Edit report at https://bugs.php.net/bug.php?id=64830&edit=1
ID: 64830
Comment by: bluewind at xinu dot at
Reported by: bluewind at xinu dot at
Summary: mimetype detection segfaults on mp3 file
Status: Feedback
Type: Bug
Package: Unknown/Other Function
Operating System: Arch Linux
PHP Version: 5.4.15
Block user comment: N
Private report: N
New Comment:
Simple backtrace of the cli executable below. Do you want a full one or is this
enough?
#0 0x00007ffff67751c9 in raise () from /usr/lib/libc.so.6
#1 0x00007ffff67765c8 in abort () from /usr/lib/libc.so.6
#2 0x00007ffff67b3037 in __libc_message () from /usr/lib/libc.so.6
#3 0x00007ffff67b88ae in malloc_printerr () from /usr/lib/libc.so.6
#4 0x00007ffff67b9587 in _int_free () from /usr/lib/libc.so.6
#5 0x0000000000586026 in mget (ms=0x7ffff7e1db78, s=0x7ffff5f87070 "ID3\004",
m=0xa8cc40 <php_magic_database+1754848>, nbytes=262144, o=0, cont_level=1,
mode=32, text=0, flip=0, recursion_level=1, printed_something=0x7fffffff99b0,
need_separator=0x7fffffff99ac,
returnval=0x7fffffff98f8) at
/home/flo/git/php-src/ext/fileinfo/libmagic/softmagic.c:1702
#6 0x000000000058253e in match (ms=0x7ffff7e1db78, magic=0x8e0658
<php_magic_database+248>, nmagic=9899, s=0x7ffff5f87070 "ID3\004",
nbytes=262144, offset=0, mode=32, text=0, flip=0, recursion_level=0,
printed_something=0x7fffffff99b0, need_separator=0x7fffffff99ac,
returnval=0x7fffffff98f8) at
/home/flo/git/php-src/ext/fileinfo/libmagic/softmagic.c:244
#7 0x000000000058200c in file_softmagic (ms=0x7ffff7e1db78, buf=0x7ffff5f87070
"ID3\004", nbytes=262144, mode=32, text=0) at
/home/flo/git/php-src/ext/fileinfo/libmagic/softmagic.c:82
#8 0x000000000057fe43 in file_buffer (ms=0x7ffff7e1db78,
stream=0x7ffff7e1d368, inname=0x0, buf=0x7ffff5f87070, nb=262144) at
/home/flo/git/php-src/ext/fileinfo/libmagic/funcs.c:238
#9 0x0000000000580ed7 in file_or_stream (ms=0x7ffff7e1db78, inname=0x0,
stream=0x7ffff7e1d368) at
/home/flo/git/php-src/ext/fileinfo/libmagic/magic.c:412
#10 0x0000000000580cba in magic_stream (ms=0x7ffff7e1db78,
stream=0x7ffff7e1d368) at
/home/flo/git/php-src/ext/fileinfo/libmagic/magic.c:344
#11 0x0000000000573b0c in _php_finfo_get_type (ht=1,
return_value=0x7ffff7e1ebd0, return_value_ptr=0x0, this_ptr=0x7ffff7ff7a08,
return_value_used=1, mode=2, mimetype_emu=0) at
/home/flo/git/php-src/ext/fileinfo/fileinfo.c:540
#12 0x0000000000573d21 in zif_finfo_file (ht=1, return_value=0x7ffff7e1ebd0,
return_value_ptr=0x0, this_ptr=0x7ffff7ff7a08, return_value_used=1) at
/home/flo/git/php-src/ext/fileinfo/fileinfo.c:578
#13 0x00000000007cd002 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7ffff7fbb1c8) at
/home/flo/git/php-src/Zend/zend_vm_execute.h:643
#14 0x00000000007cd66c in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER
(execute_data=0x7ffff7fbb1c8) at
/home/flo/git/php-src/Zend/zend_vm_execute.h:754
#15 0x00000000007cc5c1 in execute (op_array=0x103c1d0) at
/home/flo/git/php-src/Zend/zend_vm_execute.h:410
#16 0x000000000079376c in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /home/flo/git/php-src/Zend/zend.c:1315
#17 0x000000000070ff28 in php_execute_script (primary_file=0x7fffffffd3b0) at
/home/flo/git/php-src/main/main.c:2492
#18 0x00000000008337f4 in do_cli (argc=2, argv=0x7fffffffd748) at
/home/flo/git/php-src/sapi/cli/php_cli.c:988
#19 0x0000000000834799 in main (argc=2, argv=0x7fffffffd748) at
/home/flo/git/php-src/sapi/cli/php_cli.c:1364
Previous Comments:
------------------------------------------------------------------------
[2013-05-13 18:02:18] [email protected]
Can you try using CLI please?
And it would be very helpful to either use a debug build or load the debug
symbols to generate the backtrace.
------------------------------------------------------------------------
[2013-05-13 17:58:07] bluewind at xinu dot at
Description:
------------
Uploading an mp3 file or using fileinfo to check the mimetype of an mp3 file
causes a crash.
5.4.14 works fine, 5.4.15 crashes.
I bisected it down to 10367fa7c6a4a2cf9bee02d8905e284185428f09.
Doesn't seem to happen for every mp3 file so here's the one I used:
http://flo.server-speed.net/tmp/php-bug-mp3/test.mp3
If you need any more information to track it down or can't reproduce it, I'm
happy to help.
Test script:
---------------
<?php
function mimetype($file) {
    $fileinfo = new finfo(FILEINFO_MIME_TYPE);
    $mimetype = $fileinfo->file($file);
    return $mimetype;
}
echo mimetype("test.mp3")."\n";
Expected result:
----------------
Output should be "audio/mpeg" and it shouldn't crash.
Actual result:
--------------
*** Error in `/home/flo/git/php-src/sapi/cgi/php-cgi': munmap_chunk(): invalid pointer: 0x00007f31e3dc24f0 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x788ae)[0x7f31e258a8ae]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x5860d6]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x5825ee]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x5820bc]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x57fef3]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x580f87]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x580d6a]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x573bbc]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x573dd1]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x7cd0b2]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x7cd71c]
/home/flo/git/php-src/sapi/cgi/php-cgi(execute+0x369)[0x7cc671]
/home/flo/git/php-src/sapi/cgi/php-cgi(zend_execute_scripts+0x23c)[0x79381c]
/home/flo/git/php-src/sapi/cgi/php-cgi(php_execute_script+0x370)[0x70ffd8]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x8370bb]
/usr/lib/libc.so.6(__libc_start_main+0xf5)[0x7f31e2533a15]
/home/flo/git/php-src/sapi/cgi/php-cgi[0x41fca9]
------------------------------------------------------------------------