Edit report at https://bugs.php.net/bug.php?id=64836&edit=1

 ID:                 64836
 Updated by:         a...@php.net
 Reported by:        r dot biegel at gmx dot at
 Summary:            segfault in softmagic.c
-Status:             Assigned
+Status:             Feedback
 Type:               Bug
 Package:            Unknown/Other Function
 Operating System:   Gentoo Linux
 PHP Version:        5.4.15
 Assigned To:        ab
 Block user comment: N
 Private report:     N

 New Comment:

I've just compiled apache 2.4 with subversion 1.7.x module plus PHP-5.5, TS 
build. But it still doesn't crash for me. Note that the libmagic is the same in 
5.4 and 5.5 and was upgraded in 5.4.15 and 5.5.0 beta4.

To diagnose it further, is it possible for you to check if the behavior is the same
with the earlier php versions? Maybe 5.4.14 or 5.5.0 beta3. Also I think this
behaviour is TS specific, svn might not even be the cause, too.

Btw, what do you mean by "not using -D SVN"? As I've experienced, the mod_dav_svn.so
has to be built from the subversion sources and is not contained in the apache
source tree.

Thanks.


Previous Comments:
------------------------------------------------------------------------
[2013-05-19 15:31:46] r dot biegel at gmx dot at

I used this little script to test the finfo_file function on its own. Crashes 
in apache (if the file $fn exists, filetype doesn't matter), but it works on 
cli:

<?php
$finfo = finfo_open();
$fn = "index.html";

echo "File ".$fn." is of type ".finfo_file($finfo,$fn);

finfo_close($finfo);

?>


So it has something to do with apache I thought and it turned out that
disabling SVN DAV in apache (not using -D SVN) fixes the problem. How can I 
investigate further? Btw, I already upgraded from apache 2.2 to 2.4 before my 
first report.


Here is another (more detailed) bt:

