Bug #49372 Segfault in function php_curl_option_url
Submitted: 2009-08-26 13:30 UTC
Modified: 2009-08-26 22:24 UTC
From: sergk at sergk dot org dot ua
Assigned: pajoye
Status: Closed
Package: cURL related
PHP Version: 5.2.10
OS: Debian GNU/Linux, kernel 2.6.30
Private report: No
CVE-ID: None
 [2009-08-26 13:30 UTC] sergk at sergk dot org dot ua
Description:
------------
There is a segfault in strncasecmp, called from this code:
curl/interface.c:186 :

if (!strncasecmp("file", uri->scheme, sizeof("file"))) {   
...

when the URI has no protocol part, hence uri->scheme is NULL.
Like in this example backtrace:
#0  0xb7e20a8b in strncasecmp () from /lib/i686/cmov/libc.so.6
#1  0xb777dd11 in php_curl_option_url (ch=0x856be00, 
    url=0x856e360 "show.setlinks.ru/?host=SCREENEDHOSTNAME&k=WINDOWS-1251&p=b44eff595164745dee4a6a655a57a425", 
    len=<value optimized out>) at /opt/src/build/apache-1-dweb/dbuild/003d/php-5.2.10/ext/curl/interface.c:187

This bug is also present in the last 5.2.x development snapshot.



 [2009-08-26 13:35 UTC] sergk at sergk dot org dot ua
This patch will fix the bug:

--- php-5.2.10.orig/ext/curl/interface.c        2009-06-15 12:38:11.000000000 +0000
+++ php-5.2.10/ext/curl/interface.c     2009-08-26 11:22:15.000000000 +0000
@@ -183,10 +183,12 @@
                        return 0;
                }
 
-               if (!strncasecmp("file", uri->scheme, sizeof("file"))) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol 'file' disabled in cURL");
-                       php_url_free(uri);
-                       return 0;
+               if (uri->scheme != NULL) {
+                       if (!strncasecmp("file", uri->scheme, sizeof("file")-1)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol 'file' disabled in cURL");
+                               php_url_free(uri);
+                               return 0;
+                       }
                }
                php_url_free(uri);
 #endif
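Review bot: The new strncasecmp call changes the length argument from sizeof("file") to sizeof("file")-1, which is unrelated to the NULL fix and changes what gets rejected. The original 5-byte compare includes the terminating NUL and so matches only a scheme that is exactly "file"; the 4-byte compare matches any scheme that begins with "file". Keep sizeof("file") unless the prefix match is intended, and state it in the change description if it is. The added outer if (uri->scheme != NULL) block can also be folded into the existing condition as uri->scheme != NULL && !strncasecmp(...), which avoids re-indenting the body and keeps the change to one line.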
 [2009-08-26 14:11 UTC] pajoye@php.net
Thanks for the patch.
Do you have a small piece of code to test it? I could quickly use it as a phpt.
 [2009-08-26 17:13 UTC] sergk at sergk dot org dot ua
Yes, this one triggers the segfault, but only in mod_php mode:

<?PHP
  $curl = curl_init("www.php.net/manual/en/function.curl-init.php");
  curl_exec($curl);
  curl_close($curl);
?>
 [2009-08-26 18:18 UTC] pajoye@php.net
Thanks for the script.

An easy fix would be to update the Curl library to a more recent version (recommended).

I will apply the fix shortly (need to fetch an old curl first).
 [2009-08-26 20:21 UTC] jani@php.net
Please don't apply that patch; you can do it with a single-line change
too: if (uri->scheme && !strncasecmp("file", uri->scheme,
sizeof("file"))) rather than having several lines changed for nothing.
 [2009-08-26 20:26 UTC] pajoye@php.net
I said the fix, not the patch :)
 [2009-08-26 22:24 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=287784
Log: - fix #49372, segfault in php_curl_option_url
 [2009-08-26 22:24 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
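
The NULL-scheme case from this report as a stand-alone C program. This is an added example, not code from the report or from PHP: extract_scheme and file_scheme_blocked are hypothetical stand-ins for the URL parser and for the check in php_curl_option_url, and the sample URLs are constructed. It also runs the check with both length arguments that appear in the thread, sizeof("file") and sizeof("file")-1.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define EXACT_LEN  (sizeof("file"))      /* 5: compares the NUL too, exact match */
#define PREFIX_LEN (sizeof("file") - 1)  /* 4: matches any scheme starting "file" */

/* Hypothetical stand-in for the URL parser: returns a malloc'd scheme,
 * or NULL when the URL has no "scheme://" prefix (the crashing case). */
static char *extract_scheme(const char *url)
{
    size_t n = 0;
    char *scheme;
    while (isalnum((unsigned char)url[n]) || url[n] == '+' ||
           url[n] == '-' || url[n] == '.')
        n++;
    if (n == 0 || strncmp(url + n, "://", 3) != 0)
        return NULL;
    scheme = malloc(n + 1);
    if (scheme != NULL) {
        memcpy(scheme, url, n);
        scheme[n] = '\0';
    }
    return scheme;
}

/* Returns 1 when the URL must be refused as a file: URL. The NULL test
 * runs first, so strncasecmp never sees a NULL pointer. */
static int file_scheme_blocked(const char *url, size_t cmp_len)
{
    char *scheme = extract_scheme(url);
    int blocked = scheme != NULL && !strncasecmp("file", scheme, cmp_len);
    free(scheme);
    return blocked;
}

int main(void)
{
    /* Constructed sample URLs; the first is the one from the test script. */
    const char *urls[] = { "www.php.net/manual/en/function.curl-init.php",
                           "file:///tmp/example", "FILE:///tmp/example",
                           "filex://host/", "http://www.php.net/" };
    size_t i;
    for (i = 0; i < sizeof(urls) / sizeof(urls[0]); i++)
        printf("%-46s exact=%d prefix=%d\n", urls[i],
               file_scheme_blocked(urls[i], EXACT_LEN),
               file_scheme_blocked(urls[i], PREFIX_LEN));
    return 0;
}
```

Only the "filex" row differs between the two columns: the 5-byte compare lets it through, the 4-byte compare refuses it.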


 