From:             ysangkok at gmail dot com
Operating system: Linux
PHP version:      5.5.4
Package:          Unknown/Other Function
Bug Type:         Bug
Bug description: Segfault with built-in webserver and chunked transfer encoding

Description:
------------
Chunked transfer encoding crashes the built-in webserver.

Test script:
---------------
#!/bin/bash
# Start the built-in webserver in the background so the script can continue.
php -S 127.0.0.1:8801 &
sleep 2
# Send a chunked POST; echo -ne turns each \r into a CR, so every line ends in CRLF.
# Chunk sizes are hex (3b, 49); the final "0" chunk is deliberately left without its CRLF.
echo -ne "POST /c.php HTTP/1.0\r
Transfer-Encoding: chunked\r
\r
3b\r
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r
49\r
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\r
0" | nc 127.0.0.1 8801
kill $! 2>/dev/null   # stop the server if it survived the request

Expected result:
----------------
No segfault

Actual result:
--------------
(gdb) run -S 127.0.0.1:8801
Starting program: /usr/bin/php5 -S 127.0.0.1:8801
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
PHP 5.5.4-1+debphp.org~raring+1 Development Server started at Wed Oct  2 20:52:35 2013
Listening on http://127.0.0.1:8801
Document root is /var/www
Press Ctrl-C to quit.
[Wed Oct  2 20:52:37 2013] 127.0.0.1:42191 Invalid request (Unexpected EOF)
*** Error in `/usr/bin/php5': free(): invalid next size (fast): 0x089f8658 ***

Program received signal SIGSEGV, Segmentation fault.
0xb783c8a0 in malloc_consolidate (av=av@entry=0xb7975440 <main_arena>) at malloc.c:4081
4081    malloc.c: No such file or directory.
(gdb) bt
#0  0xb783c8a0 in malloc_consolidate (av=av@entry=0xb7975440 <main_arena>) at malloc.c:4081
#1  0xb783db73 in _int_malloc (av=av@entry=0xb7975440 <main_arena>, bytes=bytes@entry=630) at malloc.c:3358
#2  0xb7840682 in __libc_calloc (n=630, elem_size=1) at malloc.c:3169
#3  0xb7fe8931 in _dl_new_object (realname=realname@entry=0x89f85f0 "/lib/i386-linux-gnu/libgcc_s.so.1", libname=libname@entry=0xb792e605 "libgcc_s.so.1", type=type@entry=2, loader=loader@entry=0x0, mode=mode@entry=-1879048191, nsid=nsid@entry=0) at dl-object.c:76
#4  0xb7fe4520 in _dl_map_object_from_fd (name=name@entry=0xb792e605 "libgcc_s.so.1", fd=10, fbp=fbp@entry=0xbfffd0ec, realname=0x89f85f0 "/lib/i386-linux-gnu/libgcc_s.so.1", loader=loader@entry=0x0, l_type=l_type@entry=2, mode=mode@entry=-1879048191, stack_endp=stack_endp@entry=0xbfffd0e8, nsid=nsid@entry=0) at dl-load.c:1053
#5  0xb7fe6449 in _dl_map_object (loader=0x0, loader@entry=0xb7979000, name=name@entry=0xb792e605 "libgcc_s.so.1", type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879048191, nsid=0) at dl-load.c:2606
#6  0xb7ff1075 in dl_open_worker (a=a@entry=0xbfffd48c) at dl-open.c:228
#7  0xb7fed05e in _dl_catch_error (objname=objname@entry=0xbfffd484, errstring=errstring@entry=0xbfffd488, mallocedp=mallocedp@entry=0xbfffd483, operate=operate@entry=0xb7ff0f40 <dl_open_worker>, args=args@entry=0xbfffd48c) at dl-error.c:177
#8  0xb7ff0af4 in _dl_open (file=0xb792e605 "libgcc_s.so.1", mode=-2147483647, caller_dlopen=0xb78ccc38 <init+40>, nsid=-2, argc=3, argv=0xbffff2e4, env=0x8897008) at dl-open.c:656
#9  0xb78f0711 in do_dlopen (ptr=ptr@entry=0xbfffd630) at dl-libc.c:87
#10 0xb7fed05e in _dl_catch_error (objname=0xbfffd608, errstring=0xbfffd60c, mallocedp=0xbfffd607, operate=0xb78f06b0 <do_dlopen>, args=0xbfffd630) at dl-error.c:177
#11 0xb78f0807 in dlerror_run (operate=operate@entry=0xb78f06b0 <do_dlopen>, args=args@entry=0xbfffd630) at dl-libc.c:46
#12 0xb78f0897 in __GI___libc_dlopen_mode (name=name@entry=0xb792e605 "libgcc_s.so.1", mode=mode@entry=-2147483647) at dl-libc.c:163
#13 0xb78ccc38 in init () at ../sysdeps/i386/backtrace.c:43
#14 0xb77b6dae in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/i386/pthread_once.S:120
#15 0xb78ccea5 in __GI___backtrace (array=array@entry=0xbfffd880, size=size@entry=64) at ../sysdeps/i386/backtrace.c:120
#16 0xb7831ad1 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0xb7934530 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:178
#17 0xb783c7e2 in malloc_printerr (action=<optimized out>, str=<optimized out>, ptr=0x89f8658) at malloc.c:4902
#18 0xb783d530 in _int_free (av=0xb7975440 <main_arena>, p=0x89f8650, have_lock=0) at malloc.c:3758
#19 0x08415c04 in php_cli_server_request_dtor (req=0x89f8484) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1328
#20 php_cli_server_client_dtor (client=0x89f8440) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1768
#21 php_cli_server_client_dtor_wrapper (p=0x89f85a4) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2109
#22 0x08366a98 in zend_hash_del_key_or_index (ht=ht@entry=0x88929ac <server+556>, arKey=arKey@entry=0x0, nKeyLength=nKeyLength@entry=0, h=<optimized out>, flag=flag@entry=1) at /build/buildd/php5-5.5.4+dfsg/Zend/zend_hash.c:532
#23 0x08415cc8 in php_cli_server_close_connection (server=server@entry=0x8892780 <server>, client=0x89f8440) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1785
#24 0x0841909e in php_cli_server_recv_event_read_request (server=0x8892780 <server>, client=0x89f8440) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2234
#25 0x08419590 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0xbfffe064, fd=fd@entry=9, event=event@entry=1) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2331
#26 0x08419f3c in php_cli_server_poller_iter_on_active (opaque=0xbfffe064, poller=<optimized out>, callback=<optimized out>) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:838
#27 php_cli_server_do_event_for_each_fd (server=<optimized out>, rhandler=<optimized out>, whandler=<optimized out>) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2352
#28 php_cli_server_do_event_loop (server=<optimized out>) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2362
#29 do_cli_server (argc=argc@entry=3, argv=argv@entry=0x8897e20) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2463
#30 0x080990fb in main (argc=3, argv=0x8897e20) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli.c:1381
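As an added defensive counterpart to the report above (example code written for this page, not taken from the report or from PHP's php_cli_server.c): a bounds-checked chunked-body decoder in C that validates every declared chunk size against the bytes actually received and against the output capacity before copying, so a request cut off after the "0" chunk, like the one the test script sends, is reported as incomplete and a size field that does not match its data is rejected. decode_sample() and the body it builds are constructed for this example to mirror the report's chunk sizes (0x3b and 0x49); the hex-digit cap of 8 is a chosen limit, not a standard.

```c
#include <ctype.h>
#include <string.h>

/* Result codes: OK = body complete, INCOMPLETE = need more bytes, BAD = reject the request. */
enum { CHUNK_OK, CHUNK_INCOMPLETE, CHUNK_BAD };

/* Decode an HTTP/1.x chunked body in[0..inlen) into out (capacity outcap).
 * Each declared chunk size is checked against the bytes actually received and
 * against the remaining output capacity before anything is copied. */
static int decode_chunked(const char *in, size_t inlen, char *out, size_t outcap, size_t *outlen)
{
    size_t pos = 0, size, digits, produced = 0;
    for (;;) {
        for (size = digits = 0; pos < inlen && isxdigit((unsigned char)in[pos]); pos++) {
            int c = tolower((unsigned char)in[pos]);
            size = size * 16 + (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
            if (++digits > 8) return CHUNK_BAD;               /* absurd size: reject early */
        }
        if (digits == 0) return pos < inlen ? CHUNK_BAD : CHUNK_INCOMPLETE;
        while (pos < inlen && in[pos] != '\r') pos++;          /* skip ;chunk-extensions */
        if (inlen - pos < 2) return CHUNK_INCOMPLETE;
        if (memcmp(in + pos, "\r\n", 2) != 0) return CHUNK_BAD;
        pos += 2;
        if (size == 0) {                                       /* last chunk, then final CRLF */
            if (inlen - pos < 2) return CHUNK_INCOMPLETE;
            if (memcmp(in + pos, "\r\n", 2) != 0) return CHUNK_BAD;
            *outlen = produced;
            return CHUNK_OK;
        }
        if (size > outcap - produced) return CHUNK_BAD;        /* would overrun out[] */
        if (inlen - pos < size + 2) return CHUNK_INCOMPLETE;   /* data + CRLF not all here yet */
        memcpy(out + produced, in + pos, size);
        produced += size; pos += size;
        if (memcmp(in + pos, "\r\n", 2) != 0) return CHUNK_BAD; /* declared size != data */
        pos += 2;
    }
}

/* Constructed sample shaped like the report's body: 0x3b 'a's, 0x49 'b's, then "0".
 * variant 0: "0" cut off as in the report; 1: proper CRLF CRLF after "0";
 * 2: first size field lies (declares 0x4f for 0x3b bytes). Returns decoded length or -code. */
static long decode_sample(int variant)
{
    char body[256], out[256]; size_t n = 4, len = 0;
    memcpy(body, variant == 2 ? "4f\r\n" : "3b\r\n", 4); memset(body + n, 'a', 0x3b); n += 0x3b;
    memcpy(body + n, "\r\n49\r\n", 6); n += 6; memset(body + n, 'b', 0x49); n += 0x49;
    memcpy(body + n, "\r\n0", 3); n += 3;
    if (variant == 1) { memcpy(body + n, "\r\n\r\n", 4); n += 4; }
    int rc = decode_chunked(body, n, out, sizeof out, &len); return rc == CHUNK_OK ? (long)len : -rc;
}
```

The truncated variant never reaches a copy of uninitialised or out-of-range memory: it simply asks the caller to wait for more bytes, which is the state a server should be in when the client closes the connection early.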

-- 
Edit bug report at https://bugs.php.net/bug.php?id=65818&edit=1