From: trickie at gmail dot com
Operating system: Gentoo Linux
PHP version: 5.2.1
PHP Bug Type: Reproducible crash
Bug description: exceed post_max_size and php_default_post_reader seg faults apache

Description:
------------
If you POST a request that triggers the default post reader (php_default_post_reader), and that request exceeds post_max_size, then Apache will segmentation fault. I first found this using the SOAP extension.

Reproduce code:
---------------
I have not been able to come up with a simple reproduce code; I can submit some of the more complex SOAP code I am using if necessary.

Expected result:
----------------
Normal processing of a POST request

Actual result:
--------------
Patch available: http://trickie.org/code/max_post_fix.patch

GDB backtrace:

Starting program: /usr/sbin/apache2 -X -D DEFAULT_VHOST -D PHP5 -f /etc/apache2/httpd.conf -k start
(no debugging symbols found)
Failed to read a valid object file image from memory.
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1213380944 (LWP 4640)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1213380944 (LWP 4640)]
0xb7747565 in _estrndup (s=0x0, length=743, __zend_filename=0xb7a05214 "/var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/php_content_types.c", __zend_lineno=49, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c:2351
2351    /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c: No such file or directory.
        in /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c
(gdb) bt
#0  0xb7747565 in _estrndup (s=0x0, length=743, __zend_filename=0xb7a05214 "/var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/php_content_types.c", __zend_lineno=49, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c:2351
#1  0xb771d24a in php_default_post_reader () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/php_content_types.c:49
#2  0xb7717e32 in sapi_read_post_data () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/SAPI.c:190
#3  0xb77185e8 in sapi_activate () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/SAPI.c:372
#4  0xb77108d6 in php_request_startup () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/main.c:1105
#5  0xb77dc3c8 in php_apache_request_ctor (r=0x8254238, ctx=0x8255700) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/sapi/apache2handler/sapi_apache2.c:458
#6  0xb77dc989 in php_handler (r=0x8254238) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/sapi/apache2handler/sapi_apache2.c:574
#7  0x0806a4f8 in ap_run_handler ()
#8  0x0806d5c1 in ap_invoke_handler ()
#9  0x0806735e in ap_process_request ()
#10 0x0806116b in _start ()

-- 
Edit bug report at http://bugs.php.net/?id=40921&edit=1
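The backtrace shows the shape of the defect: frame #0 is _estrndup called with s=0x0 and a non-zero length=743, i.e. the post reader duplicates a body pointer that was never filled in because the request exceeded post_max_size. The following is an added C illustration of that pattern and of the guard a fix needs; it is not PHP's code and not the reporter's patch. The struct and function names (request_info, read_post, dup_raw_post_data) are hypothetical stand-ins, the 743/512 sizes are constructed, and plain malloc/memcpy stand in for the Zend allocator.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the SAPI request state implied by the
 * backtrace: the body pointer can be NULL while the length is still set. */
struct request_info {
    char *post_data;
    size_t post_data_length;
};

/* Constructed reader with a post_max_size-style limit. When the declared
 * length exceeds max_size the body is not buffered, but the length field
 * is still recorded; that is exactly the (s=0x0, length=743) state in
 * frame #0 of the report. */
static void read_post(struct request_info *ri, const char *body,
                      size_t content_length, size_t max_size)
{
    ri->post_data_length = content_length;
    if (content_length > max_size) {
        ri->post_data = NULL;          /* rejected: nothing buffered */
        return;
    }
    ri->post_data = malloc(content_length + 1);
    if (ri->post_data == NULL) {
        ri->post_data_length = 0;
        return;
    }
    memcpy(ri->post_data, body, content_length);
    ri->post_data[content_length] = '\0';
}

/* Guarded copy of the raw body. The crash pattern is calling an
 * strndup-style routine on ri->post_data without checking it for NULL;
 * the guard below returns NULL with *out_len = 0 instead of dereferencing. */
static char *dup_raw_post_data(const struct request_info *ri, size_t *out_len)
{
    if (ri->post_data == NULL) {
        *out_len = 0;
        return NULL;
    }
    char *copy = malloc(ri->post_data_length + 1);
    if (copy == NULL) {
        *out_len = 0;
        return NULL;
    }
    memcpy(copy, ri->post_data, ri->post_data_length);
    copy[ri->post_data_length] = '\0';
    *out_len = ri->post_data_length;
    return copy;
}

/* Oversized request: declared length 743 against a limit of 512.
 * Returns 1 if the guarded path yields NULL/0 instead of crashing. */
int demo_oversize(void)
{
    static const char body[] = "a=1&b=2";   /* constructed sample body */
    struct request_info ri;
    size_t n = 0;
    read_post(&ri, body, 743, 512);
    char *raw = dup_raw_post_data(&ri, &n);
    int ok = (raw == NULL && n == 0);
    free(raw);
    return ok;
}

/* Request within the limit: the body is buffered and copied intact.
 * Returns 1 if the copy matches the constructed body byte for byte. */
int demo_within_limit(void)
{
    static const char body[] = "a=1&b=2";   /* constructed sample body */
    struct request_info ri;
    size_t n = 0;
    read_post(&ri, body, sizeof body - 1, 512);
    char *raw = dup_raw_post_data(&ri, &n);
    int ok = (raw != NULL && n == 7 && strcmp(raw, body) == 0);
    free(raw);
    free(ri.post_data);
    return ok;
}

int main(void)
{
    return (demo_oversize() && demo_within_limit()) ? 0 : 1;
}
```

The point for a reviewer of a fix like the one linked above is that the size check and the consumer live in different functions (sapi_read_post_data versus php_default_post_reader in the trace), so the consumer cannot assume the reader succeeded; any later use of the body pointer has to tolerate NULL, and a length field alone is not evidence that data was buffered.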