PHP :: Bug #76085 :: Segmentation fault in buildFromIterator when directory name contains a \n

Bug #76085	Segmentation fault in buildFromIterator when directory name contains a \n
Submitted:	2018-03-12 22:17 UTC	Modified:	-
From:	andygrunwald at gmail dot com	Assigned:
Status:	Closed	Package:	PHAR related
PHP Version:	7.2.3	OS:	macOS (10.13.3) & FreeBSD 11.1
Private report:	No	CVE-ID:	None

View Developer Edit

[2018-03-12 22:17 UTC] andygrunwald at gmail dot com

Description:
------------
This bug was found while packaging the v1.5.3 tag of https://github.com/Codeception/Codeception/tree/1.5.3 with Satis (https://github.com/composer/satis).

In the "Dumping" step (packaging a repository into a tar file", Satis segfaulted.
Tracing down the bug showed that the git tag v1.5.3 of Codeception/Codeception had two "tests" folders. See https://github.com/Codeception/Codeception/tree/1.5.3

1. tests (https://github.com/Codeception/Codeception/tree/1.5.3/tests)
2. tests\n (https://github.com/Codeception/Codeception/tree/1.5.3/tests%0A)

The second test folder is the root cause for a segmentation fault while using \PharData and buildFromIterator.

This was tested on two setups.
Setup #1

# uname -a
FreeBSD package0.trivago.com 11.1-RELEASE-p4 FreeBSD 11.1-RELEASE-p4 #0: Tue Nov 14 06:12:40 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

# php -v
PHP 7.2.3 (cli) (built: Mar  5 2018 09:35:26) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.3, Copyright (c) 1999-2018, by Zend Technologies

# php -m
[PHP Modules]
amqp
apcu
Core
ctype
curl
date
dom
fileinfo
filter
ftp
gd
hash
iconv
intl
json
libxml
mbstring
mcrypt
memcached
mysqli
mysqlnd
openssl
pcre
PDO
Phar
posix
redis
Reflection
session
SimpleXML
soap
SPL
standard
tokenizer
xml
xmlreader
xmlwriter
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

# php -r 'var_dump(phpversion("phar"));'
string(5) "2.0.2"


Setup #2 (macOS High Sierra 10.13.3)

➜ uname -a
Darwin NAME 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

➜ php -v
PHP 7.2.3 (cli) (built: Mar  8 2018 10:30:06) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.3, Copyright (c) 1999-2018, by Zend Technologies

➜ php -m
[PHP Modules]
apcu
ast
bcmath
bz2
calendar
Core
ctype
curl
date
dba
dom
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
igbinary
imap
intl
json
ldap
libxml
mbstring
memcached
mysqli
mysqlnd
odbc
openssl
pcntl
pcre
PDO
pdo_dblib
pdo_mysql
PDO_ODBC
pdo_pgsql
pdo_sqlite
pgsql
Phar
phpdbg_webhelper
posix
pspell
readline
redis
Reflection
session
shmop
SimpleXML
snmp
soap
sockets
sodium
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tidy
tokenizer
wddx
xml
xmlreader
xmlrpc
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

➜ php -r 'var_dump(phpversion("phar"));'
string(5) "2.0.2"


Anything else needed?


Test script:
---------------
<?php

/**
 * 1. Create a crash.php and add the code written below into the file
 * 2. Go into the directory where the crash.php is located and execute the commands
 *      $ mkdir -p package-me/tests$'\n'
 *      $ touch package-me/tests$'\n'/Test.php
 * 3. Execute `php crash.php`
 * 
 * Current result:
 *      $ [1]    1487 segmentation fault  php crash.php
 */

$target = __DIR__ . DIRECTORY_SEPARATOR . 'target.tar';
$source = __DIR__ . DIRECTORY_SEPARATOR . 'package-me';

$phar = new \PharData($target, null, null, \Phar::TAR);
$phar->buildFromIterator(
    new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($source, FilesystemIterator::SKIP_DOTS)
    ),
    $source);

Expected result:
----------------
No segmentation fault

Actual result:
--------------
#0  0x000000080b71e159 in phar_path_check () from /usr/local/lib/php/20170718/phar.so
#1  0x000000080b6f7ce1 in phar_get_entry_info_dir () from /usr/local/lib/php/20170718/phar.so
#2  0x000000080b6f7738 in phar_get_entry_data () from /usr/local/lib/php/20170718/phar.so
#3  0x000000080b6f8df1 in phar_get_or_create_entry_data () from /usr/local/lib/php/20170718/phar.so
#4  0x000000080b716c77 in zim_Phar_buildFromDirectory () from /usr/local/lib/php/20170718/phar.so
#5  0x0000000000471a72 in spl_iterator_apply ()
#6  0x000000080b717071 in zim_Phar_buildFromIterator () from /usr/local/lib/php/20170718/phar.so
#7  0x0000000000602e11 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER ()
#8  0x00000000005c6228 in execute_ex ()
#9  0x00000000005c63b0 in zend_execute ()
#10 0x0000000000583643 in zend_execute_scripts ()
#11 0x000000000051f9fe in php_execute_script ()
#12 0x00000000006535d0 in do_cli ()
#13 0x00000000006526d4 in main ()
#14 0x000000000041fc7f in _start ()
#15 0x0000000800a32000 in ?? ()
#16 0x0000000000000000 in ?? ()

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-03-13 04:58 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4ee9098514bcc4e56dfd9cb444283739c36cb6e3
Log: Fixed bug #76085 (Segmentation fault in buildFromIterator when directory name contains a \n)

[2018-03-13 04:58 UTC] laruence@php.net

-Status: Open +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 08:01:29 2024 UTC