#38944 [NEW]: ZipArchive exits with SEGV



    Default #38944 [NEW]: ZipArchive exits with SEGV

    From: judas dot iscariote at gmail dot com
    Operating system: linux
    PHP version: 5CVS-2006-09-25 (CVS)
    PHP Bug Type: Zip Related
    Bug description: ZipArchive exits with SEGV

    Description:
    ------------
    the following code segfaults.

    Reproduce code:
    ---------------
    <?php

    /**
     * Thin wrapper around ZipArchive used by this reproducer.
     *
     * The handle is a public property so that var_dump() of the wrapper
     * descends into the ZipArchive object's own properties.
     */
    class zipper
    {
        /** @var ZipArchive Created eagerly in the constructor; opened later. */
        public $zip_handler;

        /**
         * Instantiates the inner ZipArchive. Nothing is opened here.
         */
        public function __construct()
        {
            $this->zip_handler = new ZipArchive();
        }

        /**
         * Opens $filename, creating the archive if it does not exist yet.
         *
         * @param string $filename Path of the zip archive.
         * @return bool|int true on success, otherwise a ZipArchive::ER_* error
         *                  code. The error code is a non-zero int, so callers
         *                  must compare with `=== true`, not rely on truthiness.
         */
        public function Myopen($filename)
        {
            $flags = ZipArchive::CREATE;

            return $this->zip_handler->open($filename, $flags);
        }
    }

    // Build the wrapper and open (creating, if absent) the archive. The
    // open() result is deliberately not inspected by this reproducer.
    $foo = new zipper();
    $foo->Myopen('/tmp/foo.zip');

    // The dump recurses into $foo->zip_handler's properties. On the reported
    // build, reading the "comment" property of a just-created archive
    // dereferenced a NULL central directory (za->cdir) -- the SIGSEGV below.
    var_dump($foo);
    ?>

