Bug #3640 memory overwrite in expand_filepath when using include("../somefile.inc")
Submitted: 2000-02-26 23:09 UTC Modified: 2000-02-27 00:23 UTC
From: gwh at acm dot org Assigned:
Status: Closed Package: Reproducible Crash
PHP Version: 4.0 Beta 4 Patch Level 1 OS: Windows NT 4.0 Server SP 5
Private report: No CVE-ID: None
 [2000-02-26 23:09 UTC] gwh at acm dot org
modules utilized in this test: (commented out all extensions, recompiled debug non thread safe under VC++5)
php.exe
phpnts.dll

Friends,

It took me a while to figure this out, since I have run the same code on all versions from php3 through the php4 betas and onto php4pl1, without this type of failure. Here is the problem. I may be the only one that uses an include statement of a file in a parent directory, but it's failing now. I've distilled it down to two simple scripts.

let's say your sites sit under the path: d:\websites\website1

place the script "empty.inc" in the directory d:\websites, containing
<?php
print("empty");
?>

place another script "testempty.php" in the directory d:\websites\websites1, containing
<?php
include("../empty.inc");
print("testempty");
?>

my document root is d:\websites\websites1 and when I reference http:\\website1\testempty.php I get a debug assertion (rebuilt the modules in debug mode, non-threadsafe, compiled in VC5.0) in dbgheap.c, line 1017, in the function free_dbg_lk. Here is the backtrace:

dbgheap.c, 1017: _free_dbg_lk(void *,int)
dbgheap.c, 970: _free_dbg(void *,int)
dbgheap.c, 926: free(void *)
fopen-wrappers.c, 989: expand_filepath(char *)
fopen-wrappers.c, 336: php_open_with_path(char *,char *,char *,char *)
...

The problem occurs in expand_filepath(). It is passed the pathname of "../empty.inc". The parent directory file reference causes this code to execute in line 976:

if(filepath[1] == '.') {
    /* erase the last directory name from the path */
    while(*cwd_end != '/') {
        *cwd_end-- = 0;
    }
    filepath++;
}
if(cwd_end > cwd && (*cwd_end == '/')) {
    *cwd_end-- = 0;
}

The problem happens because on windows getcwd() returns "d:\websites\website1". Notice the backslashes. I don't know why this hasn't failed before. The loop while(*cwd_end!='/') *cwd_end--=0 happily zeros the string going back, back, ba,ba,ba,ba,ba,ba baaaak (chris berman, ESPN) until it finds a forward slash.

When it gets down to the statement "free(cwd)" in line 989, all of the malloc information is destroyed and it asserts, and would cause an exception if it goes any further.

I modified the code to add another check for the alternate case:

if(filepath[1] == '.') {
    /* erase the last directory name from the path */
    while(*cwd_end != '/' && *cwd_end != '\\') {
        *cwd_end-- = 0;
    }
    filepath++;
}
if(cwd_end > cwd && (*cwd_end == '/' || *cwd_end == '\\')) {
    *cwd_end-- = 0;
}

This compiled and worked wonderfully. I scanned the rest of the code for getcwd() and I didn't see any other direct exposures due to the slashes on windows.

Regards,
Garfield

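As an added example (not code from the report or from PHP's fopen-wrappers.c), the following C program puts the reporter's backward-scanning loop beside a hardened version that accepts both separators and refuses to step before the start of cwd. Both run on a constructed Windows-style cwd inside a padded arena with a '/' sentinel and canary bytes, so the underrun is measured instead of corrupting heap bookkeeping; the arena layout, GUARD size and function names are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 8  /* canary bytes placed just before cwd in the arena */
/* The loop from the report: zero backwards until a '/' is found. A Windows
   cwd such as "d:\websites\website1" has no '/', so it walks past cwd[0]. */
static void strip_last_dir_buggy(char *cwd_end)
{
    while (*cwd_end != '/')
        *cwd_end-- = 0;
}

/* Hardened form: accept both separators and never step before cwd[0]. */
static void strip_last_dir_fixed(char *cwd, char *cwd_end)
{
    while (cwd_end > cwd && *cwd_end != '/' && *cwd_end != '\\')
        *cwd_end-- = 0;
    if (cwd_end > cwd && (*cwd_end == '/' || *cwd_end == '\\'))
        *cwd_end = 0;  /* drop the separator itself */
}

/* Constructed arena: '/' sentinel, GUARD canaries ('X'), then the cwd string.
   The sentinel stops the buggy loop inside the arena; zeroed canaries count
   how far below cwd[0] it wrote. Returns that count; resulting cwd -> out. */
static int run_strip(const char *cwd_value, int fixed, char *out, size_t outsz)
{
    size_t n = strlen(cwd_value);
    char *arena = malloc(1 + GUARD + n + 1);
    char *cwd = arena + 1 + GUARD;
    int zeroed = 0;
    arena[0] = '/';
    memset(arena + 1, 'X', GUARD);
    memcpy(cwd, cwd_value, n + 1);
    if (fixed) strip_last_dir_fixed(cwd, cwd + n - 1);
    else       strip_last_dir_buggy(cwd + n - 1);
    for (int i = 0; i < GUARD; i++) zeroed += (arena[1 + i] == 0);
    snprintf(out, outsz, "%s", cwd);
    free(arena);
    return zeroed;
}

int main(void)
{
    char out[64];
    int z = run_strip("d:\\websites\\website1", 0, out, sizeof out);
    printf("buggy: %d canary bytes zeroed\n", z);
    z = run_strip("d:\\websites\\website1", 1, out, sizeof out);
    printf("fixed: %d zeroed, cwd now \"%s\"\n", z, out);
    return 0;
}
```

In the real module there is no sentinel, so the same writes land in the allocator's metadata, which is why the report sees the assertion only at free(cwd).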
 [2000-02-27 00:23 UTC] andi at cvs dot php dot net
Thanks for the detailed bug report. I applied your fix.