[Zlib-devel] php->gzopen segfaults since zlib-1.2.3.5

Török Edwin edwintorok at gmail.com
Wed Jan 27 15:48:32 EST 2010


On 01/27/2010 09:18 PM, Pierre Schmitz wrote:
> Hi all,
>
> I was pointed to a pear segfault in combination with zlib 1.2.3.7. I tracked 
> this down the php function gzopen. The last working version of zlib is 
> 1.2.3.4.
>
> I am currently not sure if this is an zlib or php issue; so I would appreciate 
> if you enlighten me here. ;-)
>
> The most simple way to reproduce the problem is the following php code 
> (assuming a test.tar.gz file exists in the same dir)
>
> <?php
>
> $f = gzopen('test.tar.gz', 'r');
> gzclose($f);
>
> ?>
>
> I have tested this with PHP 5.3.1 and 5.3.2RC1; but I assume previous versions 
> are affected, too.
>
> Here is a backtrace of the call:
>
> Core was generated by `php test.php'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x00007f8e1aefe559 in free () from /lib/libc.so.6
> (gdb) bt
> #0  0x00007f8e1aefe559 in free () from /lib/libc.so.6
> #1  0x00007f8e1c6c82d6 in zcfree (opaque=0x0, ptr=0x800000000002) at 
> zutil.c:314
>   

It's trying to free an invalid pointer.

> #2  0x00007f8e1c6c3398 in inflateEnd (strm=0x25a5428) at inflate.c:1245
> #3  0x00007f8e1c6bd988 in gzclose_r (file=0x25a53b0) at gzread.c:648
> #4  0x00007f8e1c6bb64f in gzclose (file=0x25a53b0) at gzclose.c:23
> #5  0x00000000004789cb in php_gziop_close (stream=0x2581448, close_handle=1)
>     at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/ext/zlib/zlib_fopen_wrapper.c:79
> #6  0x0000000000679074 in _php_stream_free (stream=0x2581448, 
> close_options=11)
>     at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/main/streams/streams.c:356
> #7  0x000000000067bbcc in stream_resource_regular_dtor (rsrc=0x2581630)
>     at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/main/streams/streams.c:1426
> #8  0x00000000006f1077 in list_entry_destructor (ptr=0x2581630) at 
> /home/pierre/zlib-test/php/trunk/src/php-5.3.2RC1/Zend/zend_list.c:184
> #9  0x00000000006edf0f in zend_hash_del_key_or_index (ht=0xe850b0, arKey=0x0, 
> nKeyLength=0, h=5, flag=1)
>     at /home/pierre/zlib-test/php/trunk/src/php-5.3.2RC1/Zend/zend_hash.c:497
> #10 0x00000000006f0b8b in _zend_list_delete (id=5) at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/Zend/zend_list.c:58
> #11 0x00000000005a567f in zif_fclose (ht=1, return_value=0x257fb88, 
> return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
>     at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/ext/standard/file.c:928
> #12 0x00000000007141fb in zend_do_fcall_common_helper_SPEC 
> (execute_data=0x7f8e1cbe9090)
>     at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/Zend/zend_vm_execute.h:313
> #13 0x0000000000718c4a in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
> (execute_data=0x7f8e1cbe9090)
>     at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/Zend/zend_vm_execute.h:1603
> #14 0x00000000007135ae in execute (op_array=0x25807b0) at /home/pierre/zlib-
> test/php/trunk/src/php-5.3.2RC1/Zend/zend_vm_execute.h:104
> #15 0x00000000006dd973 in zend_execute_scripts (type=8, retval=0x0, 
> file_count=3)
>     at /home/pierre/zlib-test/php/trunk/src/php-5.3.2RC1/Zend/zend.c:1194
> #16 0x000000000065e301 in php_execute_script (primary_file=0x7fffac37f4b0) at 
> /home/pierre/zlib-test/php/trunk/src/php-5.3.2RC1/main/main.c:2233
> #17 0x00000000007d2ebe in main (argc=2, argv=0x7fffac37f738) at 
> /home/pierre/zlib-test/php/trunk/src/php-5.3.2RC1/sapi/cli/php_cli.c:1192
>
> For reference, the code of the mentioned zlib_fopen_wrapper.c can be found at 
> http://svn.php.net/viewvc/php/php-
> src/branches/PHP_5_3_2/ext/zlib/zlib_fopen_wrapper.c?view=markup
>   


Here is a small C testcase:
#include <zlib.h>
#include <fcntl.h>
int main()
{
    int fd =  open("test.tar.gz", O_RDONLY);
    gzFile f = gzdopen(fd, "r");
    gzflush(f, Z_SYNC_FLUSH);
    gzclose(f);
    return 0;
}

The culprit seems to be gzflush: it calls gz_error with "Bad file
descriptor", and then somehow state->window becomes an invalid pointer
(0x800000000002 for me, same as the backtrace above!) by the time it
reaches gzclose (and inflateEnd).

Best regards,
--Edwin