    Expected result:
    ----------------
    $foo var_dump'ed

    Actual result:
    --------------
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    49 *lenp = za->cdir->comment_len;
    (gdb) bt full
    #0 0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    No locals.
    #1 0x00000000006181a5 in php_zipobj_get_zip_comment (za=0xa74b50,
    len=0x7fffaeae4534)
    at /home/cristian/php-src/ext/zip/php_zip.c:255
    No locals.
    #2 0x00000000006182c3 in php_zip_property_reader (obj=0x2b0afc0a57b0,
    hnd=0x99b000, retval=0x7fffaeae45c8, newzval=0)
    at /home/cristian/php-src/ext/zip/php_zip.c:322
    retchar = 0x0
    retint = 0
    len = 0
    #3 0x00000000006187f6 in php_zip_get_properties (object=0x2b0afc0a5638)
    at /home/cristian/php-src/ext/zip/php_zip.c:467
    obj = (ze_zip_object *) 0x2b0afc0a57b0
    hnd = (zip_prop_handler *) 0x99b000
    props = (HashTable *) 0x2b0afc0a5840
    val = (zval *) 0x2b0afc0a5ee8
    ret = 0
    key = 0x99afe0 "comment"
    key_len = 8
    pos = (HashPosition) 0x99afa0
    num_key = 5
    #4 0x00000000005e082e in php_var_dump (struc=0x2b0afc0a5498, level=3) at
    /home/cristian/php-src/ext/standard/var.c:140
    myht = (HashTable *) 0x0
    class_name = 0x7fffaeae4700 " G\177"
    class_name_len = 5
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *, zend_hash_key *)) 0x5aeae4770
    #5 0x00000000005e04bf in php_object_property_dump (zv=0x2b0afc0a5498,
    num_args=1, args=0x7fffaeae47d0,
    hash_key=0x7fffaeae47b0) at
    /home/cristian/php-src/ext/standard/var.c:96
    level = 1
    prop_name = 0x2b0afc0a54c0 "zip_handler"
    class_name = 0x0
    #6 0x000000000068f27e in zend_hash_apply_with_arguments
    (ht=0x2b0afc0a5368, destruct=0x5e034b <php_object_property_dump>,
    num_args=1) at /home/cristian/php-src/Zend/zend_hash.c:710
    p = (Bucket *) 0x2b0afc0a5480
    args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area =
    0x7fffaeae48b0, reg_save_area = 0x7fffaeae47f0}}
    hash_key = {arKey = 0x2b0afc0a54c0 "zip_handler", nKeyLength = 12,
    h = 16128149184387123093}
    #7 0x00000000005e099b in php_var_dump (struc=0x2b0afc0803b8, level=1) at
    /home/cristian/php-src/ext/standard/var.c:152
    myht = (HashTable *) 0x2b0afc0a5368
    class_name = 0x2b0afc0a5318 ""
    class_name_len = 6
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *,
    zend_hash_key *)) 0x5e034b <php_object_property_dump>
    #8 0x00000000005e0b5f in zif_var_dump (ht=1, return_value=0x2b0afc0a5958,
    return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at /home/cristian/php-src/ext/standard/var.c:193
    args = (zval ***) 0x2b0afc0a51c0
    argc = 1
    i = 0
    #9 0x00000000006a7cf6 in zend_do_fcall_common_helper_SPEC
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
    return_reference = 0 '\0'
    opline = (zend_op *) 0x2b0afc0a2058
    original_return_value = (zval **) 0x2b0afc0a52c0
    current_scope = (zend_class_entry *) 0x0
    current_this = (zval *) 0x0
    return_value_used = 0
    should_change_scope = 0 '\0'
    ctor_opline = (zend_op *) 0x9006e8ddf
    #10 0x00000000006add96 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:1681
    opline = (zend_op *) 0x2b0afc0a2058
    fname = (zval *) 0x2b0afc0a2088
    #11 0x00000000006a7797 in execute (op_array=0x2b0afc0a18d8) at
    /home/cristian/php-src/Zend/zend_vm_execute.h:92
    execute_data = {opline = 0x2b0afc0a2058, function_state =
    {function_symbol_table = 0x2b0afc0a5520,
    function = 0x96e050, reserved = {0x2b0afc0a1a08, 0x7fffaeae4d30,
    0x67505e, 0x0}}, fbc = 0x0, op_array = 0x2b0afc0a18d8,
    object = 0x0, Ts = 0x7fffaeae4b60, CVs = 0x7fffaeae4b40,
    original_in_execution = 0 '\0', symbol_table = 0x93e168,
    prev_execute_data = 0x0, old_error_reporting = 0x0}
    #12 0x00000000006817b2 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
    files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
    0x7fffaeae4f60, reg_save_area = 0x7fffaeae4ea0}}
    i = 1
    file_handle = (zend_file_handle *) 0x7fffaeae7360
    orig_op_array = (zend_op_array *) 0x0
    local_retval = (zval *) 0x0
    #13 0x0000000000629426 in php_execute_script (primary_file=0x7fffaeae7360)
    at /home/cristian/php-src/main/main.c:1759
    realfile =
    "/srv/www/htdocs/class.zipper.php\000\006\000\000\177\000\000-\210h\000\000\000\000\000�203\237\n+\000\000�216\n +\000\000\006\000\000\177\000\000�\220",
    '\0' <repeats 13 times>, "\200u\177", '\0' <repeats 26 times>,
    "�\n+\000\000\001\000\000\000\177\000\000\000\000\ 000\000\000\000\000\000str_pad\000HY{\000\000\000\ 000\000�203\237\n+\000\000\000\r\n+\000\000�\177\0 00\000B\005\n+\000\000�o\000\000\000\000\000\000\1 77y\000\000\000\000\000\224\000\000\000\000\000�h" ...
    __orig_bailout = (jmp_buf *) 0x7fffaeae71e0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646008843, 0,
    140736124056960, 0, 0, -69763556645996091,
    -69707295103899789}, __mask_was_saved = 0, __saved_mask = {__val =
    {6749112, 140736124055616, 6693656,
    47321949667651, 2930667632, 0, 2186138353664, 8135640,
    47326178184376, 140736124055888, 7341490, 8135640, 474, 0,
    0, 3}}}}
    prepend_file_p = (zend_file_handle *) 0x0
    append_file_p = (zend_file_handle *) 0x0
    prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
    handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0,
    handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    old_cwd = 0x7fffaeae4f80 ""
    retval = 0
    #14 0x00000000007015ec in main (argc=2, argv=0x7fffaeae7588) at
    /home/cristian/php-src/sapi/cli/php_cli.c:1108
    __orig_bailout = (jmp_buf *) 0x0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646010363, 0,
    140736124056960, 0, 0, -69763556646008891,
    -69707295104778918}, __mask_was_saved = 0, __saved_mask = {__val =
    {0, 0, 0, 0, 0, 140736124056288, 0, 0, 0, 0,
    2641803917, 47326178424384, 47326178426208, 281474976710656, 0,
    0}}}}
    exit_status = 0
    c = -1
    file_handle = {type = 2 '\002', filename = 0x7fffaeae8ef1
    "class.zipper.php",
    opened_path = 0x2b0afc0a1868 'Z' <repeats 33 times>, "\204�217*",
    handle = {fd = 10963600, fp = 0xa74a90, stream = {
    handle = 0xa74a90, reader = 0x69a350 <zend_stream_stdio_reader>,
    closer = 0x69a37c <zend_stream_stdio_closer>,
    fteller = 0x69a3a3 <zend_stream_stdio_fteller>, interactive = 0}},
    free_filename = 0 '\0'}
    behavior = 1
    reflection_what = 0x0
    orig_optind = 1
    orig_optarg = 0x0
    arg_free = 0x7fffaeae8ef1 "class.zipper.php"
    arg_excp = (char **) 0x7fffaeae7590
    script_file = 0x7fffaeae8ef1 "class.zipper.php"
    interactive = 0
    module_started = 1
    request_started = 1
    lineno = 1
    exec_direct = 0x0
    exec_run = 0x0
    exec_begin = 0x0
    exec_end = 0x0
    param_error = 0x0
    hide_argv = 0
    ini_entries_len = 110




    Default #38944 [Opn->Asn]: ZipArchive exits with SEGV

    ID: 38944
    Updated by: [email]tony2001@php.net[/email]
    Reported By: judas dot iscariote at gmail dot com
    -Status: Open
    +Status: Assigned
    Bug Type: Zip Related
    Operating System: linux
    PHP Version: 5CVS-2006-09-25 (CVS)
    -Assigned To:
    +Assigned To: pajoye


    Previous Comments:
    ------------------------------------------------------------------------

    [2006-09-25 00:27:49] judas dot iscariote at gmail dot com

    Description:
    ------------
    the following code segfaults.

