Bug #45575 [PATCH] Segfault with invalid non-string as event handler callback
Submitted: 2008-07-21 07:51 UTC Modified: 2008-10-07 18:25 UTC
From: chris_se at gmx dot net Assigned: felipe (profile)
Status: Closed Package: InterBase related
PHP Version: 5.2.6 OS: *
Private report: No CVE-ID: None
 [2008-07-21 07:51 UTC] chris_se at gmx dot net
Description:
------------
Same problem as with bug #45555 - just for a different extension: The interbase extension accepts arbitrary zvals as callbacks (which is fine) but always uses Z_STRVAL(zval) to display an error message if the callback is invalid. This will cause a segfault if e.g. int(1) is passed as a callback.

The following patch against PHP_5_3 (it also applies against PHP 5.2) solves the problem (there are two places where error messages are generated):

http://www.christian-seiler.de/temp/ibase-5.3.patch

And the same patch ported to HEAD:

http://www.christian-seiler.de/temp/ibase-6.patch

Please note that I only found this bug because I did a source review of all core extensions that call callbacks in order to ensure they are compatible with closures. I have no knowledge or experience whatsoever with Interbase or Firebird so I can't actually test this. But by reading the source it is clear that this will crash PHP (see bug #45555 where the same problem occurred but where I could test the issue).

Reproduce code:
---------------
Probably something like:
ibase_set_event_handler($connection, 1, "whatever");

Expected result:
----------------
Callback argument 1 is not a callable function

Actual result:
--------------
Segmentation fault.
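The defect class in this report, a type-confused union read on the error path, shown as an added C sketch (not the interbase extension's code and not the submitted patch; PHP's real zval layout differs). The `zv` type, `is_callable` and `set_event_handler` are constructed stand-ins, and the accepted handler name `my_handler` is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PHP's zval: a type tag plus a union payload. */
enum { IS_LONG, IS_STRING, IS_ARRAY };
typedef struct { int type; union { long lval; const char *str; } value; } zv;

#define Z_TYPE(z)   ((z).type)
#define Z_LVAL(z)   ((z).value.lval)
#define Z_STRVAL(z) ((z).value.str)   /* only meaningful when Z_TYPE == IS_STRING */

/* Hypothetical callable check: only a string naming a known function qualifies. */
static int is_callable(const zv *cb) {
    return Z_TYPE(*cb) == IS_STRING && strcmp(Z_STRVAL(*cb), "my_handler") == 0;
}

/* The buggy pattern from the report: the error path assumes the zval holds a
   string. With an IS_LONG zval, Z_STRVAL reinterprets the integer bits as a
   char* and snprintf dereferences it, which is the reported segfault.
   (Only ever called with a string here; do not call it with an IS_LONG.) */
void format_error_unsafe(const zv *cb, char *out, size_t n) {
    snprintf(out, n, "Callback '%s' is not a callable function", Z_STRVAL(*cb));
}

/* The fixed pattern: branch on the actual type tag and never read a union
   member the tag does not guarantee is valid. */
void format_error_safe(const zv *cb, char *out, size_t n) {
    switch (Z_TYPE(*cb)) {
    case IS_STRING:
        snprintf(out, n, "Callback '%s' is not a callable function", Z_STRVAL(*cb));
        break;
    case IS_LONG:
        snprintf(out, n, "Callback argument %ld is not a callable function", Z_LVAL(*cb));
        break;
    default:
        snprintf(out, n, "Callback argument of non-string type is not a callable function");
    }
}

/* Returns 1 if the callback is accepted; otherwise 0 with the message in err. */
int set_event_handler(const zv *cb, char *err, size_t n) {
    if (is_callable(cb)) return 1;
    format_error_safe(cb, err, n);
    return 0;
}
```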

 [2008-10-07 18:25 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.

Thanks for the patch. :)