafb4 
"/home/felipe/dev/php5_3") at 
/home/felipe/dev/php5_3/ext/fileinfo/libmagic/magic.c:308
#7  0x081b003d in zif_finfo_open (ht=2, return_value=0x89ba6b4, 
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x8874050)
    at /home/felipe/dev/php5_3/ext/fileinfo/fileinfo.c:350
#8  0x084673bd in zend_do_fcall_common_helper_SPEC (execute_data=0x89e924c, 
tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:320
#9  0x0846bac4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x89e924c, 
tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:1640
#10 0x08466656 in execute (op_array=0x89badec, tsrm_ls=0x8874050) at 
/home/felipe/dev/php5_3/Zend/zend_vm_execute.h:107
#11 0x08433ee9 in zend_execute_scripts (type=8, tsrm_ls=0x8874050, retval=0x0, 
file_count=3) at /home/felipe/dev/php5_3/Zend/zend.c:1236
#12 0x083ae512 in php_execute_script (primary_file=0xbffff434, 
tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/main/main.c:2308
#13 0x08510211 in main (argc=2, argv=0xbffff5b4) at 
/home/felipe/dev/php5_3/sapi/cli/php_cli.c:1189
(gdb) f 1
#1  0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, 
line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0)
    at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
1178                    (void)memset(m, 0, sizeof(*m));
Current language:  auto
The current source language is "auto; currently c".
(gdb) p m
$1 = (struct magic *) 0x1d0

------------------------------------------------------------------------
[2012-05-24 18:00:59] reeze dot xia at gmail dot com

Hi,
I've sent it to the file lib author; he replied it was intended to support
dir open. And I sent a Pull Request: https://github.com/php/php-src/pull/91

@felipe will you take a look?

Thanks.

------------------------------------------------------------------------
[2012-05-13 11:03:52] ni...@php.net

Reeze already has a patch which fixes this issue and several related memory 
leaks. Though I can't find it anywhere now :/

------------------------------------------------------------------------
[2012-05-13 10:56:10] larue...@php.net

Then I think we can simply prevent the directory parameter.

------------------------------------------------------------------------
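
The guard laruence proposes above (refuse a directory as the magic database, consistent
with the documented 'no directory supported'), written as an added PHP userland example.
It is not code from this bug report or from php-src; the wrapper name safe_finfo_open()
is made up for illustration, and it assumes PHP 7.1 or later for the nullable type hint.
It rejects Felipe's reproducer, finfo_open(FILEINFO_NONE, "."), before libmagic ever
tries to walk the directory as a set of magic files.

```php
<?php
// Added example (not from the bug report or php-src). Hypothetical userland
// wrapper that enforces what the finfo_open() docs promise: the magic
// database argument is a regular file, never a directory. On the build in
// this report a directory made libmagic's apprentice_load() read every file
// under it as a magic source and segfault in parse(); refusing the path up
// front keeps the argument from reaching libmagic at all.

function safe_finfo_open(int $flags = FILEINFO_NONE, ?string $magicFile = null)
{
    // null or "" selects the compiled-in default database; nothing to check.
    if ($magicFile === null || $magicFile === '') {
        $finfo = finfo_open($flags);
    } else {
        if (!file_exists($magicFile)) {
            throw new InvalidArgumentException("magic database does not exist: $magicFile");
        }
        if (is_dir($magicFile)) {
            // Felipe's reproducer, finfo_open(FILEINFO_NONE, "."), is stopped here.
            throw new InvalidArgumentException(
                "magic database must be a regular file, not a directory: $magicFile");
        }
        if (!is_readable($magicFile)) {
            throw new InvalidArgumentException("magic database is not readable: $magicFile");
        }
        $finfo = finfo_open($flags, $magicFile);
    }

    // finfo_open() returns false on failure (resource on PHP 5/7, finfo object on PHP 8).
    if ($finfo === false) {
        throw new RuntimeException("finfo_open() failed");
    }
    return $finfo;
}

// Usage: the directory case is rejected, the default database still works.
try {
    safe_finfo_open(FILEINFO_NONE, '.');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

$finfo = safe_finfo_open(FILEINFO_MIME_TYPE);
echo finfo_file($finfo, __FILE__), "\n";
finfo_close($finfo);
```

The is_dir() check and the finfo_open() call are not atomic, so this is a guard
against passing the wrong kind of path, not a defence against a racing attacker
who can swap the file for a directory between the two calls; the proper fix
belongs in ext/fileinfo itself, which is what the thread's patch is about.
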


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=61964