    Reproduce code:
    ---------------
    <?php

    /**
     * Thin wrapper around ZipArchive used by this reproducer.
     *
     * The handle is a public property so that var_dump() of the wrapper
     * descends into the ZipArchive object's own properties.
     */
    class zipper
    {
        /** @var ZipArchive Created eagerly in the constructor; opened later. */
        public $zip_handler;

        /**
         * Instantiates the inner ZipArchive. Nothing is opened here.
         */
        public function __construct()
        {
            $this->zip_handler = new ZipArchive();
        }

        /**
         * Opens $filename, creating the archive if it does not exist yet.
         *
         * @param string $filename Path of the zip archive.
         * @return bool|int true on success, otherwise a ZipArchive::ER_* error
         *                  code. The error code is a non-zero int, so callers
         *                  must compare with `=== true`, not rely on truthiness.
         */
        public function Myopen($filename)
        {
            $flags = ZipArchive::CREATE;

            return $this->zip_handler->open($filename, $flags);
        }
    }

    // Build the wrapper and open (creating, if absent) the archive. The
    // open() result is deliberately not inspected by this reproducer.
    $foo = new zipper();
    $foo->Myopen('/tmp/foo.zip');

    // The dump recurses into $foo->zip_handler's properties. On the reported
    // build, reading the "comment" property of a just-created archive
    // dereferenced a NULL central directory (za->cdir) -- the SIGSEGV below.
    var_dump($foo);
    ?>

