Bug #50370 64bit libtdsodbc.so crash because of malloc 4 byte missing
Submitted: 2009-12-03 08:39 UTC Modified: 2009-12-04 18:01 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: nalply at gmail dot com
Assigned:
Status: Closed Package: ODBC related
PHP Version: 5.2.6 OS: Debian Lenny amd64
Private report: No CVE-ID: None
 [2009-12-03 08:39 UTC] nalply at gmail dot com
Description:
------------
I have a page which reproducibly overwrites non alloc'd memory (a write of 8 bytes instead of 4 bytes at the end of the range). It is caused by the call odbc_fetch_object() and the bad write in libtdsodbc.so.

For more details see: http://serverfault.com/questions/90100/64bit-unixodbc-and-freetds-a-bug-in-libtdsodbc-so, there is a valgrind output.

It crashes in the Apache module only. The PHP command line with Suhosin reports a canary mismatch.

Note, it is version 5.2.6-1+lenny4, that's what Debian Lenny has installed, and not 5.2.11, because the form forced me to enter this version. I won't upgrade my PHP to a newer version. Take this bug report or leave it.

It is not certain whether the bug is in PHP ODBC or in TDS ODBC, so I am going to report this bug thrice: here and there and with Debian.

Reproduce code:
---------------
#!/usr/bin/php5
<?php

// Connect through the ODBC DSN and run a one-column query
$conn = odbc_connect("dsn", "user", "password");
$query = odbc_exec($conn, "SELECT 'alpha' test");

echo "Before odbc_fetch_object(); query=$query\n"; flush();
// The bad write inside libtdsodbc.so happens during this call
if ($query) $row = odbc_fetch_object($query);
echo "After odbc_fetch_row();\n"; flush();
echo "Result=" . $row->test . "\n";

?>some static text


Expected result:
----------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

Actual result:
--------------
Before odbc_fetch_object(); query=Resource id #5
After odbc_fetch_row();
Result=alpha
some static text


 [2009-12-03 08:41 UTC] nalply at gmail dot com
The link does not work (it is too long). Use this instead: http://bit.ly/7e028s
 [2009-12-04 09:47 UTC] freddy77 at gmail dot com
PHP 5.2.6 is the problem: in php_odbc_includes.h a len is declared as SDWORD, which is only 32-bit, while it should be 64-bit (SQLLEN).
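The following C program is an added illustration of the width mismatch described in the comment above; it is not code from the bug report, from PHP or from FreeTDS. It assumes the LP64 widths of a 64-bit unixODBC build (SDWORD as int32_t, SQLLEN as int64_t), and driver_report_length is a hypothetical stand-in for a driver routine that stores a length through a SQLLEN out-parameter, the way SQLGetData fills its StrLen_or_IndPtr argument. The buggy path replays the 8-byte store into a byte image of a record whose len field is only 4 bytes wide, so the demonstration stays within defined behaviour while showing the same effect as the real bug: the field after len is overwritten, which is exactly what a heap canary such as Suhosin's catches. The fixed path declares len as SQLLEN, as PHP 5.2.7 does, and the neighbouring field survives. The compile-time guard at the end is one way a caller can refuse to build with a slot narrower than what the driver writes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed widths for a 64-bit (LP64) unixODBC build: SDWORD stays 32-bit,
 * SQLLEN widens to 64-bit. The real headers define these; these are stand-ins. */
typedef int32_t SDWORD;
typedef int64_t SQLLEN;

#define CANARY 0xDEADBEEFu

/* Hypothetical stand-in for a driver routine (compare SQLGetData's
 * StrLen_or_IndPtr argument) that stores a 64-bit length through its
 * out-parameter. It always writes sizeof(SQLLEN) bytes. */
static void driver_report_length(SQLLEN *out)
{
    *out = 5; /* strlen("alpha") from the reproduce query */
}

/* Caller-side records. The first mirrors PHP 5.2.6: a 4-byte len followed by
 * another field. The second mirrors the 5.2.7 fix: len is a full SQLLEN. */
struct record32 { SDWORD len; uint32_t canary; };
struct record64 { SQLLEN len; uint32_t canary; };

/* How many bytes the driver writes past the end of a 4-byte len slot
 * (the "4 byte missing" of the bug title). */
size_t bytes_overrun(void)
{
    return sizeof(SQLLEN) - sizeof(SDWORD);
}

/* Reproduces the effect of handing &record32.len to a routine expecting
 * SQLLEN *. The 8-byte store is replayed with memcpy into a byte image of the
 * struct so this demonstration has defined behaviour; the outcome matches the
 * real bug: the bytes after len (here the canary) are overwritten.
 * Returns 1 when the neighbour was clobbered. */
int buggy_call_clobbers_neighbor(void)
{
    struct record32 r = { 0, CANARY };
    SQLLEN value;
    unsigned char image[sizeof r];

    driver_report_length(&value);
    memcpy(image, &r, sizeof r);
    /* sizeof value (8) bytes land in a slot that is sizeof r.len (4) wide */
    memcpy(image + offsetof(struct record32, len), &value, sizeof value);
    memcpy(&r, image, sizeof r);
    return r.canary != CANARY;
}

/* With len declared as SQLLEN the driver's store fits and the neighbour is
 * intact. Returns 1 when everything is as expected. */
int fixed_call_keeps_neighbor(void)
{
    struct record64 r = { 0, CANARY };
    driver_report_length(&r.len);
    return r.canary == CANARY && r.len == 5;
}

/* Compile-time guard a caller can place next to its declaration: the build
 * fails if the len slot handed to the driver is narrower than what it writes. */
#define ASSERT_LEN_SLOT(T) \
    _Static_assert(sizeof(((T *)0)->len) == sizeof(SQLLEN), #T ": len must be SQLLEN")
ASSERT_LEN_SLOT(struct record64);

int main(void)
{
    printf("driver writes %zu byte(s) beyond a SDWORD len slot\n", bytes_overrun());
    printf("buggy caller: neighbour %s\n",
           buggy_call_clobbers_neighbor() ? "clobbered" : "intact");
    printf("fixed caller: neighbour %s\n",
           fixed_call_keeps_neighbor() ? "intact" : "clobbered");
    return 0;
}
```

The canary check here plays the role Suhosin's efree() canary plays in the submitter's command-line run: the overrun is not in the len value itself (which still reads back as 5 on a little-endian host, so "Result=alpha" prints normally) but in whatever happens to sit in the next 4 bytes, which is why the corruption only surfaces later, at free time or in a different process such as the Apache module.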
 [2009-12-04 18:01 UTC] fa@php.net
Thank you for your bug report. This issue has already been fixed in the latest released version of PHP, which you can download at http://www.php.net/downloads.php

Fixed in 5.2.7 - only place to report this would be Debian then.