PHP :: Bug #50370 :: 64bit libtdsodbc.so crash because of malloc 4 byte missing

Bug #50370

64bit libtdsodbc.so crash because of malloc 4 byte missing

Submitted:

2009-12-03 08:39 UTC

Modified:

2009-12-04 18:01 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

nalply at gmail dot com

Assigned:

Status:

Closed

Package:

ODBC related

PHP Version:

5.2.6

OS:

Debian Lenny amd64

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nalply at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2009-12-03 08:39 UTC] nalply at gmail dot com

Description:
------------
I have a page which reproducibly overwrites non alloc'd memory (a write of 8 bytes instead of 4 bytes at the end of the range). It is caused by the call odbc_fetch_object() and the bad write in libtdsodbc.so.

For more details see: http://serverfault.com/questions/90100/64bit-unixodbc-and-freetds-a-bug-in-libtdsodbc-so, there is a valgrind output.

It crashes in the Apache module only. The PHP command line with Suhosin reports a canary mismatch.

Note, it is version 5.2.6-1+lenny4, that's what Debian Lenny has installed, and not 5.2.11, because the form forced me to enter this version. I won't upgrade my PHP to a newer version. Take this bug report or leave it.

It is not sure whether the bug is in PHP ODBC or in TDS ODBC, so I am going to report this bug thrice: here and there and with Debian.

Reproduce code:
---------------
#!/usr/bin/php5
<?php

$conn = odbc_connect("dsn", "user", "password");
$query = odbc_exec($conn, "SELECT 'alpha' test");

echo "Before odbc_fetch_object(); query=$query\n"; flush();
if ($query) $row = odbc_fetch_object($query);
echo "After odbc_fetch_row();\n"; flush();
echo "Result=" . $row->test . "\n";

?>some static text


Expected result:
----------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

Actual result:
--------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-12-03 08:41 UTC] nalply at gmail dot com

The link does not work (it is too long). Use this instead: http://bit.ly/7e028s

[2009-12-04 09:47 UTC] freddy77 at gmail dot com

PHP 5.2.6 is the problem, in php_odbc_includes.h a len is declared as SDWORD which is only 32-bit while should be 64-bit (SQLLEN).

[2009-12-04 18:01 UTC] fa@php.net

Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Fixed in 5.2.7 - only place to report this would be Debian then.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Mar 15 10:01:29 2025 UTC