    Expected result:
    ----------------
    $foo var_dump'ed

    Actual result:
    --------------
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    49 *lenp = za->cdir->comment_len;
    (gdb) bt full
    #0 0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    No locals.
    #1 0x00000000006181a5 in php_zipobj_get_zip_comment (za=0xa74b50,
    len=0x7fffaeae4534)
    at /home/cristian/php-src/ext/zip/php_zip.c:255
    No locals.
    #2 0x00000000006182c3 in php_zip_property_reader (obj=0x2b0afc0a57b0,
    hnd=0x99b000, retval=0x7fffaeae45c8, newzval=0)
    at /home/cristian/php-src/ext/zip/php_zip.c:322
    retchar = 0x0
    retint = 0
    len = 0
    #3 0x00000000006187f6 in php_zip_get_properties
    (object=0x2b0afc0a5638) at
    /home/cristian/php-src/ext/zip/php_zip.c:467
    obj = (ze_zip_object *) 0x2b0afc0a57b0
    hnd = (zip_prop_handler *) 0x99b000
    props = (HashTable *) 0x2b0afc0a5840
    val = (zval *) 0x2b0afc0a5ee8
    ret = 0
    key = 0x99afe0 "comment"
    key_len = 8
    pos = (HashPosition) 0x99afa0
    num_key = 5
    #4 0x00000000005e082e in php_var_dump (struc=0x2b0afc0a5498, level=3)
    at /home/cristian/php-src/ext/standard/var.c:140
    myht = (HashTable *) 0x0
    class_name = 0x7fffaeae4700 " G\177"
    class_name_len = 5
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *, zend_hash_key *)) 0x5aeae4770
    #5 0x00000000005e04bf in php_object_property_dump (zv=0x2b0afc0a5498,
    num_args=1, args=0x7fffaeae47d0,
    hash_key=0x7fffaeae47b0) at
    /home/cristian/php-src/ext/standard/var.c:96
    level = 1
    prop_name = 0x2b0afc0a54c0 "zip_handler"
    class_name = 0x0
    #6 0x000000000068f27e in zend_hash_apply_with_arguments
    (ht=0x2b0afc0a5368, destruct=0x5e034b <php_object_property_dump>,
    num_args=1) at /home/cristian/php-src/Zend/zend_hash.c:710
    p = (Bucket *) 0x2b0afc0a5480
    args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area =
    0x7fffaeae48b0, reg_save_area = 0x7fffaeae47f0}}
    hash_key = {arKey = 0x2b0afc0a54c0 "zip_handler", nKeyLength =
    12, h = 16128149184387123093}
    #7 0x00000000005e099b in php_var_dump (struc=0x2b0afc0803b8, level=1)
    at /home/cristian/php-src/ext/standard/var.c:152
    myht = (HashTable *) 0x2b0afc0a5368
    class_name = 0x2b0afc0a5318 ""
    class_name_len = 6
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *,
    zend_hash_key *)) 0x5e034b <php_object_property_dump>
    #8 0x00000000005e0b5f in zif_var_dump (ht=1,
    return_value=0x2b0afc0a5958, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at
    /home/cristian/php-src/ext/standard/var.c:193
    args = (zval ***) 0x2b0afc0a51c0
    argc = 1
    i = 0
    #9 0x00000000006a7cf6 in zend_do_fcall_common_helper_SPEC
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
    return_reference = 0 '\0'
    opline = (zend_op *) 0x2b0afc0a2058
    original_return_value = (zval **) 0x2b0afc0a52c0
    current_scope = (zend_class_entry *) 0x0
    current_this = (zval *) 0x0
    return_value_used = 0
    should_change_scope = 0 '\0'
    ctor_opline = (zend_op *) 0x9006e8ddf
    #10 0x00000000006add96 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:1681
    opline = (zend_op *) 0x2b0afc0a2058
    fname = (zval *) 0x2b0afc0a2088
    #11 0x00000000006a7797 in execute (op_array=0x2b0afc0a18d8) at
    /home/cristian/php-src/Zend/zend_vm_execute.h:92
    execute_data = {opline = 0x2b0afc0a2058, function_state =
    {function_symbol_table = 0x2b0afc0a5520,
    function = 0x96e050, reserved = {0x2b0afc0a1a08, 0x7fffaeae4d30,
    0x67505e, 0x0}}, fbc = 0x0, op_array = 0x2b0afc0a18d8,
    object = 0x0, Ts = 0x7fffaeae4b60, CVs = 0x7fffaeae4b40,
    original_in_execution = 0 '\0', symbol_table = 0x93e168,
    prev_execute_data = 0x0, old_error_reporting = 0x0}
    #12 0x00000000006817b2 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
    files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
    0x7fffaeae4f60, reg_save_area = 0x7fffaeae4ea0}}
    i = 1
    file_handle = (zend_file_handle *) 0x7fffaeae7360
    orig_op_array = (zend_op_array *) 0x0
    local_retval = (zval *) 0x0
    #13 0x0000000000629426 in php_execute_script
    (primary_file=0x7fffaeae7360) at
    /home/cristian/php-src/main/main.c:1759
    realfile =
    "/srv/www/htdocs/class.zipper.php\000\006\000\000\177\000\000-\210h\000\000\000\000\000�203\237\n+\000\000�216\n +\000\000\006\000\000\177\000\000�\220",
    '\0' <repeats 13 times>, "\200u\177", '\0' <repeats 26 times>,
    "�\n+\000\000\001\000\000\000\177\000\000\000\000\ 000\000\000\000\000\000str_pad\000HY{\000\000\000\ 000\000�203\237\n+\000\000\000\r\n+\000\000�\177\0 00\000B\005\n+\000\000�o\000\000\000\000\000\000\1 77y\000\000\000\000\000\224\000\000\000\000\000�h" ...
    __orig_bailout = (jmp_buf *) 0x7fffaeae71e0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646008843,
    0, 140736124056960, 0, 0, -69763556645996091,
    -69707295103899789}, __mask_was_saved = 0, __saved_mask = {__val
    = {6749112, 140736124055616, 6693656,
    47321949667651, 2930667632, 0, 2186138353664, 8135640,
    47326178184376, 140736124055888, 7341490, 8135640, 474, 0,
    0, 3}}}}
    prepend_file_p = (zend_file_handle *) 0x0
    append_file_p = (zend_file_handle *) 0x0
    prepend_file = {type = 0 '\0', filename = 0x0, opened_path =
    0x0, handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    append_file = {type = 0 '\0', filename = 0x0, opened_path =
    0x0, handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    old_cwd = 0x7fffaeae4f80 ""
    retval = 0
    #14 0x00000000007015ec in main (argc=2, argv=0x7fffaeae7588) at
    /home/cristian/php-src/sapi/cli/php_cli.c:1108
    __orig_bailout = (jmp_buf *) 0x0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646010363,
    0, 140736124056960, 0, 0, -69763556646008891,
    -69707295104778918}, __mask_was_saved = 0, __saved_mask = {__val
    = {0, 0, 0, 0, 0, 140736124056288, 0, 0, 0, 0,
    2641803917, 47326178424384, 47326178426208, 281474976710656, 0,
    0}}}}
    exit_status = 0
    c = -1
    file_handle = {type = 2 '\002', filename = 0x7fffaeae8ef1
    "class.zipper.php",
    opened_path = 0x2b0afc0a1868 'Z' <repeats 33 times>,
    "\204�217*", handle = {fd = 10963600, fp = 0xa74a90, stream = {
    handle = 0xa74a90, reader = 0x69a350 <zend_stream_stdio_reader>,
    closer = 0x69a37c <zend_stream_stdio_closer>,
    fteller = 0x69a3a3 <zend_stream_stdio_fteller>, interactive =
    0}}, free_filename = 0 '\0'}
    behavior = 1
    reflection_what = 0x0
    orig_optind = 1
    orig_optarg = 0x0
    arg_free = 0x7fffaeae8ef1 "class.zipper.php"
    arg_excp = (char **) 0x7fffaeae7590
    script_file = 0x7fffaeae8ef1 "class.zipper.php"
    interactive = 0
    module_started = 1
    request_started = 1
    lineno = 1
    exec_direct = 0x0
    exec_run = 0x0
    exec_begin = 0x0
    exec_end = 0x0
    param_error = 0x0
    hide_argv = 0
    ini_entries_len = 110



    ------------------------------------------------------------------------



    Default #38944 [Asn]: ZipArchive exits with SEGV

    ID: 38944
    Updated by: [email]tony2001@php.net[/email]
    Reported By: judas dot iscariote at gmail dot com
    Status: Assigned
    Bug Type: Zip Related
    Operating System: linux
    PHP Version: 5CVS-2006-09-25 (CVS)
    Assigned To: pajoye
    New Comment:

    Pierre, it looks like a problem in the underlying library:
    (gdb) p za->cdir
    $3 = (struct zip_cdir *) 0x0

    Shouldn't it check for NULL before dereferencing the pointer?


    Previous Comments:
    ------------------------------------------------------------------------

    [2006-09-25 00:27:49] judas dot iscariote at gmail dot com

    Description:
    ------------
    the following code segfaults.

