Bug #16940 openssl_private_decrypt SIGSEGV
Submitted: 2002-05-01 03:14 UTC Modified: 2002-05-01 04:20 UTC
From: isilva at -NOSPAM-iis dot com dot br Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 4.2.0 OS: Slackware Linux 2.4.18
Private report: No CVE-ID: None
 [2002-05-01 03:14 UTC] isilva at -NOSPAM-iis dot com dot br
When trying to decrypt a wrong cipher, PHP SIGSEGVs. As far as I could analyse, when decrypting, if something goes wrong the actual code leaves just garbage in the memory area where there should be some data. The backtrace follows.

'./configure' '--with-apache=../apache_1.3.24' '--with-config-file-path=/var/lib/apache/conf' '--enable-sysvsem' '--enable-sysvshm' '--enable-sigchild' '--enable-shmop' '--enable-mailparse' '--enable-magic-quotes' '--enable-bcmath' '--enable-trans-sid' '--enable-track-vars' '--enable-sockets' '--enable-calendar' '--enable-dbase' '--enable-ftp' '--with-zip=../zziplib-0.10.27' '--with-zlib' '--with-bz2' '--with-gzip' '--with-db' '--with-db2' '--with-gdbm' '--with-mysql=/usr/local' '--with-xml' '--with-expat-dir=../expat-1.95.2' '--with-gd=../gd-1.8.4' '--with-png-dir=/usr' '--with-jpeg-dir=/usr' '--with-imap=../c-client' '--with-imap-ssl=/etc/ssl' '--with-mcrypt=../libmcrypt-2.5.0' '--with-openssl=/usr' '--with-gettext=/usr' '--with-mcal=../libmcal' '--enable-debug'


Program received signal SIGSEGV, Segmentation fault.
0x08192395 in _efree (ptr=0x17, __zend_filename=0x829a43a "openssl.c",
    __zend_lineno=2413, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at zend_alloc.c:222
222       CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) bt
#0  0x08192395 in _efree (ptr=0x17, __zend_filename=0x829a43a "openssl.c",
    __zend_lineno=2413, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at zend_alloc.c:222
#1  0x0811de8a in zif_openssl_private_decrypt (ht=4, return_value=0x84c3e4c,
    this_ptr=0x0, return_value_used=0) at openssl.c:2413
#2  0x081c9023 in execute (op_array=0x84c1c1c) at ./zend_execute.c:1598
#3  0x081a3c90 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:810
#4  0x080cc4d6 in php_execute_script (primary_file=0xbffff3d0) at main.c:1381
#5  0x081aee57 in apache_php_module_main (r=0x847d334, display_source_mode=0)
    at sapi_apache.c:90
#6  0x080c8c26 in send_php ()
#7  0x080c8c83 in send_parsed_php ()
#8  0x081d31f3 in ap_invoke_handler ()
#9  0x081e7ba1 in process_request_internal ()
#10 0x081e7fcc in ap_internal_redirect ()
#11 0x0808ba4b in mod_gzip_redir1_handler ()
#12 0x0808a3d5 in mod_gzip_handler ()
#13 0x081d31f3 in ap_invoke_handler ()
#14 0x081e7ba1 in process_request_internal ()
#15 0x081e7c00 in ap_process_request ()
#16 0x081def65 in child_main ()
#17 0x081df114 in make_child ()
#18 0x081df26f in startup_children ()
#19 0x081df8c0 in standalone_main ()
#20 0x081e0087 in main ()
#21 0x4033d74f in __libc_start_main () from /lib/libc.so.6

History
 [2002-05-01 03:15 UTC] isilva at -NOSPAM-iis dot com dot br
will try to fix.
 [2002-05-01 03:34 UTC] wez@php.net
Please include a short script that reproduces this error.
 [2002-05-01 03:58 UTC] wez@php.net
I believe that I have found the problem; the zend_error call uses a %s format specifier, but does not provide a string to print out.
I've committed a fix; please try a stable snapshot from snaps.php.net created some time after this report is dated (to make sure you have one with the fix).

 [2002-05-01 03:59 UTC] isilva at -NOSPAM-iis dot com dot br
I did find the error.

cryptedbuf should be initialized as NULL, but was being initialized as a normal, out-of-bounds pointer.

Lines 2362 and 2483, where it is written

unsigned char *cryptedbuf;

should be

unsigned char *cryptedbuf = NULL;

That solves the problem.
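As an added example (not code from this thread or from PHP's openssl.c), here is a reduced C model of the error path the report describes: a toy stand-in for RSA_private_decrypt() fails on a malformed input, nothing ever assigns cryptedbuf, and the shared cleanup then frees it only if it was allocated. The names toy_rsa_private_decrypt and model_private_decrypt, the two-byte 0xC1 0xD2 header and the XOR mask are assumptions invented for the example; the real extension uses emalloc/efree and OpenSSL's RSA_private_decrypt.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for RSA_private_decrypt() (constructed for this example):
 * a "valid" ciphertext starts with the bytes 0xC1 0xD2 and the payload is
 * XOR-masked with 0x5A. Returns the plaintext length, or -1 on failure,
 * mirroring the OpenSSL call it models. */
static int toy_rsa_private_decrypt(const unsigned char *in, int inlen,
                                   unsigned char *out)
{
    if (inlen < 2 || in[0] != 0xC1 || in[1] != 0xD2)
        return -1;                      /* "wrong cipher": decrypt fails */
    for (int i = 2; i < inlen; i++)
        out[i - 2] = in[i] ^ 0x5A;
    return inlen - 2;
}

/* Model of the PHP function's control flow. Returns 1 and hands *out to the
 * caller on success; returns 0 with *out == NULL on failure. */
int model_private_decrypt(const unsigned char *data, int datalen,
                          unsigned char **out, int *outlen)
{
    unsigned char *cryptedbuf = NULL;   /* the fix: was left uninitialised */
    unsigned char *crypttemp;
    int cryptedlen;
    int successful = 0;

    *out = NULL;
    *outlen = 0;

    crypttemp = malloc((size_t)datalen + 1);
    if (crypttemp == NULL)
        return 0;

    cryptedlen = toy_rsa_private_decrypt(data, datalen, crypttemp);
    if (cryptedlen != -1) {
        /* Only the success branch ever assigns cryptedbuf. */
        cryptedbuf = malloc((size_t)cryptedlen + 1);
        if (cryptedbuf != NULL) {
            memcpy(cryptedbuf, crypttemp, (size_t)cryptedlen);
            cryptedbuf[cryptedlen] = '\0';
            successful = 1;
        }
    }
    free(crypttemp);

    if (successful) {
        *out = cryptedbuf;
        *outlen = cryptedlen;
        return 1;
    }

    /* Shared cleanup. With the NULL initialisation this guard skips the
     * free on the failure path; without it, cryptedbuf holds whatever was
     * on the stack (0x17 in the reported trace) and free() walks off it. */
    if (cryptedbuf)
        free(cryptedbuf);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed toy ciphertext of "ok", and junk. */
    const unsigned char good[] = { 0xC1, 0xD2, 'o' ^ 0x5A, 'k' ^ 0x5A };
    const unsigned char junk[] = { 0x00, 0x01, 0x02 };
    unsigned char *plain;
    int plainlen;

    if (model_private_decrypt(good, (int)sizeof good, &plain, &plainlen)) {
        printf("decrypted %d bytes: %s\n", plainlen, plain);
        free(plain);
    }
    if (!model_private_decrypt(junk, (int)sizeof junk, &plain, &plainlen))
        printf("wrong cipher rejected cleanly, out=%p\n", (void *)plain);
    return 0;
}
```

The guard around the free is what the crash went through: with the pointer initialised the failure path is a no-op (and free(NULL) would be harmless even without the guard), while the original declaration left an indeterminate value for the guard to test. Compiling the extension with -Wall would have flagged the pattern in many builds (gcc's -Wmaybe-uninitialized), and -Wformat catches a "%s" with no matching argument of the kind mentioned earlier in the thread, provided the warning function is declared with a printf-style format attribute.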
 [2002-05-01 04:01 UTC] isilva at -NOSPAM-iis dot com dot br
I did see that error and thought that that was the error at first, but was not successful. Initializing cryptedbuf as NULL did solve the problem.

Thanks for the help.
 [2002-05-01 04:20 UTC] wez@php.net
I was just about to write what you mentioned but my connection dropped. The fix was already in CVS HEAD, but not in 4.2.
Thanks for your help in reporting this: the fix will be in 4.2.1.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC