Edit report at https://bugs.php.net/bug.php?id=65667&edit=1

 ID:                 65667
 Comment by:         phofstetter at sensational dot ch
 Reported by:        imprec at gmail dot com
 Summary:            ftp_nb_continue produces segfault
 Status:             Open
 Type:               Bug
 Package:            FTP related
 Operating System:   OSX
 PHP Version:        5.5.3
 Block user comment: N
 Private report:     N

 New Comment:

Ok. Official Pull-Request submitted here: https://github.com/php/php-src/pull/478

Sorry for the spam. I initially just wanted to confirm the issue, but then I felt compelled to dig deeper and deeper, commenting more and more :-)


Previous Comments:
------------------------------------------------------------------------
[2013-10-02 06:30:51] phofstetter at sensational dot ch

I think the bug was introduced in https://github.com/php/php-src/commit/a93a462dcefd62e07963dd2da506fbb3409c88b5 where php_stream_close(outstream); is called unconditionally. Thus any further ftp_nb_continue() will work on a stream that has already been closed.

When I restore the behaviour pre-patch, the segfault goes away.

I will create a proper pull request and attach it to this bug.

------------------------------------------------------------------------
[2013-10-02 06:14:18] phofstetter at sensational dot ch

And here's one stack frame higher (giving you the data you requested):

(gdb) p ftp
$1 = (ftpbuf_t *) 0x7ffff7fcf1f8
(gdb) p ftp->stream
$2 = (php_stream *) 0x7ffff7fceb78
(gdb) p data
$3 = (databuf_t *) 0x7ffff7fd1388
(gdb) p ftp->stream->ops
$4 = (php_stream_ops *) 0x0

Again, something is wrong with that stream.

------------------------------------------------------------------------
[2013-10-02 06:00:46] phofstetter at sensational dot ch

Here's a bit of poking around in gdb:

Program received signal SIGSEGV, Segmentation fault.
0x000000000070080d in _php_stream_write (stream=0x18eecb8, buf=0x19511b4 "\243\060\060\060\060\060\060\060\061\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\067\065\063\061\243\060\060\060\060\060\060\060\061\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\067\063\066\061\243\060\060\060\060\060\060\060\062\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\064\065\070\060\243\060\060\060\060\060\060\062\071\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\067\060\060\066\243\060\060\060\060\060\060\060\063\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\060\063\061\061\243\060\060\060\060\060\060\060\065\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\066\063\061\065\243\060\060\060\060\060\060\060\066\243\r\nPA"..., count=1352) at /home/crazyhat/popscan-deb/downloads/php-5.5.4/main/streams/streams.c:1233
warning: Source file is more recent than executable.
1233		if (buf == NULL || count == 0 || stream->ops->write == NULL) {
(gdb) p count
$1 = 1352
(gdb) p stream
$2 = (php_stream *) 0x18eecb8
(gdb) p stream->ops
$3 = (php_stream_ops *) 0x0
(gdb)

stream->ops seems to be NULL

------------------------------------------------------------------------
[2013-10-02 05:52:56] phofstetter at sensational dot ch

I can confirm this to happen on Linux too. Also in 5.4.20 (5.4.16 was fine) and 5.5.4

------------------------------------------------------------------------
[2013-09-17 08:36:21] imprec at gmail dot com

Well, not so much chance :(

(gdb) run
Starting program: /usr/local/bin/php /Users/romain/Documents/workspace/Phraseanet/ftp.php
Reading symbols for shared libraries +++++++++++++++++++++............................................... done
Reading symbols for shared libraries ...................... done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries ....... done
Reading symbols for shared libraries ..... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
bt full

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x0000000100387a75 in _php_stream_write ()
(gdb) bt full
#0  0x0000000100387a75 in _php_stream_write ()
No symbol table info available.
#1  0x000000010013ab6f in ftp_nb_continue_read ()
No symbol table info available.
#2  0x0000000100137c2c in zif_ftp_nb_continue ()
No symbol table info available.
#3  0x00000001003bf524 in dtrace_execute_internal ()
No symbol table info available.
#4  0x00000001004430c2 in zend_do_fcall_common_helper_SPEC ()
No symbol table info available.
#5  0x00000001003f310a in execute_ex ()
No symbol table info available.
#6  0x00000001003bf458 in dtrace_execute_ex ()
No symbol table info available.
#7  0x00000001003ce7ac in zend_execute_scripts ()
No symbol table info available.
#8  0x0000000100374602 in php_execute_script ()
No symbol table info available.
#9  0x0000000100467075 in do_cli ()
No symbol table info available.
#10 0x0000000100465e3d in main ()
No symbol table info available.
(gdb) p ftp
No symbol "ftp" in current context.
(gdb) p data
No symbol "data" in current context.
(gdb) p rcvd
No symbol "rcvd" in current context.
(gdb)

Whereas my PHP is compiled with debug:

PHP 5.5.3 (cli) (built: Sep 12 2013 02:41:16) (DEBUG)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    https://bugs.php.net/bug.php?id=65667


--
Edit this bug report at https://bugs.php.net/bug.php?id=65667&edit=1
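The root cause phofstetter describes in the thread (the output stream is closed on every ftp_nb_continue() step, so the next step writes through a stream whose ops table is already NULL, which is exactly what the gdb sessions show) is modelled in the following added C example. It is constructed for this page and is not php-src code: the stream, transfer and step functions are simplified stand-ins, and the return codes only mirror PHP's FTP_FAILED, FTP_FINISHED and FTP_MOREDATA. It contrasts the unconditional-close shape with a close-only-when-finished shape, and shows how a NULL check on the ops table turns the crash into a reported failure.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not php-src code) of the failure described in the
 * report: a stream whose ops table goes NULL on close, and a non-blocking
 * "continue" step that keeps writing to it. Return codes are modelled on
 * PHP's FTP_FAILED / FTP_FINISHED / FTP_MOREDATA. */
enum { XFER_FAILED = 0, XFER_FINISHED = 1, XFER_MOREDATA = 2 };

typedef struct stream stream_t;
typedef struct {
    long (*write)(stream_t *s, const char *buf, size_t n);
} stream_ops_t;
struct stream {
    const stream_ops_t *ops; /* NULL after close, like "stream->ops = 0x0" in the gdb session */
    size_t written;
};

/* In-memory sink: counts bytes, ignores contents. */
static long mem_write(stream_t *s, const char *buf, size_t n) {
    (void)buf;
    s->written += n;
    return (long)n;
}
static const stream_ops_t mem_ops = { mem_write };

/* Closing tears the ops table down; any later write through it is the
 * NULL dereference from the backtrace. */
static void stream_close(stream_t *s) { s->ops = NULL; }

/* Guarded write: a closed stream yields an error instead of a crash. */
static long stream_write_checked(stream_t *s, const char *buf, size_t n) {
    if (s == NULL || s->ops == NULL || s->ops->write == NULL) return -1;
    return s->ops->write(s, buf, n);
}

typedef struct {
    size_t remaining; /* bytes still to transfer */
    size_t chunk;     /* bytes handled per step, at most sizeof payload */
    stream_t *out;
} transfer_t;

static const char payload[64] = "constructed payload"; /* contents irrelevant to the model */

/* Buggy shape: the output stream is closed on every step, done or not. */
int nb_continue_unconditional_close(transfer_t *t) {
    size_t n = t->remaining < t->chunk ? t->remaining : t->chunk;
    if (stream_write_checked(t->out, payload, n) < 0) return XFER_FAILED; /* hit on the 2nd step */
    t->remaining -= n;
    stream_close(t->out);
    return t->remaining == 0 ? XFER_FINISHED : XFER_MOREDATA;
}

/* Fixed shape: close only once nothing remains to be written. */
int nb_continue_close_when_done(transfer_t *t) {
    size_t n = t->remaining < t->chunk ? t->remaining : t->chunk;
    if (stream_write_checked(t->out, payload, n) < 0) return XFER_FAILED;
    t->remaining -= n;
    if (t->remaining == 0) {
        stream_close(t->out);
        return XFER_FINISHED;
    }
    return XFER_MOREDATA;
}

typedef struct { int status; int steps; size_t written; } transfer_result_t;

/* Drive a transfer with the given step function, the way a script calling
 * ftp_nb_continue() in a loop would, and report what happened. */
transfer_result_t run_transfer(int (*step)(transfer_t *), size_t total, size_t chunk) {
    stream_t out = { &mem_ops, 0 };
    transfer_t t = { total, chunk > sizeof payload ? sizeof payload : chunk, &out };
    transfer_result_t r = { XFER_MOREDATA, 0, 0 };
    while (r.status == XFER_MOREDATA && r.steps < 1000) { /* bound guards against a stuck model */
        r.status = step(&t);
        r.steps++;
    }
    r.written = out.written;
    return r;
}

int main(void) {
    transfer_result_t a = run_transfer(nb_continue_unconditional_close, 100, 40);
    transfer_result_t b = run_transfer(nb_continue_close_when_done, 100, 40);
    printf("unconditional close: status=%d steps=%d written=%zu\n", a.status, a.steps, a.written);
    printf("close when done:     status=%d steps=%d written=%zu\n", b.status, b.steps, b.written);
    return 0;
}
```

With a 100-byte transfer in 40-byte steps, the unconditional-close variant stops after two steps with only 40 bytes written, because the second step finds the ops table gone; the close-when-done variant takes three steps and writes all 100 bytes. The check in stream_write_checked is the defensive half of the story: it does not fix the premature close, but it makes the misuse surface as an error return rather than a segfault.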