Edit report at https://bugs.php.net/bug.php?id=61964&edit=1

 ID:                 61964
 Updated by:         s...@php.net
 Reported by:        ni...@php.net
 Summary:            finfo_open with directory causes invalid free
-Status:             Open
+Status:             Closed
 Type:               Bug
 Package:            Filesystem function related
 PHP Version:        master-Git-2012-05-06 (Git)
-Assigned To:
+Assigned To:        stas
 Block user comment: N
 Private report:     N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------
[2012-07-15 01:53:27] s...@php.net

Automatic comment on behalf of reeze....@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1d2f61904987133d542c68cd349cf313d0bef1c8
Log: Fixed bug #61964 (finfo_open with directory cause invalid free)

------------------------------------------------------------------------
[2012-05-25 11:07:29] reeze dot xia at gmail dot com

Hi,
@Felipe I've updated the patch, I made a simple reproducible magic file: string > A > B and I add it to the test file. (file command itself will leak when use this magic file).

@Laruence the reason why I ask Christos Zoulas is you mentioned load multiple magic file may lead problem, then I asked him.

Anyway, the crash is a problem of finfo and the fprintf thing, maybe more need to be done.

------------------------------------------------------------------------
[2012-05-25 02:03:33] larue...@php.net

libmagic is obviously support dir, but PHP is not, I think you asked the wrong guy and wrong question.

what I mean is, libmagic need a big operation, not just one and one little suture, before this, we can just be consistent with the doc said: 'no directory supported'

thanks

------------------------------------------------------------------------
[2012-05-24 18:25:18] fel...@php.net

Hi, I got a crash when running the following code in the php-src root dir using your patch (pull-request):

<?php
finfo_open(FILEINFO_NONE, ".");

(gdb) r ../bug.php
Starting program: /home/felipe/dev/php5_3/sapi/cli/php ../bug.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
memset () at ../sysdeps/i386/i686/memset.S:85
85      ../sysdeps/i386/i686/memset.S: No such file or directory.
        in ../sysdeps/i386/i686/memset.S
Current language:  auto
The current source language is "auto; currently asm".
(gdb) bt
#0  memset () at ../sysdeps/i386/i686/memset.S:85
#1  0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0) at
    /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
#2  0x081b1a55 in load_1 (ms=0x89baeac, action=0, fn=0x89d4e48 "/home/felipe/dev/php5_3/acinclude.m4", errs=0xbfffae70, marray=0xbfffae6c, marraycount=0xbfffae68) at
    /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:733
#3  0x081b1df8 in apprentice_load (ms=0x89baeac, magicp=0xbfffaef0, nmagicp=0xbfffaeec, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0) at
    /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:812
#4  0x081b0ebd in apprentice_1 (ms=0x89baeac, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0, mlist=0x89bb33c) at
    /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:275
#5  0x081b1180 in file_apprentice (ms=0x89baeac, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0) at
    /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:369
#6  0x081bb662 in magic_load (ms=0x89baeac, magicfile=0xbfffafb4 "/home/felipe/dev/php5_3") at
    /home/felipe/dev/php5_3/ext/fileinfo/libmagic/magic.c:308
#7  0x081b003d in zif_finfo_open (ht=2, return_value=0x89ba6b4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x8874050) at
    /home/felipe/dev/php5_3/ext/fileinfo/fileinfo.c:350
#8  0x084673bd in zend_do_fcall_common_helper_SPEC (execute_data=0x89e924c, tsrm_ls=0x8874050) at
    /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:320
#9  0x0846bac4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x89e924c, tsrm_ls=0x8874050) at
    /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:1640
---Type <return> to continue, or q <return> to quit---
#10 0x08466656 in execute (op_array=0x89badec, tsrm_ls=0x8874050) at
    /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:107
#11 0x08433ee9 in zend_execute_scripts (type=8, tsrm_ls=0x8874050, retval=0x0, file_count=3) at
    /home/felipe/dev/php5_3/Zend/zend.c:1236
#12 0x083ae512 in php_execute_script (primary_file=0xbffff434, tsrm_ls=0x8874050) at
    /home/felipe/dev/php5_3/main/main.c:2308
#13 0x08510211 in main (argc=2, argv=0xbffff5b4) at
    /home/felipe/dev/php5_3/sapi/cli/php_cli.c:1189
(gdb) f 1
#1  0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0) at
    /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
1178            (void)memset(m, 0, sizeof(*m));
Current language:  auto
The current source language is "auto; currently c".
(gdb) p m
$1 = (struct magic *) 0x1d0

------------------------------------------------------------------------
[2012-05-24 18:00:59] reeze dot xia at gmail dot com

Hi,
I've sent the file lib author, he replied it was intended to support dir open.

and I sent a Pull Request: https://github.com/php/php-src/pull/91

@felipe will you take a look?

Thanks.

------------------------------------------------------------------------


The remainder of the comments for this report are too long.
To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=61964