Edit report at https://bugs.php.net/bug.php?id=65667&edit=1
ID: 65667
Updated by: ni...@php.net
Reported by: imprec at gmail dot com
Summary: ftp_nb_continue produces segfault
-Status: Open
+Status: Closed
Type: Bug
Package: FTP related
Operating System: OSX
PHP Version: 5.5.3
Block user comment: N
Private report: N

New Comment:

Automatic comment on behalf of phofstet...@sensational.ch
Revision: http://git.php.net/?p=php-src.git;a=commit;h=96cc419924c38874f9e2f2e5ccf3cd0430d90f43
Log: Fix bug #65667: ftp_nb_continue produces segfault


Previous Comments:
------------------------------------------------------------------------
[2013-10-02 06:40:03] phofstetter at sensational dot ch

Ok. Official Pull-Request submitted here: https://github.com/php/php-src/pull/478

Sorry for the spam. I initially just wanted to confirm the issue, but then I felt compelled to dig deeper and deeper, commenting more and more :-)

------------------------------------------------------------------------
[2013-10-02 06:30:51] phofstetter at sensational dot ch

I think the bug was introduced in https://github.com/php/php-src/commit/a93a462dcefd62e07963dd2da506fbb3409c88b5 where php_stream_close(outstream); is called unconditionally. Thus any further ftp_nb_continue() will work on a stream that has already been closed.

When I restore the behaviour pre-patch, the segfault goes away.

I will create a proper pull request and attach it to this bug.

------------------------------------------------------------------------
[2013-10-02 06:14:18] phofstetter at sensational dot ch

and here's one stack frame higher (giving you the data you requested):

(gdb) p ftp
$1 = (ftpbuf_t *) 0x7ffff7fcf1f8
(gdb) p ftp->stream
$2 = (php_stream *) 0x7ffff7fceb78
(gdb) p data
$3 = (databuf_t *) 0x7ffff7fd1388
(gdb) p ftp->stream->ops
$4 = (php_stream_ops *) 0x0

Again, something is wrong with that stream.
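The comments above narrow the crash down to a lifetime bug: the output stream is closed after every non-blocking step, so the next ftp_nb_continue() call reaches a stream whose ops table is already gone (the NULL stream->ops in the gdb output). The following C program is an added illustration written for this page; it is not PHP's code and not from the bug report or the pull request. It models a stream with an ops pointer that becomes NULL on close, a chunked non-blocking writer, and the two close policies side by side: the defective "close after every step" and the corrected "close only once the transfer is no longer NB_MOREDATA". The stream_t/transfer_t types, the step functions, the NB_* status values (named after PHP's FTP_FAILED/FTP_MOREDATA/FTP_FINISHED return codes) and the sample payload are all constructed for the example. Where real code would dereference the NULL ops pointer and crash, the model counts the use-after-close instead so it can be run and checked.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal stream with an ops table, mirroring the shape of the
 * stream->ops->write check seen in the gdb trace on this page. */
typedef struct stream stream_t;
typedef struct {
    size_t (*write)(stream_t *s, const char *buf, size_t n);
} stream_ops_t;

struct stream {
    const stream_ops_t *ops;  /* becomes NULL once the stream is closed */
    char sink[128];           /* in-memory destination for the demo */
    size_t len;
};

static size_t sink_write(stream_t *s, const char *buf, size_t n) {
    if (n > sizeof s->sink - s->len) n = sizeof s->sink - s->len;
    memcpy(s->sink + s->len, buf, n);
    s->len += n;
    return n;
}
static const stream_ops_t sink_ops = { sink_write };

static void stream_open(stream_t *s) { s->ops = &sink_ops; s->len = 0; }
static void stream_close(stream_t *s) { s->ops = NULL; }  /* models the freed ops table */

/* Number of writes that would have dereferenced a NULL ops pointer. The real
 * write path reads stream->ops->write without such a guard, which is the
 * SIGSEGV in the trace; here the event is recorded instead of crashing. */
static int use_after_close_hits = 0;

static int stream_write(stream_t *s, const char *buf, size_t n) {
    if (s->ops == NULL) { use_after_close_hits++; return -1; }
    return (int)s->ops->write(s, buf, n);
}

/* Status of one non-blocking step (constructed names, modelled on PHP's
 * FTP_FAILED / FTP_MOREDATA / FTP_FINISHED). */
enum { NB_FAILED = 0, NB_MOREDATA = 1, NB_FINISHED = 2 };

typedef struct { const char *src; size_t total, done, chunk; } transfer_t;

/* One non-blocking step: push at most t->chunk bytes, then report progress. */
static int write_one_chunk(transfer_t *t, stream_t *out) {
    size_t n = t->total - t->done;
    if (n > t->chunk) n = t->chunk;
    int w = stream_write(out, t->src + t->done, n);
    if (w < 0) return NB_FAILED;
    t->done += (size_t)w;
    return t->done < t->total ? NB_MOREDATA : NB_FINISHED;
}

/* Defective policy: close the output stream after every step, finished or
 * not. The very next continuation then operates on a closed stream. */
static int step_close_unconditionally(transfer_t *t, stream_t *out) {
    int st = write_one_chunk(t, out);
    stream_close(out);
    return st;
}

/* Corrected policy: the stream stays open while more data is pending and is
 * closed exactly once, when the transfer has finished or failed. */
static int step_close_when_done(transfer_t *t, stream_t *out) {
    int st = write_one_chunk(t, out);
    if (st != NB_MOREDATA) stream_close(out);
    return st;
}

/* Drive a whole transfer of a constructed 56-byte payload in 16-byte chunks
 * with the given step policy; returns the final status and bytes delivered. */
static int run_transfer(int (*step)(transfer_t *, stream_t *), stream_t *out, size_t *written) {
    static const char payload[] = "constructed sample payload for the non-blocking transfer";
    transfer_t t = { payload, sizeof payload - 1, 0, 16 };
    stream_open(out);
    int st;
    do { st = step(&t, out); } while (st == NB_MOREDATA);
    if (written) *written = out->len;
    return st;
}

static int final_status(int (*step)(transfer_t *, stream_t *)) {
    stream_t o; return run_transfer(step, &o, NULL);
}
static size_t bytes_written(int (*step)(transfer_t *, stream_t *)) {
    stream_t o; size_t n; run_transfer(step, &o, &n); return n;
}

int main(void) {
    printf("close when done:     status=%d bytes=%zu use-after-close=%d\n",
           final_status(step_close_when_done), bytes_written(step_close_when_done), use_after_close_hits);
    printf("unconditional close: status=%d bytes=%zu use-after-close=%d\n",
           final_status(step_close_unconditionally), bytes_written(step_close_unconditionally), use_after_close_hits);
    return 0;
}
```

The useful takeaway for review is the ownership rule the corrected policy encodes: whoever returns NB_MOREDATA is promising the caller that the stream is still valid for the next call, so a close on that path is always a lifetime bug, and a NULL check in the write routine would only turn the crash into a silent failure rather than fix it.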
------------------------------------------------------------------------
[2013-10-02 06:00:46] phofstetter at sensational dot ch

Here's a bit of poking around in gdb:

Program received signal SIGSEGV, Segmentation fault.
0x000000000070080d in _php_stream_write (stream=0x18eecb8, buf=0x19511b4 "\243\060\060\060\060\060\060\060\061\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\067\065\063\061\243\060\060\060\060\060\060\060\061\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\067\063\066\061\243\060\060\060\060\060\060\060\062\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\064\065\070\060\243\060\060\060\060\060\060\062\071\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\067\060\060\066\243\060\060\060\060\060\060\060\063\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\060\063\061\061\243\060\060\060\060\060\060\060\065\243\r\nPAD\243\060\243\060\060\062\063\071\060\243\060\060\066\063\061\065\243\060\060\060\060\060\060\060\066\243\r\nPA"..., count=1352) at /home/crazyhat/popscan-deb/downloads/php-5.5.4/main/streams/streams.c:1233
warning: Source file is more recent than executable.
1233	if (buf == NULL || count == 0 || stream->ops->write == NULL) {
(gdb) p count
$1 = 1352
(gdb) p stream
$2 = (php_stream *) 0x18eecb8
(gdb) p stream->ops
$3 = (php_stream_ops *) 0x0
(gdb)

stream->ops seems to be NULL

------------------------------------------------------------------------
[2013-10-02 05:52:56] phofstetter at sensational dot ch

I can confirm this to happen on Linux too. Also in 5.4.20 (5.4.16 was fine) and 5.5.4

------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=65667


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=65667&edit=1