x86的机器,linux装在vmware里面。
问题最后定位到了bbs2_readfile()函数里面。
gdb不是很熟悉,在函数里面开了一个文件,把变量输出到一个日志文件中。
/*
* refer Ecma-262
* '\033' -> \r (not exactly the same thing, but borrow...)
* '\n' -> \n
* '\\' -> \\
* '\'' -> \'
* '\"' -> \"
* '\0' -> possible start of attachment
* 0 <= char < 32 -> ignore
* others -> passthrough
*/
PHP_FUNCTION(bbs2_readfile)
{
char *filename;
int filename_len;
char *output_buffer;
int output_buffer_len, output_buffer_size, j,i;
char c;
char *ptr, *cur_ptr;
off_t ptrlen, mmap_ptrlen;
int in_chinese = false;
int chunk_size = 51200;
FILE *logs = fopen("/home/bbs/log/debug.txt","w+");
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s",
&filename, &filename_len) == FAILURE) {
fprintf(logs,"begin to parse parameter\n");
WRONG_PARAM_COUNT;
}
// ptr is the content of the file, mmap_ptrlen is the length of the file
if (safe_mmapfile(filename, O_RDONLY, PROT_READ, MAP_SHARED,
&ptr, &mmap_ptrlen, NULL) == 0) {
fprintf(logs,"safe_mmapfile() error\n");
RETURN_LONG(-1);
}
fprintf(logs,"the file size = %ld\n", mmap_ptrlen);
j = ptrlen = mmap_ptrlen;
if (j > chunk_size) j = chunk_size;
output_buffer_size = 2 * j + 16;
output_buffer = (char* )emalloc(output_buffer_size);
output_buffer_len = 0;
cur_ptr = ptr;
strcpy(output_buffer + output_buffer_len, "prints('");
output_buffer_len += 8;
while (1) {
for (; j > 0 ; j--) {
c = *cur_ptr;
if (c == '\0') { //we find an attachment here! there are eight '\0' next
fprintf(logs, "ptrlen: %ld \t", ptrlen);
for(i=0;i<8;i++)
fprintf(logs,"%02X ", cur_ptr[i]);
上面红色的语句加上以后,带附件的文章完全正常了,日志输出也完全正确,
但是没有附件的文章根本打不开了,函数根本不返回,浏览器里面30秒超时退出.
如果没有上面的语句的话情况刚好翻过来
if (ptrlen >= ATTACHMENT_SIZE + sizeof(int) + 2) {
if (!memcmp(cur_ptr, ATTACHMENT_PAD, ATTACHMENT_SIZE)) {
fprintf(logs,"\tgo to deal with attchment.\n");
ptrlen = -ptrlen;
break;
}
}
ptrlen--; cur_ptr++;
continue;
}
if (c < 0) { //this byte and the next byte consist of a hanzi
in_chinese = !in_chinese;
output_buffer[output_buffer_len++] = c;
} else {
do {
if (c == '\n') {
c = 'n';
} else if (c == '\033') {
c = 'r';
} else if (c != '\\' && c != '\'' && c != '\"' && c != '/' ) {
/* to prevent things like </script> */
if (c >= 32)
output_buffer[output_buffer_len++] = c;
break;
}
if (in_chinese && c == 'n') { //jump half hanzi
output_buffer[output_buffer_len++] = ' ';
}
output_buffer[output_buffer_len++] = '\\';
output_buffer[output_buffer_len++] = c;
} while(0);
in_chinese = false;
}
ptrlen--; cur_ptr++;
}
if (ptrlen <= 0) break;
j = ptrlen;
if (j > chunk_size) j = chunk_size;
output_buffer_size += 2 * j;
output_buffer = (char*)erealloc(output_buffer, output_buffer_size);
if (output_buffer == NULL) RETURN_LONG(3);
}
if (in_chinese) {
output_buffer[output_buffer_len++] = ' ';
}
strncpy(output_buffer + output_buffer_len, "');", 3);
output_buffer_len += 3;
if (ptrlen < 0) { //attachment
char *attachfilename, *attachptr;
char buf[1024]; //filename, attach_len, and attach_pos
char *startbufptr, *bufptr;
long attach_len, attach_pos, newlen;
int l;
ptrlen = -ptrlen;
strcpy(buf, "attach('");
startbufptr = buf + strlen(buf);
while(ptrlen > 0) {
if (((attachfilename = checkattach(cur_ptr, ptrlen,
&attach_len, &attachptr)) == NULL)) {
break;
}
attach_pos = attachfilename - ptr;
newlen = attachptr - cur_ptr + attach_len;
cur_ptr += newlen;
ptrlen -= newlen;
if (ptrlen < 0) break;
bufptr = startbufptr;
while(*attachfilename != '\0') {
switch(*attachfilename) {
case '\'':
case '\"':
case '\\':
*bufptr++ = '\\'; /* TODO: boundary check */
/* break is missing *intentionally* */
default:
*bufptr++ = *attachfilename++; /* TODO: boundary check */
}
}
sprintf(bufptr, "', %ld, %ld);", attach_len, attach_pos);
/* TODO: boundary check */
l = strlen(buf);
if (output_buffer_len + l > output_buffer_size) {
output_buffer_size = output_buffer_size + sizeof(buf) * 10;
output_buffer = (char*)erealloc(output_buffer, output_buffer_size);
if (output_buffer == NULL) RETURN_LONG(3);
}
strcpy(output_buffer + output_buffer_len, buf);
output_buffer_len += l;
}
}
end_mmapfile(ptr, mmap_ptrlen, -1);
fclose(logs);
RETVAL_STRINGL(output_buffer, output_buffer_len, 0);
}
【 在 atppp (Big Mouse) 的大作中提到: 】
: 机器什么系统?x86? x64?
--
FROM 202.112.11.*