    Reproduce code:
    ---------------
    <?php

    /**
     * Thin wrapper around ZipArchive used by this reproducer.
     *
     * The handle is a public property so that var_dump() of the wrapper
     * descends into the ZipArchive object's own properties.
     */
    class zipper
    {
        /** @var ZipArchive Created eagerly in the constructor; opened later. */
        public $zip_handler;

        /**
         * Instantiates the inner ZipArchive. Nothing is opened here.
         */
        public function __construct()
        {
            $this->zip_handler = new ZipArchive();
        }

        /**
         * Opens $filename, creating the archive if it does not exist yet.
         *
         * @param string $filename Path of the zip archive.
         * @return bool|int true on success, otherwise a ZipArchive::ER_* error
         *                  code. The error code is a non-zero int, so callers
         *                  must compare with `=== true`, not rely on truthiness.
         */
        public function Myopen($filename)
        {
            $flags = ZipArchive::CREATE;

            return $this->zip_handler->open($filename, $flags);
        }
    }

    // Build the wrapper and open (creating, if absent) the archive. The
    // open() result is deliberately not inspected by this reproducer.
    $foo = new zipper();
    $foo->Myopen('/tmp/foo.zip');

    // The dump recurses into $foo->zip_handler's properties. On the reported
    // build, reading the "comment" property of a just-created archive
    // dereferenced a NULL central directory (za->cdir) -- the SIGSEGV below.
    var_dump($foo);
    ?>

    Expected result:
    ----------------
    $foo var_dump'ed

    Actual result:
    --------------
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    49 *lenp = za->cdir->comment_len;
    (gdb) bt full
    #0 0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    No locals.
    #1 0x00000000006181a5 in php_zipobj_get_zip_comment (za=0xa74b50,
    len=0x7fffaeae4534)
    at /home/cristian/php-src/ext/zip/php_zip.c:255
    No locals.
    #2 0x00000000006182c3 in php_zip_property_reader (obj=0x2b0afc0a57b0,
    hnd=0x99b000, retval=0x7fffaeae45c8, newzval=0)
    at /home/cristian/php-src/ext/zip/php_zip.c:322
    retchar = 0x0
    retint = 0
    len = 0
    #3 0x00000000006187f6 in php_zip_get_properties
    (object=0x2b0afc0a5638) at
    /home/cristian/php-src/ext/zip/php_zip.c:467
    obj = (ze_zip_object *) 0x2b0afc0a57b0
    hnd = (zip_prop_handler *) 0x99b000
    props = (HashTable *) 0x2b0afc0a5840
    val = (zval *) 0x2b0afc0a5ee8
    ret = 0
    key = 0x99afe0 "comment"
    key_len = 8
    pos = (HashPosition) 0x99afa0
    num_key = 5
    #4 0x00000000005e082e in php_var_dump (struc=0x2b0afc0a5498, level=3)
    at /home/cristian/php-src/ext/standard/var.c:140
    myht = (HashTable *) 0x0
    class_name = 0x7fffaeae4700 " G\177"
    class_name_len = 5
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *, zend_hash_key *)) 0x5aeae4770
    #5 0x00000000005e04bf in php_object_property_dump (zv=0x2b0afc0a5498,
    num_args=1, args=0x7fffaeae47d0,
    hash_key=0x7fffaeae47b0) at
    /home/cristian/php-src/ext/standard/var.c:96
    level = 1
    prop_name = 0x2b0afc0a54c0 "zip_handler"
    class_name = 0x0
    #6 0x000000000068f27e in zend_hash_apply_with_arguments
    (ht=0x2b0afc0a5368, destruct=0x5e034b <php_object_property_dump>,
    num_args=1) at /home/cristian/php-src/Zend/zend_hash.c:710
    p = (Bucket *) 0x2b0afc0a5480
    args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area =
    0x7fffaeae48b0, reg_save_area = 0x7fffaeae47f0}}
    hash_key = {arKey = 0x2b0afc0a54c0 "zip_handler", nKeyLength =
    12, h = 16128149184387123093}
    #7 0x00000000005e099b in php_var_dump (struc=0x2b0afc0803b8, level=1)
    at /home/cristian/php-src/ext/standard/var.c:152
    myht = (HashTable *) 0x2b0afc0a5368
    class_name = 0x2b0afc0a5318 ""
    class_name_len = 6
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *,
    zend_hash_key *)) 0x5e034b <php_object_property_dump>
    #8 0x00000000005e0b5f in zif_var_dump (ht=1,
    return_value=0x2b0afc0a5958, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at
    /home/cristian/php-src/ext/standard/var.c:193
    args = (zval ***) 0x2b0afc0a51c0
