ID: 38648
Updated by: [EMAIL PROTECTED]
Reported By: songmaqd at hotmail dot com
-Status: Closed
+Status: Bogus
Bug Type: Streams related
Operating System: UNIX
PHP Version: 5CVS-2006-08-30 (CVS)
Assigned To: pollita

New Comment:
Changing status for record keeping purposes. Not actually bogus, but it is a duplicate of Bug#36515, which wins because it was reported first. For the record though, your report and analysis were much better :)

Previous Comments:
------------------------------------------------------------------------

[2006-10-11 23:12:01] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Fix will appear in 5.2.0RC6

------------------------------------------------------------------------

[2006-09-01 12:57:19] [EMAIL PROTECTED]

Assigned to the maintainer.

------------------------------------------------------------------------

[2006-08-31 10:07:31] songmaqd at hotmail dot com

Here is the reproduce script:

<?php
class strtoupper_filter extends php_user_filter {
    function filter($in, $out, &$consumed, $closing) {
        // Deliberately consumes every bucket without passing it to $out
        // and without returning a PSFS_* status (see note 2 below).
        while ($bucket = stream_bucket_make_writeable($in)) {}
    }
}
stream_filter_register("strtoupper", "strtoupper_filter");
$fp = fopen("foo-bar.txt", "w");
stream_filter_append($fp, "strtoupper");
fwrite($fp, "Line1\n");

Note:
1. This bug cannot be reproduced on the Linux platform. My distro is SuSE 10.1. I can reproduce the bug on one certain UNIX platform.
2. The above script is for testing purposes and is deliberately written like that. It does not follow the stream filter coding way.
3. Here is some debugger info. "php_stream_bucket_unlink" was called twice. I guess the second call is to clean up the system resource, and "brigade" is "0x0" at this moment.
**** ****
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c" ($t2)
  235   if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen = 6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) print *bucket->brigade
(head = 0x2223D000, tail = 0x2223D000)
(/tmp/dbx) print *bucket->brigade->head
(next = 0x0, prev = 0x0, brigade = 0x220C70E8, buf = "Line1.", buflen = 6, own_buf = 0, is_persistent = 0, refcount = 1)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink.$b156 at line 238 in file "filter.c" ($t2)
  238       bucket->brigade->head = bucket->next;
(/tmp/dbx) list
  239   }
  240   if (bucket->next) {
  241       bucket->next->prev = bucket->prev;
  242   } else if (bucket->brigade) {
  243       bucket->brigade->tail = bucket->prev;
  244   }
  245   bucket->brigade = NULL;
  246   bucket->next = bucket->prev = NULL;
  247   }
(/tmp/dbx) cont
[1] stopped in php_stream_bucket_unlink at line 235 in file "filter.c" ($t2)
  235   if (bucket->prev) {
(/tmp/dbx) print *bucket
(next = 0x0, prev = 0x0, brigade = 0x0, buf = "", buflen = 0, own_buf = 0, is_persistent = 0, refcount = 0)
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 240 in file "filter.c" ($t2)
  240   if (bucket->next) {
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 245 in file "filter.c" ($t2)
  245   bucket->brigade = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 246 in file "filter.c" ($t2)
  246   bucket->next = bucket->prev = NULL;
(/tmp/dbx) next
stopped in php_stream_bucket_unlink at line 247 in file "filter.c" ($t2)
  247   }
(/tmp/dbx) cont
program exited
**** ****

------------------------------------------------------------------------

[2006-08-30 08:48:23] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

------------------------------------------------------------------------

[2006-08-30 05:49:47] songmaqd at hotmail dot com

Description:
------------
In source file "main/streams/filter.c", function "PHPAPI void php_stream_bucket_unlink(php_stream_bucket *bucket TSRMLS_DC)" needs an additional sanity check for a NULL "brigade" pointer. Otherwise it leads to a core dump if "brigade" is NULL.

A possible example for this fix is:

PHPAPI void php_stream_bucket_unlink(php_stream_bucket *bucket TSRMLS_DC)
{
	if (bucket->prev) {
		bucket->prev->next = bucket->next;
	} else if (bucket->brigade) /* newly added */ {
		bucket->brigade->head = bucket->next;
	}
	if (bucket->next) {
		bucket->next->prev = bucket->prev;
	} else if (bucket->brigade) /* newly added */ {
		bucket->brigade->tail = bucket->prev;
	}
	bucket->brigade = NULL;
	bucket->next = bucket->prev = NULL;
}

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=38648&edit=1
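Added example, not code from PHP's source tree: a minimal model of the bucket and brigade structs (assumed stand-ins, the real ones carry more fields) with the unlink routine carrying the NULL checks proposed in the report, replaying the double unlink seen in the dbx session so the second call no longer dereferences a NULL brigade.

```c
#include <stddef.h>

/* Stand-ins for php_stream_bucket / php_stream_bucket_brigade (assumption: real structs have more fields). */
typedef struct bucket bucket;
typedef struct brigade { bucket *head, *tail; } brigade;
struct bucket { bucket *next, *prev; brigade *brigade; const char *buf; size_t buflen; };

/* Links b at the tail of brig, the way php_stream_bucket_append does. */
static void bucket_append(brigade *brig, bucket *b) {
    b->brigade = brig; b->next = NULL; b->prev = brig->tail;
    if (brig->tail) brig->tail->next = b; else brig->head = b;
    brig->tail = b;
}

/* php_stream_bucket_unlink with the NULL checks from the report: a bucket whose
 * brigade is already NULL (unlinked once before) is left alone, not dereferenced. */
static void bucket_unlink(bucket *b) {
    if (b->prev) {
        b->prev->next = b->next;
    } else if (b->brigade) {          /* newly added check */
        b->brigade->head = b->next;
    }
    if (b->next) {
        b->next->prev = b->prev;
    } else if (b->brigade) {          /* newly added check */
        b->brigade->tail = b->prev;
    }
    b->brigade = NULL;
    b->next = b->prev = NULL;
}

/* Replays the dbx session: one bucket holding "Line1\n" is linked into a brigade
 * and unlinked twice (second call: brigade == 0x0). Returns 1 if both stay consistent. */
int double_unlink_is_safe(void) {
    brigade brig = { NULL, NULL };
    bucket b = { NULL, NULL, NULL, "Line1\n", 6 };   /* constructed sample bucket */
    bucket_append(&brig, &b);
    bucket_unlink(&b); bucket_unlink(&b);             /* second call used to crash */
    return brig.head == NULL && brig.tail == NULL
        && b.brigade == NULL && b.next == NULL && b.prev == NULL;
}

/* Unlinking the middle bucket of three must relink its neighbours. */
int middle_unlink_keeps_order(void) {
    brigade brig = { NULL, NULL };
    bucket a = { 0 }, b = { 0 }, c = { 0 };
    bucket_append(&brig, &a); bucket_append(&brig, &b); bucket_append(&brig, &c);
    bucket_unlink(&b);
    return brig.head == &a && brig.tail == &c && a.next == &c && c.prev == &a;
}
```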