Thread 28 (Thread 0x7fffd9feb700 (LWP 24821)):
#0  0x00007fffeeec2e6b in mget (ms=0x7fffd411c5f0, s=0x7fffd8896030 "GIF89a", 
m=0x7fffd8a69268, nbytes=1218, o=0, cont_level=0, mode=32, text=0, flip=0, 
    recursion_level=1, printed_something=0x7fffd9fe7dd4, 
need_separator=0x7fffd9fe7dd8, returnval=0x7fffd9fe7d24)
    at ext/fileinfo/libmagic/softmagic.c:1610
        off = 0
        soffset = 410814606
        offset = 0
        count = 0
        rv = -207172457
        oneed_separator = 994741513
        sbuf = 0x5cb76acd3615aac9 <Address 0x5cb76acd3615aac9 out of bounds>
        rbuf = 0x8efc10f4e7cb6d6d <Address 0x8efc10f4e7cb6d6d out of bounds>
        p = 0x7fffd411c660
        ml = {magic = 0x180ffedff931d7c7, nmagic = 1473718312, map = 
0xd8c865c8, next = 0x7fffd411c5f0, prev = 0x1a09a2a9d9c97089}
#1  0x00007fffeeebede8 in match (ms=0x7fffd411c5f0, magic=0x7fffd89170e8, 
nmagic=9629, s=0x7fffd8896030 "GIF89a", nbytes=1218, offset=0, mode=32, text=0, 
    flip=0, recursion_level=0, printed_something=0x7fffd9fe7dd4, 
need_separator=0x7fffd9fe7dd8, returnval=0x7fffd9fe7d24)
    at ext/fileinfo/libmagic/softmagic.c:157
        flush = 0
        m = 0x7fffd8a69268
        magindex = 5584
        cont_level = 0
        returnvalv = 0
        e = -647236122
        firstline = 1
        print = 0
#2  0x00007fffeeebeb19 in file_softmagic (ms=0x7fffd411c5f0, buf=0x7fffd8896030 
"GIF89a", nbytes=1218, mode=32, text=0)
    at ext/fileinfo/libmagic/softmagic.c:82
        ml = 0x7fffd40efb50
        rv = 32767
        printed_something = 0
        need_separator = 0
#3  0x00007fffeeebc3a5 in file_buffer (ms=0x7fffd411c5f0, 
stream=0x7fffd8d70388, inname=0x0, buf=0x7fffd8896030, nb=1218)
    at ext/fileinfo/libmagic/funcs.c:238
        m = 0
        rv = 0
        looks_text = 0
        mime = 16
        ubuf = 0x7fffd8896030 "GIF89a"
        u8buf = 0x7fffd4255aa0
        ulen = 3
        code = 0x0
        code_mime = 0x7fffef6f618f "binary"
        type = 0x7fffef6f5f84 "binary"
#4  0x00007fffeeebd698 in file_or_stream (ms=0x7fffd411c5f0, inname=0x0, 
stream=0x7fffd8d70388)
    at ext/fileinfo/libmagic/magic.c:413
        rv = -1
        buf = 0x7fffd8896030 "GIF89a"
        sb = {st_dev = 2058, st_ino = 105911862, st_nlink = 1, st_mode = 33188, 
st_uid = 81, st_gid = 81, __pad0 = 0, st_rdev = 0, st_size = 1218, 
          st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1322087240, 
tv_nsec = 505034622}, st_mtim = {tv_sec = 1276182426, tv_nsec = 0}, st_ctim = {
            tv_sec = 1368462842, tv_nsec = 483233520}, __unused = {0, 0, 0}}
        nbytes = 1218
        no_in_stream = 0
        tsrm_ls = 0x7fffd40068f0
#5  0x00007fffeeebd441 in magic_stream (ms=0x7fffd411c5f0, 
stream=0x7fffd8d70388)
    at ext/fileinfo/libmagic/magic.c:345
No locals.
#6  0x00007fffeeeae9b8 in _php_finfo_get_type (ht=2, 
return_value=0x7fffd49f1e50, return_value_ptr=0x0, this_ptr=0x7fffd49f3d58, 
return_value_used=1, 
    tsrm_ls=0x7fffd40068f0, mode=2, mimetype_emu=0) at 
ext/fileinfo/fileinfo.c:540
        stream = 0x7fffd8d70388
        context = 0x7fffd8b84610
        tmp2 = 0x7fffd49db410 "/xxx/yyy/zzz/fileadmin/template/head.gif"
        wrap = 0x7fffefb6c700 <php_plain_files_wrapper>
        ssb = {sb = {st_dev = 2058, st_ino = 105911862, st_nlink = 1, st_mode = 
33188, st_uid = 81, st_gid = 81, __pad0 = 0, st_rdev = 0, st_size = 1218, 
            st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1322087240, 
tv_nsec = 505034622}, st_mtim = {tv_sec = 1276182426, tv_nsec = 0}, 
            st_ctim = {tv_sec = 1368462842, tv_nsec = 483233520}, __unused = 
{0, 0, 0}}}
        options = 16
        ret_val = 0x0
        buffer = 0x7fffd49db410 "/xxx/yyy/zzz/fileadmin/template/head.gif"
        buffer_len = 53
        finfo = 0x7fffd49e7e08
        zfinfo = 0x7fffef8234f1
        zcontext = 0x0
        what = 0x7fffef8234fc
        mime_directory = "directory"
        magic = 0x7fffd411c5f0
        object = 0x7fffd49f3d58
#7  0x00007fffeeeaec40 in zif_finfo_file (ht=2, return_value=0x7fffd49f1e50, 
return_value_ptr=0x0, this_ptr=0x7fffd49f3d58, return_value_used=1, 
    tsrm_ls=0x7fffd40068f0) at ext/fileinfo/fileinfo.c:578
No locals.
#8  0x00007fffef2f0da2 in zend_do_fcall_common_helper_SPEC 
(execute_data=0x7ffff7e61c98, tsrm_ls=0x7fffd40068f0)
    at Zend/zend_vm_execute.h:643
        ret = 0x7ffff7e61e28
        opline = 0x7fffd4903300
        should_change_scope = 1 '\001'
        fbc = 0x555555b0ef20
#9  0x00007fffef2f220e in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER 
(execute_data=0x7ffff7e61c98, tsrm_ls=0x7fffd40068f0)
    at Zend/zend_vm_execute.h:754
No locals.
(More stack frames follow...)

------------------------------------------------------------------------
[2013-05-17 15:57:47] a...@php.net

@r dot biegel at gmx dot at

Exactly, and the same way you could see with which options finfo_open() was
invoked. That would be very helpful.

Thanks

------------------------------------------------------------------------
[2013-05-17 15:56:07] a...@php.net

@r dot biegel at gmx dot at

Could you at least share the file it crashes on please? You can do that walking 
back in the stack when using gdb. Let me know if you need help with that.

------------------------------------------------------------------------
[2013-05-17 11:48:28] r dot biegel at gmx dot at

Downloaded a snapshot today, bug still exists. What commit are you referring to?

This bug seems to affect GIFs, but note that it is not this one which is about 
mp3 files:
https://bugs.php.net/bug.php?id=64830

------------------------------------------------------------------------
[2013-05-14 17:53:58] paj...@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=64836

