Bug #50370 64bit libtdsodbc.so crash because of malloc 4 byte missing
Submitted: 2009-12-03 08:39 UTC    Modified: 2009-12-04 18:01 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: nalply at gmail dot com    Assigned:
Status: Closed    Package: ODBC related
PHP Version: 5.2.6    OS: Debian Lenny amd64
Private report: No    CVE-ID: None
 [2009-12-03 08:39 UTC] nalply at gmail dot com
Description:
------------
I have a page which reproducibly overwrites non-alloc'd memory (a write of 8 bytes instead of 4 bytes at the end of the range). It is caused by the call odbc_fetch_object() and the bad write in libtdsodbc.so.

For more details see: http://serverfault.com/questions/90100/64bit-unixodbc-and-freetds-a-bug-in-libtdsodbc-so, where there is valgrind output.

It crashes in the Apache module only. The PHP command line with Suhosin reports a canary mismatch.

Note, it is version 5.2.6-1+lenny4, that's what Debian Lenny has installed, and not 5.2.11, because the form forced me to enter this version. I won't upgrade my PHP to a newer version. Take this bug report or leave it.

It is not certain whether the bug is in PHP ODBC or in TDS ODBC, so I am going to report this bug thrice: here, there, and with Debian.

Reproduce code:
---------------
#!/usr/bin/php5
<?php

// Placeholder DSN and credentials; any ODBC DSN backed by FreeTDS will do.
$conn = odbc_connect("dsn", "user", "password");
// A one-column, one-row result set is enough to trigger the bad write.
$query = odbc_exec($conn, "SELECT 'alpha' test");

echo "Before odbc_fetch_object(); query=$query\n"; flush();
// odbc_fetch_object() is the call that makes libtdsodbc.so write 8 bytes
// into the 4-byte length field.
if ($query) $row = odbc_fetch_object($query);
echo "After odbc_fetch_row();\n"; flush();
echo "Result=" . $row->test . "\n";

?>some static text


Expected result:
----------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

Actual result:
--------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text


History
 [2009-12-03 08:41 UTC] nalply at gmail dot com
The link does not work (it is too long). Use this instead: http://bit.ly/7e028s
 [2009-12-04 09:47 UTC] freddy77 at gmail dot com
PHP 5.2.6 is the problem: in php_odbc_includes.h a len is declared as SDWORD, which is only 32-bit, while it should be 64-bit (SQLLEN).
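The width mismatch named in the comment above, shown as an added example that is not part of the bug report, of PHP, or of FreeTDS. It assumes stand-in typedefs matching what unixODBC uses on a 64-bit (LP64) build (SDWORD as a 32-bit int, SQLLEN as pointer-sized), a hypothetical driver_set_indicator() standing in for the driver's store through the StrLen_or_IndPtr argument of SQLGetData()/SQLBindCol(), and a fixed CANARY constant standing in for the heap canary Suhosin checks on efree(). The "buggy" layout is the 5.2.6 shape (4-byte length field with live data right behind it); the "fixed" layout is the 5.2.7 shape.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the unixODBC typedefs on a 64-bit (LP64) build:
 * SDWORD is a 32-bit int, SQLLEN is pointer-sized (64-bit). */
typedef int32_t  SDWORD;
typedef intptr_t SQLLEN;

#define CANARY 0xDEADBEEFu   /* stands in for the heap canary Suhosin checks */

/* Hypothetical stand-in for what the driver does with the StrLen_or_IndPtr
 * argument of SQLGetData()/SQLBindCol(): an 8-byte store through a SQLLEN pointer. */
static void driver_set_indicator(SQLLEN *ind, SQLLEN value)
{
    *ind = value;
}

/* The 5.2.6 shape: a 4-byte SDWORD length field with live data right after it.
 * The union gives the SDWORD the alignment the driver's SQLLEN store needs,
 * so the clobbering is observable without undefined behaviour in this demo. */
union buggy_slot {
    SQLLEN raw;
    struct {
        SDWORD   len;     /* what php_odbc_includes.h declared */
        uint32_t canary;  /* the neighbouring bytes the driver also overwrites */
    } f;
};

/* The 5.2.7 shape: the field has the width the driver writes. */
struct fixed_slot {
    SQLLEN   len;
    uint32_t canary;
};

/* Returns the canary after the driver's store; *len_out gets the length read back. */
uint32_t buggy_fetch(SQLLEN reported_len, SDWORD *len_out)
{
    union buggy_slot s;
    s.f.len = 0;
    s.f.canary = CANARY;
    driver_set_indicator(&s.raw, reported_len);   /* 8 bytes into a 4-byte field */
    *len_out = s.f.len;
    return s.f.canary;
}

uint32_t fixed_fetch(SQLLEN reported_len, SQLLEN *len_out)
{
    struct fixed_slot s;
    s.len = 0;
    s.canary = CANARY;
    driver_set_indicator(&s.len, reported_len);   /* widths agree, nothing spills */
    *len_out = s.len;
    return s.canary;
}

/* The check a practitioner adds: do the application's indicator variables have
 * the width the ODBC headers say the driver will write? 0 on a 64-bit build. */
int indicator_width_matches(void)
{
    return sizeof(SDWORD) == sizeof(SQLLEN);
}

int main(void)
{
    SDWORD l32 = 0;
    SQLLEN l64 = 0;
    uint32_t c;

    c = buggy_fetch(5, &l32);    /* 5 = strlen("alpha"), as in the reproducer */
    printf("SDWORD slot: len=%d canary=0x%08x %s\n", (int)l32, c,
           c == CANARY ? "intact" : "CLOBBERED");
    c = buggy_fetch(-1, &l32);   /* SQL_NULL_DATA: the high 4 bytes are all 0xff */
    printf("SDWORD slot: len=%d canary=0x%08x %s\n", (int)l32, c,
           c == CANARY ? "intact" : "CLOBBERED");
    c = fixed_fetch(5, &l64);
    printf("SQLLEN slot: len=%ld canary=0x%08x %s\n", (long)l64, c,
           c == CANARY ? "intact" : "CLOBBERED");
    printf("sizeof(SDWORD)=%zu sizeof(SQLLEN)=%zu match=%d\n",
           sizeof(SDWORD), sizeof(SQLLEN), indicator_width_matches());
    return 0;
}
```

Note that on a little-endian host the SDWORD field still reads back the correct length in both cases, which is why the reporter's script printed "Result=alpha" and only the canary check on efree() noticed anything: the damage is entirely in the four bytes after the field.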
 [2009-12-04 18:01 UTC] fa@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Fixed in 5.2.7 - only place to report this would be Debian then.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 13:01:30 2024 UTC