    argc = 1
    i = 0
    #9 0x00000000006a7cf6 in zend_do_fcall_common_helper_SPEC
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
    return_reference = 0 '\0'
    opline = (zend_op *) 0x2b0afc0a2058
    original_return_value = (zval **) 0x2b0afc0a52c0
    current_scope = (zend_class_entry *) 0x0
    current_this = (zval *) 0x0
    return_value_used = 0
    should_change_scope = 0 '\0'
    ctor_opline = (zend_op *) 0x9006e8ddf
    #10 0x00000000006add96 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:1681
    opline = (zend_op *) 0x2b0afc0a2058
    fname = (zval *) 0x2b0afc0a2088
    #11 0x00000000006a7797 in execute (op_array=0x2b0afc0a18d8) at
    /home/cristian/php-src/Zend/zend_vm_execute.h:92
    execute_data = {opline = 0x2b0afc0a2058, function_state =
    {function_symbol_table = 0x2b0afc0a5520,
    function = 0x96e050, reserved = {0x2b0afc0a1a08, 0x7fffaeae4d30,
    0x67505e, 0x0}}, fbc = 0x0, op_array = 0x2b0afc0a18d8,
    object = 0x0, Ts = 0x7fffaeae4b60, CVs = 0x7fffaeae4b40,
    original_in_execution = 0 '\0', symbol_table = 0x93e168,
    prev_execute_data = 0x0, old_error_reporting = 0x0}
    #12 0x00000000006817b2 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
    files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
    0x7fffaeae4f60, reg_save_area = 0x7fffaeae4ea0}}
    i = 1
    file_handle = (zend_file_handle *) 0x7fffaeae7360
    orig_op_array = (zend_op_array *) 0x0
    local_retval = (zval *) 0x0
    #13 0x0000000000629426 in php_execute_script
    (primary_file=0x7fffaeae7360) at
    /home/cristian/php-src/main/main.c:1759
    realfile =
    "/srv/www/htdocs/class.zipper.php\000\006\000\000\177\000\000-\210h\000\000\000\000\000�203\237\n+\000\000�216\n +\000\000\006\000\000\177\000\000�\220",
    '\0' <repeats 13 times>, "\200u\177", '\0' <repeats 26 times>,
    "�\n+\000\000\001\000\000\000\177\000\000\000\000\ 000\000\000\000\000\000str_pad\000HY{\000\000\000\ 000\000�203\237\n+\000\000\000\r\n+\000\000�\177\0 00\000B\005\n+\000\000�o\000\000\000\000\000\000\1 77y\000\000\000\000\000\224\000\000\000\000\000�h" ...
    __orig_bailout = (jmp_buf *) 0x7fffaeae71e0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646008843,
    0, 140736124056960, 0, 0, -69763556645996091,
    -69707295103899789}, __mask_was_saved = 0, __saved_mask = {__val
    = {6749112, 140736124055616, 6693656,
    47321949667651, 2930667632, 0, 2186138353664, 8135640,
    47326178184376, 140736124055888, 7341490, 8135640, 474, 0,
    0, 3}}}}
    prepend_file_p = (zend_file_handle *) 0x0
    append_file_p = (zend_file_handle *) 0x0
    prepend_file = {type = 0 '\0', filename = 0x0, opened_path =
    0x0, handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    append_file = {type = 0 '\0', filename = 0x0, opened_path =
    0x0, handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    old_cwd = 0x7fffaeae4f80 ""
    retval = 0
    #14 0x00000000007015ec in main (argc=2, argv=0x7fffaeae7588) at
    /home/cristian/php-src/sapi/cli/php_cli.c:1108
    __orig_bailout = (jmp_buf *) 0x0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646010363,
    0, 140736124056960, 0, 0, -69763556646008891,
    -69707295104778918}, __mask_was_saved = 0, __saved_mask = {__val
    = {0, 0, 0, 0, 0, 140736124056288, 0, 0, 0, 0,
    2641803917, 47326178424384, 47326178426208, 281474976710656, 0,
    0}}}}
    exit_status = 0
    c = -1
    file_handle = {type = 2 '\002', filename = 0x7fffaeae8ef1
    "class.zipper.php",
    opened_path = 0x2b0afc0a1868 'Z' <repeats 33 times>,
    "\204�217*", handle = {fd = 10963600, fp = 0xa74a90, stream = {
    handle = 0xa74a90, reader = 0x69a350 <zend_stream_stdio_reader>,
    closer = 0x69a37c <zend_stream_stdio_closer>,
    fteller = 0x69a3a3 <zend_stream_stdio_fteller>, interactive =
    0}}, free_filename = 0 '\0'}
    behavior = 1
    reflection_what = 0x0
    orig_optind = 1
    orig_optarg = 0x0
    arg_free = 0x7fffaeae8ef1 "class.zipper.php"
    arg_excp = (char **) 0x7fffaeae7590
    script_file = 0x7fffaeae8ef1 "class.zipper.php"
    interactive = 0
    module_started = 1
    request_started = 1
    lineno = 1
    exec_direct = 0x0
    exec_run = 0x0
    exec_begin = 0x0
    exec_end = 0x0
    param_error = 0x0
    hide_argv = 0
    ini_entries_len = 110



