 ID:               24301
 User updated by:  hessu at hes dot iki dot fi
 Reported By:      hessu at hes dot iki dot fi
-Status:           Feedback
+Status:           Open
 Bug Type:         Reproducible crash
 Operating System: linux 2.4.20
 PHP Version:      4CVS-2003-06-23 (stable)
 New Comment:

Here's the backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 5220)]
0x4207d88c in memcpy () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207d88c in memcpy () from /lib/i686/libc.so.6
#1  0x40112a74 in apr_pmemdup (a=0x4093a000, m=0x10000, n=137482157)
    at apr_strings.c:157
#2  0x40383e74 in php_apache_sapi_ub_write (str=0x4093a000 'a' <repeats 200 times>..., str_length=65536)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/sapi/apache2handler/sapi_apache2.c:84
#3  0x403551c9 in php_ub_body_write (str=0x4093a000 'a' <repeats 200 times>..., str_length=65536)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/main/output.c:680
#4  0x40354d41 in php_body_write (str=0x4093a000 'a' <repeats 200 times>..., str_length=65536)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/main/output.c:121
#5  0x4034e67c in _php_stream_passthru (stream=0x82e14d4, __php_stream_call_depth=0,
    __zend_filename=0x404193c0 "/opt/src/web/ap-2.0.46/php4-STABLE-200306231730/ext/standard/file.c",
    __zend_lineno=1791, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/main/streams.c:1087
#6  0x402e5da0 in zif_readfile (ht=65537, return_value=0x82e1494, this_ptr=0x0, return_value_used=0)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/ext/standard/file.c:1791
#7  0x4037ebfc in execute (op_array=0x82e112c)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/Zend/zend_execute.c:1616
#8  0x4036f9bd in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/Zend/zend.c:886
#9  0x4034380b in php_execute_script (primary_file=0xbffff6b0)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/main/main.c:1685
#10 0x403847c0 in php_handler (r=0x82c76a0)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/sapi/apache2handler/sapi_apache2.c:525
#11 0x080b9926 in ap_run_handler (r=0x82c76a0) at config.c:195
#12 0x080b9e3e in ap_invoke_handler (r=0x82c76a0) at config.c:401
#13 0x080a2dab in ap_process_request (r=0x82c76a0) at http_request.c:288
#14 0x0809efe9 in ap_process_http_connection (c=0x82c1480) at http_core.c:293
#15 0x080c2916 in ap_run_process_connection (c=0x82c1480) at connection.c:85
#16 0x080b84dc in child_main (child_num_arg=65537) at prefork.c:696
#17 0x080b8686 in make_child (s=0x81a9ff0, slot=0) at prefork.c:736
#18 0x080b86df in startup_children (number_to_start=10) at prefork.c:808
#19 0x080b8dd1 in ap_mpm_run (_pconf=0x80b7db8, plog=0x81e6090, s=0x81a9ff0) at prefork.c:1024
#20 0x080bdaea in main (argc=2, argv=0xbffff974) at main.c:660
#21 0x420158f7 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) frame 7
#7  0x4037ebfc in execute (op_array=0x82e112c)
    at /opt/src/web/ap-2.0.46/php4-STABLE-200306231730/Zend/zend_execute.c:1616
1616    ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);
(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x404162c0 "readfile"
(gdb)


Previous Comments:
------------------------------------------------------------------------

[2003-06-23 14:55:27] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

------------------------------------------------------------------------

[2003-06-23 14:50:16] hessu at hes dot iki dot fi

Description:
------------
php-4.3.2 and php4-STABLE-200306231730 on apache-2.0.46, RedHat Linux
on i386, vanilla 2.4.20 kernel, gcc version 3.2 20020903 (Red Hat Linux
8.0 3.2-7).
When trying to send a binary or ascii file of exactly 65536 bytes using
readfile() or fpassthru(), the httpd process dies with a SIGSEGV. If the
file is 65535 or 65537 bytes long, it is sent out just fine. 32768 and
131072 bytes do not seem to crash, either.

The same source file does not crash the command line version of php.

Reproduce code:
---------------
$ cat 64kcrash.php
<? readfile("64k-of-data"); ?>
$

$ dd if=/dev/urandom of=64k-of-data bs=1 count=65536
OR
$ perl -e 'print "a" x 65536;' > 64k-of-data

Expected result:
----------------
The contents of the file should be sent.

Actual result:
--------------
[Mon Jun 23 22:46:56 2003] [notice] child pid 7805 exit signal Segmentation fault (11)

client gets EOF after sending the request.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=24301&edit=1