ID:               26938
 User updated by:  runekl at opoint dot com
 Reported By:      runekl at opoint dot com
-Status:           Feedback
+Status:           Open
 Bug Type:         Program Execution
 Operating System: All
 PHP Version:      5CVS-2004-01-16 (dev)
 New Comment:

That's strange, because it is not hard to read the code and see what
goes wrong.

I use Linux Redhat 9 with all updates.  The compiler is gcc (GCC) 3.2.2
20030222 (Red Hat Linux 3.2.2-5).  Is the constant EXEC_INPUT_BUF 4096
in php.h at your place?  My configure is

'./configure' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--enable-track-vars' \
'--with-gd' \
'--enable-calendar' \
'--enable-inline-optimization' \
'--enable-safe-mode' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--with-zlib' \
'--with-mysql' \
'--with-lib-xml-dir=/usr/local/include/libxml2' \
'--with-xsl=/usr/local/include/libxslt' \
'--enable-wddx' \
'--with-gettext' \
'--with-png' \
'--with-jpeg' \
'--with-jpeg-6b' \
'--with-mm' \
'--without-sqlite' \
"$@"


Previous Comments:
------------------------------------------------------------------------

[2004-01-18 18:38:27] [EMAIL PROTECTED]

What OS do you use? (I tested within Linux and solaris, and your test
script works fine _without_ your patch)


------------------------------------------------------------------------

[2004-01-18 16:11:38] runekl at opoint dot com

I get this when running the test I have suggested.

md5(line 0)= e86410fa2d6e2634fd8ac5f4b3afe7f3 (length 10)
md5(line 1)= e84debf3a1d132871d7fe45c1c04c566 (length 20000)
md5(line 2)= 2713d01e967adfd64c49857370ab420b (length 18191)
md5(line 3)= 2ecdde3959051d913f61b14579ea136d (length 5)
md5(line 4)= 2713d01e967adfd64c49857370ab420b (length 18191)
md5(line 5)= 902fbdd2b1df0c4f70b4a5d23525e932 (length 3)

Look at the lines 2 and 4.  The lines to read are 10000 characters
long, but PHP 'reads' 18191 bytes, e.g. 2*EXEC_INPUT_BUF-1 too much.
The extra characters come from line 1.

With the patch in my first post I get correct output.

Since test 26615 does not test reading long lines well enough and is
about a bug in the same loop, I suggest replacing it.
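
The 18191-byte count in the comment above can be reproduced from the read loop's length bookkeeping alone. This C model is an added example, not code from PHP or from the reporter; it assumes the buffer starts at EXEC_INPUT_BUF bytes, that one read returns at most one byte less than the size passed in, and that `b` is reset to `buf` after each complete line. Lengths include the trailing newline.

```c
#include <stddef.h>
#include <stdio.h>

#define EXEC_INPUT_BUF 4096

/* Length (newline included) that the read loop computes for line `idx`.
 * lines[] holds true line lengths, each counting its trailing '\n'.
 * patched = 0: arithmetic before the patch; patched = 1: after it.
 * Only the bookkeeping is modelled; no data is copied. */
static size_t computed_len(const size_t *lines, int idx, int patched)
{
    size_t buflen = EXEC_INPUT_BUF;      /* assumed initial allocation */
    size_t bufl = 0;

    for (int i = 0; i <= idx; i++) {
        size_t left = lines[i];          /* bytes of this line not yet read */
        size_t off = 0;                  /* b - buf; assumed reset per line */

        for (;;) {
            size_t room = patched ? buflen - off : EXEC_INPUT_BUF;
            /* assumed: one read yields at most room - 1 bytes */
            bufl = left < room - 1 ? left : room - 1;
            left -= bufl;
            if (left == 0)
                break;                   /* newline reached */
            if (buflen < bufl + off + EXEC_INPUT_BUF) {
                bufl += off;
                buflen = bufl + (patched ? 1 : 0) + EXEC_INPUT_BUF;
                off = bufl;
            } else {
                off += bufl;             /* buffer already large enough */
            }
        }
        if (off != 0)                    /* the "else if (b != buf)" branch */
            bufl += patched ? off : buflen - EXEC_INPUT_BUF;
    }
    return bufl;
}

int main(void)
{
    /* Constructed input: the six line lengths from the test script, plus '\n'. */
    const size_t lines[] = { 11, 20001, 10001, 6, 10001, 4 };

    for (int i = 0; i < 6; i++)
        printf("line %d: true %zu, before patch %zu, after patch %zu\n", i,
               lines[i], computed_len(lines, i, 0), computed_len(lines, i, 1));
    return 0;
}
```

The unpatched arithmetic only goes wrong on a long line that follows an even longer one, because `buflen - EXEC_INPUT_BUF` then no longer equals `b - buf`.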

------------------------------------------------------------------------

[2004-01-18 10:19:13] [EMAIL PROTECTED]

That test passes for me with latest CVS..?
So what's the bug? :)


------------------------------------------------------------------------

[2004-01-17 10:20:51] runekl at opoint dot com

I suggest you replace the test for bug 26615 with the one below.  That
should cover both cases.  It will also make your distribution smaller
:-)

--TEST--
Bug #26615 (exec crash on long input lines)
--FILE--
<?php
$out = array();
$status = -1;
$php = getenv('TEST_PHP_EXECUTABLE');
exec($php . ' -r \'' 
     . '$lengths = array(10,20000,10000,5,10000,3);'
     . 'foreach($lengths as $length) {'
     . '  for($i=0;$i<$length;$i++) print chr(65+$i % 27);'
     . '  print "\n";'
     . '}\'', $out, $status);
for ($i=0;$i<6;$i++)
     print "md5(line $i)= " . md5($out[$i]) . " (length " .
strlen($out[$i]) . ")\n";
?>
--EXPECT--
md5(line 0)= e86410fa2d6e2634fd8ac5f4b3afe7f3 (length 10)
md5(line 1)= e84debf3a1d132871d7fe45c1c04c566 (length 20000)
md5(line 2)= c33b4d2f86908eea5d75ee5a61fd81f4 (length 10000)
md5(line 3)= 2ecdde3959051d913f61b14579ea136d (length 5)
md5(line 4)= c33b4d2f86908eea5d75ee5a61fd81f4 (length 10000)
md5(line 5)= 902fbdd2b1df0c4f70b4a5d23525e932 (length 3)

------------------------------------------------------------------------

[2004-01-16 16:38:38] runekl at opoint dot com

Description:
------------
Exec fails to read two consecutive lines longer than 2*EXEC_INPUT_BUF
correctly.  While reading the first line, buflen is set to
3*EXEC_INPUT_BUF.  When reading part two of the second line, bufl will
be EXEC_INPUT_BUF too large since b!=buf.

Here is a patch:

Index: exec.c
===================================================================
RCS file: /repository/php-src/ext/standard/exec.c,v
retrieving revision 1.108
diff -C4 -r1.108 exec.c
*** exec.c      8 Jan 2004 08:17:31 -0000       1.108
--- exec.c      16 Jan 2004 21:35:35 -0000
***************
*** 111,132 ****

        if (type != 3) {
                b = buf;

!               while (php_stream_get_line(stream, b, EXEC_INPUT_BUF,
&bufl)) {
                        /* no new line found, let's read some more */
                        if (b[bufl - 1] != '\n' &&
!php_stream_eof(stream)) {
                                if (buflen < (bufl + (b - buf) +
EXEC_INPUT_BUF)) {
                                        bufl += b - buf;
!                                       buflen = bufl +
EXEC_INPUT_BUF;
                                        buf = erealloc(buf, buflen);
                                        b = buf + bufl;
                                } else {
                                        b += bufl;
                                }
                                continue;
                        } else if (b != buf) {
!                               bufl += buflen - EXEC_INPUT_BUF;
                        }

                        if (type == 1) {
                                PHPWRITE(buf, bufl);
--- 111,132 ----

        if (type != 3) {
                b = buf;

!               while (php_stream_get_line(stream, b, buflen - (b -
buf), &bufl)) {
                        /* no new line found, let's read some more */
                        if (b[bufl - 1] != '\n' &&
!php_stream_eof(stream)) {
                                if (buflen < (bufl + (b - buf) +
EXEC_INPUT_BUF)) {
                                        bufl += b - buf;
!                                       buflen = bufl + 1 +
EXEC_INPUT_BUF;
                                        buf = erealloc(buf, buflen);
                                        b = buf + bufl;
                                } else {
                                        b += bufl;
                                }
                                continue;
                        } else if (b != buf) {
!                               bufl += (b - buf);
                        }

                        if (type == 1) {
                                PHPWRITE(buf, bufl);
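
Review bot: The `+ 1` added in `buflen = bufl + 1 + EXEC_INPUT_BUF` has no comment and is not mirrored in the growth check `buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)` two statements above it, so the check and the allocation now differ by one byte in how much room they assume a further read needs. Please say in a comment what the extra byte is for, and either use the same expression in both places or explain why they differ. Since the read size is now `buflen - (b - buf)`, the corrected `bufl += (b - buf)` also relies on `b` being set back to `buf` after every completed line, which happens outside the lines shown and is worth confirming. The unchanged `b[bufl - 1]` test would read before the buffer if a call ever succeeded with `bufl` equal to 0. The hunk has also been wrapped in transit (the `while` line, for example), so it will not apply as posted; attaching it as a file would avoid that.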




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=26938&edit=1