    ------------------------------------------------------------------------



    Default #38944 [Asn->Csd]: ZipArchive exits with SEGV

    ID: 38944
    Updated by: [email]pajoye@php.net[/email]
    Reported By: judas dot iscariote at gmail dot com
    -Status: Assigned
    +Status: Closed
    Bug Type: Zip Related
    Operating System: linux
    PHP Version: 5CVS-2006-09-25 (CVS)
    Assigned To: pajoye
    New Comment:

    This bug has been fixed in CVS.

    Snapshots of the sources are packaged every three hours; this change
    will be in the next snapshot. You can grab the snapshot at
    [url]http://snaps.php.net/[/url].

    Thank you for the report, and for helping us make PHP better.

    Yes, it was this problem; too bad that NNTP lags. It would have saved
    30 mins of tests ;)

    Thanks for the heads-up and the test!


    Previous Comments:
    ------------------------------------------------------------------------

    [2006-09-25 08:30:51] [email]tony2001@php.net[/email]

    Pierre, it looks like a problem in the underlying library:
    (gdb) p za->cdir
    $3 = (struct zip_cdir *) 0x0

    Shouldn't it check for NULL before dereferencing the pointer?

    ------------------------------------------------------------------------

    [2006-09-25 00:27:49] judas dot iscariote at gmail dot com

    Description:
    ------------
    the following code segfaults.

    Reproduce code:
    ---------------
    <?php

    /**
     * Thin wrapper around ZipArchive used by this reproducer.
     *
     * The handle is a public property so that var_dump() of the wrapper
     * descends into the ZipArchive object's own properties.
     */
    class zipper
    {
        /** @var ZipArchive Created eagerly in the constructor; opened later. */
        public $zip_handler;

        /**
         * Instantiates the inner ZipArchive. Nothing is opened here.
         */
        public function __construct()
        {
            $this->zip_handler = new ZipArchive();
        }

        /**
         * Opens $filename, creating the archive if it does not exist yet.
         *
         * @param string $filename Path of the zip archive.
         * @return bool|int true on success, otherwise a ZipArchive::ER_* error
         *                  code. The error code is a non-zero int, so callers
         *                  must compare with `=== true`, not rely on truthiness.
         */
        public function Myopen($filename)
        {
            $flags = ZipArchive::CREATE;

            return $this->zip_handler->open($filename, $flags);
        }
    }

    // Build the wrapper and open (creating, if absent) the archive. The
    // open() result is deliberately not inspected by this reproducer.
    $foo = new zipper();
    $foo->Myopen('/tmp/foo.zip');

    // The dump recurses into $foo->zip_handler's properties. On the reported
    // build, reading the "comment" property of a just-created archive
    // dereferenced a NULL central directory (za->cdir) -- the SIGSEGV below.
    var_dump($foo);
    ?>

