[PHP-DEV] Bug #11998 Updated: Crash on multipart file form upload

[me]

ID: 11998
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Old Status: Feedback
Status: Open
Bug Type: Reproducible crash
Operating System: FreeBSD 4.2-STABLE
PHP Version: 4.0CVS-2001-07-10
New Comment:

>From CVS as at 21/08/2001 16:15 NZDT using same form and uploading 2 images in the 
>fields supplied.

(gdb) bt
#0  0x1823fdbf in php_mime_split (
    buf=0x820000c '-' <repeats 29 times>, "7d12252130332\r\nContent-Disposition: 
form-data; name=\"id\"\r\n\r\n3319", cnt=33534, 
    boundary=0x819762a '-' <repeats 27 times>, "7d12252130332", array_ptr=0x817eaec) 
at rfc1867.c:174
#1  0x18240a3b in rfc1867_post_handler (
    content_type_dup=0x819760c "multipart/form-data; boundary=", '-' <repeats 27 
times>, "7d12252130332", arg=0x817eaec)
    at rfc1867.c:472
#2  0x1823eb25 in sapi_handle_post (arg=0x817eaec) at SAPI.c:107
#3  0x18241a01 in php_treat_data (arg=0, str=0x0, destArray=0x0) at 
php_variables.c:250
#4  0x1823c2ce in php_hash_environment () at main.c:1097
#5  0x1823b6f0 in php_request_startup () at main.c:684
#6  0x18238cd6 in apache_php_module_main (r=0x819e71c, display_source_mode=0) at 
sapi_apache.c:67
#7  0x18239822 in send_php (r=0x819e71c, display_source_mode=0, filename=0x0) at 
mod_php4.c:575
#8  0x18239882 in send_parsed_php (r=0x819e71c) at mod_php4.c:590
#9  0x80758a1 in ap_invoke_handler ()
#10 0x8089fa8 in process_request_internal ()
#11 0x808a402 in ap_internal_redirect ()
#12 0x181d48d2 in mod_gzip_redir1_handler () from 
/usr/local/apache_test/libexec/mod_gzip.so
#13 0x181d2fa0 in mod_gzip_handler () from /usr/local/apache_test/libexec/mod_gzip.so
#14 0x80758a1 in ap_invoke_handler ()
#15 0x8089fa8 in process_request_internal ()
#16 0x808a402 in ap_internal_redirect ()
#17 0x80602b2 in handle_dir ()
#18 0x80758a1 in ap_invoke_handler ()
#19 0x8089fa8 in process_request_internal ()
#20 0x808a012 in ap_process_request ()
#21 0x8080fdf in child_main ()
#22 0x808119d in make_child ()
#23 0x8081316 in startup_children ()
#24 0x8081924 in standalone_main ()
#25 0x808213c in main ()
#26 0x804f429 in _start ()
(gdb) 

Previous Comments:
------------------------------------------------------------------------

[2001-08-20 19:48:36] [EMAIL PROTECTED]

I can not reproduce it with your form and with latest CVS.
Please provide a GDB backtrace of the crash (using latest CVS of PHP)

--Jani


------------------------------------------------------------------------

[2001-08-19 17:22:19] [EMAIL PROTECTED]

Hmmm, maybe I missed something.

This form here crashes it:

http://philth.net.nz/upload.php

and the file it's posting to has 

<?
echo "foobar";
?>

in it.

------------------------------------------------------------------------

[2001-08-19 16:26:29] [EMAIL PROTECTED]

I can not reproduce this. I have a form with 30 indexed
file fields plus 50 with no preset indexes.
ie.

30 of these: <input type="file" name="test1[1]">
50 of these: <input type="file" name="test2[]">

And I can't get it to crash..do I have to upload ove 26
file or?

--Jani


------------------------------------------------------------------------

[2001-08-19 07:21:38] [EMAIL PROTECTED]

Simply a form containing more than 26 <input type="file"> tag's.

So,
<form action="/prop/" method="post" id="editForm" enctype="multipart/form-data">
        
        Image 1:<input type="file" name="img[1]" size="24" onclick="" onchange="">
        Image 2:<input type="file" name="img[2]" size="24" onclick="" onchange="">
                
                ... [Lots more here] ...
        
        Image 18:<input type="file" name="img[18]" size="24" onclick="" onchange="">
        Image 19:<input type="file" name="img[19]" size="24" onclick="" onchange="">
                
                
        Virtual Image 1:<input type="file" name="virtimg[1]" size="24" onclick="" 
onchange="">
        Image IVR 1:<input type="file" name="virtivr[1]" size="24" onclick="" 
onchange="">
                
                ... [Lots more here] ...
        
        Virtual Image 6:<input type="file" name="virtimg[6]" size="24" onclick="" 
onchange="">
        Image IVR 6:<input type="file" name="virtivr[6]" size="24" onclick="" 
onchange="">
        
        <input type="submit" value="  Submit  " id="submitButton">
</form>


It doesn't matter what's in the page it POST's too.


------------------------------------------------------------------------

[2001-08-19 04:46:27] [EMAIL PROTECTED]

Please include the shortest possible example
script into this report.


------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/?id=11998


Edit this bug report at http://bugs.php.net/?id=11998&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]