Bug 47215

Summary: mod_substitute doesn't work if more than one substitute is specified with default options
Product: Apache httpd-2 Reporter: avpauls
Component: mod_substituteAssignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: blocker    
Priority: P2    
Version: 2.2.11   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: httpd.conf
strace result

Description avpauls 2009-05-18 04:20:51 UTC
OS: RHEL5.3 i386/x86_64

From httpd.conf:
LoadModule substitute_module modules/mod_substitute.so
<Location />
        AddOutputFilterByType SUBSTITUTE text/html
        Substitute "s|you|you+|"
        Substitute "s|HTTP|HTTP+|"

[root@test-el5-x86_64 apache]# wget
Connecting to connected.
HTTP request sent, awaiting response... No data received.

httpd process eats all available memory and exit with segmentation fault:
[Mon May 18 16:30:33 2009] [notice] child pid 13757 exit signal Segmentation fault (11), possible coredump in /tmp

If I use 'q' flag all works fine:
LoadModule substitute_module modules/mod_substitute.so
<Location />
        AddOutputFilterByType SUBSTITUTE text/html
        Substitute "s|you|you+|q"
        Substitute "s|HTTP|HTTP+|q"

httpd.conf, strace log, core file will be attached.
Comment 1 avpauls 2009-05-18 04:21:38 UTC
Created attachment 23679 [details]
Comment 2 avpauls 2009-05-18 04:33:33 UTC
Created attachment 23680 [details]
Comment 3 avpauls 2009-05-18 04:34:38 UTC
Created attachment 23681 [details]

httpd was built using attached spec file
Comment 4 avpauls 2009-05-18 04:35:44 UTC
Created attachment 23682 [details]
strace result
Comment 5 Ruediger Pluem 2009-05-18 09:37:34 UTC
Can you please also supply the html file that can be found at
Comment 6 avpauls 2009-05-18 21:14:17 UTC
Created attachment 23686 [details]

Really every file with substituted strings will cause described behavior.
Comment 7 Ruediger Pluem 2009-05-21 12:19:46 UTC
Sorry but I cannot reproduce this. What is the contents of /var/www/error/noindex.html?
The core dump isn't really helpful as it is very machine specific. Could you please analyse it on the machine where the crash happened and provide a backtrace?
Comment 8 avpauls 2009-05-21 21:07:14 UTC
Backtrace is not very informative (and all this information can be taken from "strace result"):
Loaded symbols for /lib64/libwrap.so.0
Reading symbols from /usr/lib64/php4/xmlrpc.so...done.
Loaded symbols for /usr/lib64/php4/xmlrpc.so
Core was generated by `/usr/sbin/httpd'.
Program terminated with signal 11, Segmentation fault.
[New process 21731]
#0  0x00002b0a07f59477 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00002b0a07f59477 in memcpy () from /lib64/libc.so.6
Cannot access memory at address 0x7fffa4aeec78

backtrace for RHEL5 i386, RHES4 i386 looks the same.
What other info can I provide ?
Comment 9 avpauls 2009-05-21 21:10:05 UTC
Created attachment 23704 [details]

as requested, but i've already said that for me this issue is reproduced on every file with substituted strings
Comment 10 avpauls 2009-06-02 00:17:53 UTC
Is some other info required ?
Comment 11 Tom Donovan 2010-01-23 07:18:40 UTC
Reproduced problem on httpd 2.2.11
This was fixed by r766001 (httpd 2.2.12)