    Expected result:
    ----------------
    $foo var_dump'ed

    Actual result:
    --------------
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    49 *lenp = za->cdir->comment_len;
    (gdb) bt full
    #0 0x0000000000623d88 in zip_get_archive_comment (za=0xa74b50,
    lenp=0x7fffaeae4534, flags=0)
    at /home/cristian/php-src/ext/zip/lib/zip_get_archive_comment.c:49
    No locals.
    #1 0x00000000006181a5 in php_zipobj_get_zip_comment (za=0xa74b50,
    len=0x7fffaeae4534)
    at /home/cristian/php-src/ext/zip/php_zip.c:255
    No locals.
    #2 0x00000000006182c3 in php_zip_property_reader (obj=0x2b0afc0a57b0,
    hnd=0x99b000, retval=0x7fffaeae45c8, newzval=0)
    at /home/cristian/php-src/ext/zip/php_zip.c:322
    retchar = 0x0
    retint = 0
    len = 0
    #3 0x00000000006187f6 in php_zip_get_properties
    (object=0x2b0afc0a5638) at
    /home/cristian/php-src/ext/zip/php_zip.c:467
    obj = (ze_zip_object *) 0x2b0afc0a57b0
    hnd = (zip_prop_handler *) 0x99b000
    props = (HashTable *) 0x2b0afc0a5840
    val = (zval *) 0x2b0afc0a5ee8
    ret = 0
    key = 0x99afe0 "comment"
    key_len = 8
    pos = (HashPosition) 0x99afa0
    num_key = 5
    #4 0x00000000005e082e in php_var_dump (struc=0x2b0afc0a5498, level=3)
    at /home/cristian/php-src/ext/standard/var.c:140
    myht = (HashTable *) 0x0
    class_name = 0x7fffaeae4700 " G\177"
    class_name_len = 5
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *, zend_hash_key *)) 0x5aeae4770
    #5 0x00000000005e04bf in php_object_property_dump (zv=0x2b0afc0a5498,
    num_args=1, args=0x7fffaeae47d0,
    hash_key=0x7fffaeae47b0) at
    /home/cristian/php-src/ext/standard/var.c:96
    level = 1
    prop_name = 0x2b0afc0a54c0 "zip_handler"
    class_name = 0x0
    #6 0x000000000068f27e in zend_hash_apply_with_arguments
    (ht=0x2b0afc0a5368, destruct=0x5e034b <php_object_property_dump>,
    num_args=1) at /home/cristian/php-src/Zend/zend_hash.c:710
    p = (Bucket *) 0x2b0afc0a5480
    args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area =
    0x7fffaeae48b0, reg_save_area = 0x7fffaeae47f0}}
    hash_key = {arKey = 0x2b0afc0a54c0 "zip_handler", nKeyLength =
    12, h = 16128149184387123093}
    #7 0x00000000005e099b in php_var_dump (struc=0x2b0afc0803b8, level=1)
    at /home/cristian/php-src/ext/standard/var.c:152
    myht = (HashTable *) 0x2b0afc0a5368
    class_name = 0x2b0afc0a5318 ""
    class_name_len = 6
    php_element_dump_func = (int (*)(zval **, int, struct
    __va_list_tag *,
    zend_hash_key *)) 0x5e034b <php_object_property_dump>
    #8 0x00000000005e0b5f in zif_var_dump (ht=1,
    return_value=0x2b0afc0a5958, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=0) at
    /home/cristian/php-src/ext/standard/var.c:193
    args = (zval ***) 0x2b0afc0a51c0
    argc = 1
    i = 0
    #9 0x00000000006a7cf6 in zend_do_fcall_common_helper_SPEC
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:200
    return_reference = 0 '\0'
    opline = (zend_op *) 0x2b0afc0a2058
    original_return_value = (zval **) 0x2b0afc0a52c0
    current_scope = (zend_class_entry *) 0x0
    current_this = (zval *) 0x0
    return_value_used = 0
    should_change_scope = 0 '\0'
    ctor_opline = (zend_op *) 0x9006e8ddf
    #10 0x00000000006add96 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
    (execute_data=0x7fffaeae4cd0)
    at /home/cristian/php-src/Zend/zend_vm_execute.h:1681
    opline = (zend_op *) 0x2b0afc0a2058
    fname = (zval *) 0x2b0afc0a2088
    #11 0x00000000006a7797 in execute (op_array=0x2b0afc0a18d8) at
    /home/cristian/php-src/Zend/zend_vm_execute.h:92
    execute_data = {opline = 0x2b0afc0a2058, function_state =
    {function_symbol_table = 0x2b0afc0a5520,
    function = 0x96e050, reserved = {0x2b0afc0a1a08, 0x7fffaeae4d30,
    0x67505e, 0x0}}, fbc = 0x0, op_array = 0x2b0afc0a18d8,
    object = 0x0, Ts = 0x7fffaeae4b60, CVs = 0x7fffaeae4b40,
    original_in_execution = 0 '\0', symbol_table = 0x93e168,
    prev_execute_data = 0x0, old_error_reporting = 0x0}
    #12 0x00000000006817b2 in zend_execute_scripts (type=8, retval=0x0,
    file_count=3) at /home/cristian/php-src/Zend/zend.c:1096
    files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
    0x7fffaeae4f60, reg_save_area = 0x7fffaeae4ea0}}
    i = 1
    file_handle = (zend_file_handle *) 0x7fffaeae7360
    orig_op_array = (zend_op_array *) 0x0
    local_retval = (zval *) 0x0
    #13 0x0000000000629426 in php_execute_script
    (primary_file=0x7fffaeae7360) at
    /home/cristian/php-src/main/main.c:1759
    realfile =
    "/srv/www/htdocs/class.zipper.php\000\006\000\000\177\000\000-\210h\000\000\000\000\000�203\237\n+\000\000�216\n +\000\000\006\000\000\177\000\000�\220",
    '\0' <repeats 13 times>, "\200u\177", '\0' <repeats 26 times>,
    "�\n+\000\000\001\000\000\000\177\000\000\000\000\ 000\000\000\000\000\000str_pad\000HY{\000\000\000\ 000\000�203\237\n+\000\000\000\r\n+\000\000�\177\0 00\000B\005\n+\000\000�o\000\000\000\000\000\000\1 77y\000\000\000\000\000\224\000\000\000\000\000�h" ...
    __orig_bailout = (jmp_buf *) 0x7fffaeae71e0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646008843,
    0, 140736124056960, 0, 0, -69763556645996091,
    -69707295103899789}, __mask_was_saved = 0, __saved_mask = {__val
    = {6749112, 140736124055616, 6693656,
    47321949667651, 2930667632, 0, 2186138353664, 8135640,
    47326178184376, 140736124055888, 7341490, 8135640, 474, 0,
    0, 3}}}}
    prepend_file_p = (zend_file_handle *) 0x0
    append_file_p = (zend_file_handle *) 0x0
    prepend_file = {type = 0 '\0', filename = 0x0, opened_path =
    0x0, handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    append_file = {type = 0 '\0', filename = 0x0, opened_path =
    0x0, handle = {fd = 0, fp = 0x0, stream = {
    handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive =
    0}}, free_filename = 0 '\0'}
    old_cwd = 0x7fffaeae4f80 ""
    retval = 0
    #14 0x00000000007015ec in main (argc=2, argv=0x7fffaeae7588) at
    /home/cristian/php-src/sapi/cli/php_cli.c:1108
    __orig_bailout = (jmp_buf *) 0x0
    __bailout = {{__jmpbuf = {47326178421760, -69763556646010363,
    0, 140736124056960, 0, 0, -69763556646008891,
    -69707295104778918}, __mask_was_saved = 0, __saved_mask = {__val
    = {0, 0, 0, 0, 0, 140736124056288, 0, 0, 0, 0,
    2641803917, 47326178424384, 47326178426208, 281474976710656, 0,
    0}}}}
    exit_status = 0
    c = -1
    file_handle = {type = 2 '\002', filename = 0x7fffaeae8ef1
    "class.zipper.php",
    opened_path = 0x2b0afc0a1868 'Z' <repeats 33 times>,
    "\204�217*", handle = {fd = 10963600, fp = 0xa74a90, stream = {
    handle = 0xa74a90, reader = 0x69a350 <zend_stream_stdio_reader>,
    closer = 0x69a37c <zend_stream_stdio_closer>,
    fteller = 0x69a3a3 <zend_stream_stdio_fteller>, interactive =
    0}}, free_filename = 0 '\0'}
    behavior = 1
    reflection_what = 0x0
    orig_optind = 1
    orig_optarg = 0x0
    arg_free = 0x7fffaeae8ef1 "class.zipper.php"
    arg_excp = (char **) 0x7fffaeae7590
    script_file = 0x7fffaeae8ef1 "class.zipper.php"
    interactive = 0
    module_started = 1
    request_started = 1
    lineno = 1
    exec_direct = 0x0
    exec_run = 0x0
    exec_begin = 0x0
    exec_end = 0x0
    param_error = 0x0
    hide_argv = 0
    ini_entries_len = 110



    ------------------------------------------------------------------------


    --
    Edit this bug report at [url]http://bugs.php.net/?id=38944&edit=1[/url]