Edit report at https://bugs.php.net/bug.php?id=64836&edit=1
ID: 64836
User updated by: r dot biegel at gmx dot at
Reported by: r dot biegel at gmx dot at
Summary: segfault in softmagic.c
-Status: Feedback
+Status: Assigned
Type: Bug
Package: Unknown/Other Function
Operating System: Gentoo Linux
PHP Version: 5.4.15
Assigned To: ab
Block user comment: N
Private report: N

New Comment:

I used this little script to test the finfo_file function on its own. It crashes in Apache (if the file $fn exists; the file type doesn't matter), but it works on CLI:

<?php
$finfo = finfo_open();
$fn = "index.html";
echo "File ".$fn." is of type ".finfo_file($finfo,$fn);
finfo_close($finfo);
?>

So I thought it had something to do with Apache, and it turned out that disabling SVN DAV in Apache (not using -D SVN) fixes the problem. How can I investigate further? Btw, I already upgraded from Apache 2.2 to 2.4 before my first report.

Here is another (more detailed) bt:

Thread 28 (Thread 0x7fffd9feb700 (LWP 24821)):
#0  0x00007fffeeec2e6b in mget (ms=0x7fffd411c5f0, s=0x7fffd8896030 "GIF89a", m=0x7fffd8a69268, nbytes=1218, o=0, cont_level=0, mode=32, text=0, flip=0, recursion_level=1, printed_something=0x7fffd9fe7dd4, need_separator=0x7fffd9fe7dd8, returnval=0x7fffd9fe7d24) at ext/fileinfo/libmagic/softmagic.c:1610
        off = 0
        soffset = 410814606
        offset = 0
        count = 0
        rv = -207172457
        oneed_separator = 994741513
        sbuf = 0x5cb76acd3615aac9 <Address 0x5cb76acd3615aac9 out of bounds>
        rbuf = 0x8efc10f4e7cb6d6d <Address 0x8efc10f4e7cb6d6d out of bounds>
        p = 0x7fffd411c660
        ml = {magic = 0x180ffedff931d7c7, nmagic = 1473718312, map = 0xd8c865c8, next = 0x7fffd411c5f0, prev = 0x1a09a2a9d9c97089}
#1  0x00007fffeeebede8 in match (ms=0x7fffd411c5f0, magic=0x7fffd89170e8, nmagic=9629, s=0x7fffd8896030 "GIF89a", nbytes=1218, offset=0, mode=32, text=0, flip=0, recursion_level=0, printed_something=0x7fffd9fe7dd4, need_separator=0x7fffd9fe7dd8, returnval=0x7fffd9fe7d24) at ext/fileinfo/libmagic/softmagic.c:157
        flush = 0
        m = 0x7fffd8a69268
        magindex = 5584
        cont_level = 0
        returnvalv = 0
        e = -647236122
        firstline = 1
        print = 0
#2  0x00007fffeeebeb19 in file_softmagic (ms=0x7fffd411c5f0, buf=0x7fffd8896030 "GIF89a", nbytes=1218, mode=32, text=0) at ext/fileinfo/libmagic/softmagic.c:82
        ml = 0x7fffd40efb50
        rv = 32767
        printed_something = 0
        need_separator = 0
#3  0x00007fffeeebc3a5 in file_buffer (ms=0x7fffd411c5f0, stream=0x7fffd8d70388, inname=0x0, buf=0x7fffd8896030, nb=1218) at ext/fileinfo/libmagic/funcs.c:238
        m = 0
        rv = 0
        looks_text = 0
        mime = 16
        ubuf = 0x7fffd8896030 "GIF89a"
        u8buf = 0x7fffd4255aa0
        ulen = 3
        code = 0x0
        code_mime = 0x7fffef6f618f "binary"
        type = 0x7fffef6f5f84 "binary"
#4  0x00007fffeeebd698 in file_or_stream (ms=0x7fffd411c5f0, inname=0x0, stream=0x7fffd8d70388) at ext/fileinfo/libmagic/magic.c:413
        rv = -1
        buf = 0x7fffd8896030 "GIF89a"
        sb = {st_dev = 2058, st_ino = 105911862, st_nlink = 1, st_mode = 33188, st_uid = 81, st_gid = 81, __pad0 = 0, st_rdev = 0, st_size = 1218, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1322087240, tv_nsec = 505034622}, st_mtim = {tv_sec = 1276182426, tv_nsec = 0}, st_ctim = {tv_sec = 1368462842, tv_nsec = 483233520}, __unused = {0, 0, 0}}
        nbytes = 1218
        no_in_stream = 0
        tsrm_ls = 0x7fffd40068f0
#5  0x00007fffeeebd441 in magic_stream (ms=0x7fffd411c5f0, stream=0x7fffd8d70388) at ext/fileinfo/libmagic/magic.c:345
No locals.
#6  0x00007fffeeeae9b8 in _php_finfo_get_type (ht=2, return_value=0x7fffd49f1e50, return_value_ptr=0x0, this_ptr=0x7fffd49f3d58, return_value_used=1, tsrm_ls=0x7fffd40068f0, mode=2, mimetype_emu=0) at ext/fileinfo/fileinfo.c:540
        stream = 0x7fffd8d70388
        context = 0x7fffd8b84610
        tmp2 = 0x7fffd49db410 "/xxx/yyy/zzz/fileadmin/template/head.gif"
        wrap = 0x7fffefb6c700 <php_plain_files_wrapper>
        ssb = {sb = {st_dev = 2058, st_ino = 105911862, st_nlink = 1, st_mode = 33188, st_uid = 81, st_gid = 81, __pad0 = 0, st_rdev = 0, st_size = 1218, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1322087240, tv_nsec = 505034622}, st_mtim = {tv_sec = 1276182426, tv_nsec = 0}, st_ctim = {tv_sec = 1368462842, tv_nsec = 483233520}, __unused = {0, 0, 0}}}
        options = 16
        ret_val = 0x0
        buffer = 0x7fffd49db410 "/xxx/yyy/zzz/fileadmin/template/head.gif"
        buffer_len = 53
        finfo = 0x7fffd49e7e08
        zfinfo = 0x7fffef8234f1
        zcontext = 0x0
        what = 0x7fffef8234fc
        mime_directory = "directory"
        magic = 0x7fffd411c5f0
        object = 0x7fffd49f3d58
#7  0x00007fffeeeaec40 in zif_finfo_file (ht=2, return_value=0x7fffd49f1e50, return_value_ptr=0x0, this_ptr=0x7fffd49f3d58, return_value_used=1, tsrm_ls=0x7fffd40068f0) at ext/fileinfo/fileinfo.c:578
No locals.
#8  0x00007fffef2f0da2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e61c98, tsrm_ls=0x7fffd40068f0) at Zend/zend_vm_execute.h:643
        ret = 0x7ffff7e61e28
        opline = 0x7fffd4903300
        should_change_scope = 1 '\001'
        fbc = 0x555555b0ef20
#9  0x00007fffef2f220e in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7e61c98, tsrm_ls=0x7fffd40068f0) at Zend/zend_vm_execute.h:754
No locals.
(More stack frames follow...)

Previous Comments:
------------------------------------------------------------------------
[2013-05-17 15:57:47] a...@php.net

@r dot biegel at gmx dot at Exactly, and the same way you could see with which options finfo_open() was invoked. That would be very helpful.
Thanks
------------------------------------------------------------------------
[2013-05-17 15:56:07] a...@php.net

@r dot biegel at gmx dot at Could you at least share the file it crashes on, please? You can do that by walking back in the stack when using gdb. Let me know if you need help with that.
------------------------------------------------------------------------
[2013-05-17 11:48:28] r dot biegel at gmx dot at

Downloaded a snapshot today, bug still exists. What commit are you referring to? This bug seems to affect GIFs, but note that it is not this one, which is about mp3 files: https://bugs.php.net/bug.php?id=64830
------------------------------------------------------------------------
[2013-05-14 17:53:58] paj...@php.net

The fix for this bug has been committed. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. For Windows: http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.
------------------------------------------------------------------------
[2013-05-14 16:49:33] r dot biegel at gmx dot at

Description:
------------
PHP segfaults when going through the typo3 upgrade wizard (4.5 -> 6.1). Not sure what's going on, but line 1610 in softmagic.c says:

offset += ms->c.li[cont_level-1].off;

but cont_level seems to be 0.

======
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffdbfef700 (LWP 20398)]
0x00007fffeeec2e6f in mget (ms=0x7fffd40f1410, s=0x7fffd4704760 "GIF89a", m=0x7fffe8509268, nbytes=4749, o=0, cont_level=0, mode=32, text=0, flip=0, recursion_level=1, printed_something=0x7fffdbfebdd4, need_separator=0x7fffdbfebdd8, returnval=0x7fffdbfebd24) at ext/fileinfo/libmagic/softmagic.c:1610
======
#0  0x00007fffeeec2e6f in mget (ms=0x7fffd40f1410, s=0x7fffd4704760 "GIF89a", m=0x7fffe8509268, nbytes=4749, o=0, cont_level=0, mode=32, text=0, flip=0, recursion_level=1, printed_something=0x7fffdbfebdd4, need_separator=0x7fffdbfebdd8, returnval=0x7fffdbfebd24) at ext/fileinfo/libmagic/softmagic.c:1610
#1  0x00007fffeeebedec in match (ms=0x7fffd40f1410, magic=0x7fffe83b70e8, nmagic=9629, s=0x7fffd4704760 "GIF89a", nbytes=4749, offset=0, mode=32, text=0, flip=0, recursion_level=0, printed_something=0x7fffdbfebdd4, need_separator=0x7fffdbfebdd8, returnval=0x7fffdbfebd24) at ext/fileinfo/libmagic/softmagic.c:157
#2  0x00007fffeeebeb1d in file_softmagic (ms=0x7fffd40f1410, buf=0x7fffd4704760 "GIF89a", nbytes=4749, mode=32, text=0) at ext/fileinfo/libmagic/softmagic.c:82
#3  0x00007fffeeebc3a5 in file_buffer (ms=0x7fffd40f1410, stream=0x7fffd46d7998, inname=0x0, buf=0x7fffd4704760, nb=4749) at ext/fileinfo/libmagic/funcs.c:238
#4  0x00007fffeeebd698 in file_or_stream (ms=0x7fffd40f1410, inname=0x0, stream=0x7fffd46d7998) at ext/fileinfo/libmagic/magic.c:412
#5  0x00007fffeeebd441 in magic_stream (ms=0x7fffd40f1410, stream=0x7fffd46d7998) at ext/fileinfo/libmagic/magic.c:344
#6  0x00007fffeeeae9b8 in _php_finfo_get_type (ht=2, return_value=0x7fffd46e4e68, return_value_ptr=0x0, this_ptr=0x7fffd46e4e38, return_value_used=1, tsrm_ls=0x7fffd4008900, mode=2, mimetype_emu=0) at ext/fileinfo/fileinfo.c:540
#7  0x00007fffeeeaec40 in zif_finfo_file (ht=2, return_value=0x7fffd46e4e68, return_value_ptr=0x0, this_ptr=0x7fffd46e4e38, return_value_used=1, tsrm_ls=0x7fffd4008900) at ext/fileinfo/fileinfo.c:578
#8  0x00007fffef2f0972 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7e5db28, tsrm_ls=0x7fffd4008900) at Zend/zend_vm_execute.h:643
#9  0x00007fffef2f1dde in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff7e5db28, tsrm_ls=0x7fffd4008900) at Zend/zend_vm_execute.h:754
#10 0x00007fffef2ee767 in execute (op_array=0x7fffd45da558, tsrm_ls=0x7fffd4008900) at Zend/zend_vm_execute.h:410
#11 0x00007fffef2a453e in zend_execute_scripts (type=8, tsrm_ls=0x7fffd4008900, retval=0x0, file_count=3) at Zend/zend.c:1315
#12 0x00007fffef1e6053 in php_execute_script (primary_file=0x7fffdbfeea30, tsrm_ls=0x7fffd4008900) at main/main.c:2492
#13 0x00007fffef423efb in php_handler (r=0x7fffd4004980) at sapi/apache2handler/sapi_apache2.c:667
#14 0x00005555555ba9c6 in ap_run_handler (r=0x7fffd4004980) at config.c:169
#15 0x00005555555bb56d in ap_invoke_handler (r=0x7fffd4004980) at config.c:432
#16 0x00005555555db438 in ap_process_async_request (r=0x7fffd4004980) at http_request.c:317
#17 0x00005555555db543 in ap_process_request (r=0x7fffd4004980) at http_request.c:363
#18 0x00005555555d721a in ap_process_http_sync_connection (c=0x7fffe4003228) at http_core.c:190
#19 0x00005555555d7353 in ap_process_http_connection (c=0x7fffe4003228) at http_core.c:231
#20 0x00005555555ca23d in ap_run_process_connection (c=0x7fffe4003228) at connection.c:41
#21 0x00005555555ca828 in ap_process_connection (c=0x7fffe4003228, csd=0x7fffe4003010) at connection.c:202
#22 0x00005555555e5e36 in process_socket (thd=0x5555558a8a78, p=0x7fffe4002f98, sock=0x7fffe4003010, my_child_num=0, my_thread_num=20, bucket_alloc=0x7fffd40008e8) at worker.c:620
#23 0x00005555555e6e1e in worker_thread (thd=0x5555558a8a78, dummy=0x7fffe4000f80) at worker.c:979
#24 0x00007ffff6713f6b in start_thread () from /lib64/libpthread.so.0
#25 0x00007ffff6248d8d in clone () from /lib64/libc.so.6
======
./php-config --configure-options
--prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --prefix=/usr/lib64/php5.4 --mandir=/usr/lib64/php5.4/man --infodir=/usr/lib64/php5.4/info --libdir=/usr/lib64/php5.4/lib --with-libdir=lib64 --without-pear --enable-maintainer-zts --disable-bcmath --with-bz2=/usr --disable-calendar --enable-ctype --without-curl --without-curlwrappers --enable-dom --without-enchant --disable-exif --enable-fileinfo --enable-filter --enable-ftp --with-gettext=/usr --without-gmp --enable-hash --without-mhash --with-iconv --disable-intl --disable-ipv6 --enable-json --without-kerberos --enable-libxml --with-libxml-dir=/usr --enable-mbstring --with-mcrypt=/usr --without-mssql --with-onig=/usr --with-openssl=/usr --with-openssl-dir=/usr --disable-pcntl --enable-phar --enable-pdo --without-pgsql --enable-posix --without-pspell --without-recode --enable-simplexml --disable-shmop --without-snmp --enable-soap --enable-sockets --without-sqlite3 --without-sybase-ct --enable-sysvmsg --enable-sysvsem --enable-sysvshm --without-tidy --enable-tokenizer --disable-wddx --enable-xml --disable-xmlreader --disable-xmlwriter --without-xmlrpc --without-xsl --enable-zip --with-zlib=/usr --disable-debug --enable-dba --without-cdb --with-db4=/usr --disable-flatfile --with-gdbm=/usr --disable-inifile --without-qdbm --with-freetype-dir=/usr --with-t1lib=/usr --disable-gd-jis-conv --with-jpeg-dir=/usr --with-png-dir=/usr --without-xpm-dir --with-gd --with-imap=/usr --with-imap-ssl=/usr --with-ldap=/usr --without-ldap-sasl --with-mysql=/usr --with-mysql-sock=/var/run/mysqld/mysqld.sock --with-mysqli=/usr/bin/mysql_config --without-pdo-dblib --with-pdo-mysql=/usr --without-pdo-pgsql --without-pdo-sqlite --without-pdo-odbc --with-readline=/usr --without-libedit --without-mm --with-pic --with-pcre-regex=/usr --with-pcre-dir=/usr --with-config-file-path=/etc/php/apache2-php5.4 --with-config-file-scan-dir=/etc/php/apache2-php5.4/ext-active --disable-embed --disable-cli 
--disable-cgi --disable-fpm --with-apxs2=/usr/sbin/apxs
------------------------------------------------------------------------
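The original report above pins the crash to `offset += ms->c.li[cont_level-1].off;` being reached with cont_level == 0, so the index is out of bounds and the read lands outside the continuation-level array, which is why the garbage it returns can be harmless in one process (CLI) and fatal in another (the threaded Apache build). The example below is added here as an illustration and is neither libmagic's nor PHP's code nor the committed fix: it models the bookkeeping in a small constructed struct (the INDIROFFADD flag name is borrowed from libmagic, its numeric value and all other names are assumptions) and puts the unguarded pattern next to a variant that refuses an indirect offset at level 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the continuation-level bookkeeping the backtrace
 * points at; the real struct magic_set carries far more state. */
#define MAXCONT 4
#define INDIROFFADD 0x01   /* "add the enclosing level's offset"; value constructed */

struct level_info { int32_t off; int last_match; };
struct magic_set_model { unsigned flags; struct level_info li[MAXCONT]; };

/* Same shape as the line quoted in the report: indexes li[cont_level-1]
 * unconditionally. With cont_level == 0 that is an out-of-bounds read
 * (undefined behaviour). Kept only for comparison at valid levels. */
static int32_t indirect_offset_unguarded(const struct magic_set_model *ms,
                                         unsigned flag, unsigned cont_level,
                                         int32_t offset)
{
    if (flag & INDIROFFADD)
        offset += ms->li[cont_level - 1].off;
    return offset;
}

/* Guarded variant: an indirect offset is only meaningful relative to an
 * enclosing level, so level 0 (or a level past the array) is reported as
 * "nothing to match" (return 0) instead of being indexed. On success
 * returns 1 and writes the adjusted offset to *out. */
static int indirect_offset_guarded(const struct magic_set_model *ms,
                                   unsigned flag, unsigned cont_level,
                                   int32_t offset, int32_t *out)
{
    if (flag & INDIROFFADD) {
        if (cont_level == 0 || cont_level > MAXCONT)
            return 0;
        offset += ms->li[cont_level - 1].off;
    }
    *out = offset;
    return 1;
}

/* Demo fixture: levels 0 and 1 matched at offsets 6 and 13; base offset 10.
 * Returns the adjusted offset, or -1 when the guard rejects the level. */
static int32_t demo_offset(unsigned cont_level)
{
    struct magic_set_model ms = { 0, { {6, 1}, {13, 1}, {0, 0}, {0, 0} } };
    int32_t out;
    return indirect_offset_guarded(&ms, INDIROFFADD, cont_level, 10, &out) ? out : -1;
}

int main(void)
{
    printf("level 2 -> %d, level 0 -> %d\n", demo_offset(2), demo_offset(0));
    return 0;
}
```

Building the unguarded variant with -fsanitize=address and calling it with cont_level 0 is the quickest way to see the read the gdb locals (sbuf and rbuf "out of bounds") hint at, without waiting for a crash that depends on what happens to sit next to the array.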