Bug #54680 missing TRACK_VARS_SERVER check
Submitted: 2011-05-07 00:44 UTC Modified: 2011-06-12 04:48 UTC
From: cxib at securityreason dot com Assigned: felipe (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.6 OS: NetBSD
Private report: No CVE-ID: None
 [2011-05-07 00:44 UTC] cxib at securityreason dot com
Description:
------------
./work/php-5.3.6/ext/standard/basic_functions.c:        if
((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv",
sizeof("argv"), (void **) &args) != FAILURE ||

An 'if' condition is missing here. In all other [TRACK_VARS_SERVER]
calls, we can see an if condition used like

if (!PG(http_globals)[TRACK_VARS_SERVER]) {

Only in basic_functions.c is it missing. Please see:

# find . -name "*.c"|xargs grep '\[TRACK_VARS_SERVER\]'
./work/php-5.3.6/ext/phar/phar_object.c:        if
(!PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/ext/phar/phar_object.c:        _SERVER =
Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/ext/phar/phar_object.c:                if
(PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/ext/phar/phar_object.c:
HashTable *_server = Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/ext/soap/soap.c:       if
(PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/ext/soap/soap.c:
zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht,
"HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &agent_name) ==
SUCCESS &&
./work/php-5.3.6/ext/zlib/zlib.c:       if
(!PG(http_globals)[TRACK_VARS_SERVER]
./work/php-5.3.6/ext/zlib/zlib.c:               ||
zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht,
"HTTP_ACCEPT_ENCODING", sizeof("HTTP_ACCEPT_ENCODING"), (void **)
&a_encoding) == FAILURE
./work/php-5.3.6/ext/zlib/zlib.c:       if
(!PG(http_globals)[TRACK_VARS_SERVER]
./work/php-5.3.6/ext/zlib/zlib.c:               ||
zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht,
"HTTP_ACCEPT_ENCODING", sizeof("HTTP_ACCEPT_ENCODING"), (void **)
&a_encoding) == FAILURE
./work/php-5.3.6/ext/session/session.c: if (!PS(use_only_cookies) &&
!PS(id) && PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/ext/session/session.c:
zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"REQUEST_URI", sizeof("REQUEST_URI"), (void **) &data) == SUCCESS &&
./work/php-5.3.6/ext/session/session.c:
PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/ext/session/session.c:
zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"HTTP_REFERER", sizeof("HTTP_REFERER"), (void **) &data) == SUCCESS &&
./work/php-5.3.6/ext/standard/basic_functions.c:        if
((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv",
sizeof("argv"), (void **) &args) != FAILURE ||
./work/php-5.3.6/ext/standard/browscap.c:               if
(!PG(http_globals)[TRACK_VARS_SERVER] ||
./work/php-5.3.6/ext/standard/browscap.c:
zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]),
"HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **)
&http_user_agent) == FAILURE
./work/php-5.3.6/main/php_variables.c:  if
(PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/main/php_variables.c:
zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/main/php_variables.c:
PG(http_globals)[TRACK_VARS_SERVER] = array_ptr;
./work/php-5.3.6/main/php_variables.c:
        php_autoglobal_merge(&EG(symbol_table),
Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]) TSRMLS_CC);
./work/php-5.3.6/main/php_variables.c:
php_build_argv(SG(request_info).query_string,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"argv", sizeof("argv"), argv, sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"argc", sizeof("argc"), argc, sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
php_build_argv(SG(request_info).query_string,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
./work/php-5.3.6/main/php_variables.c:          if
(PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/main/php_variables.c:
zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/main/php_variables.c:
PG(http_globals)[TRACK_VARS_SERVER] = server_vars;
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(&EG(symbol_table), name, name_len + 1,
&PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(&EG(symbol_table), "HTTP_SERVER_VARS",
sizeof("HTTP_SERVER_VARS"), &PG(http_globals)[TRACK_VARS_SERVER],
sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/sapi/cgi/cgi_main.c:   } else if
(PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/cgi/cgi_main.c:           array_ptr !=
PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/cgi/cgi_main.c:
Z_TYPE_P(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY &&
./work/php-5.3.6/sapi/cgi/cgi_main.c:
zend_hash_num_elements(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])) > 0
./work/php-5.3.6/sapi/cgi/cgi_main.c:           *array_ptr =
*PG(http_globals)[TRACK_VARS_SERVER];
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:       } else if
(PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:               array_ptr !=
PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:
Z_TYPE_P(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY &&
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:
zend_hash_num_elements(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])) > 0
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:               *array_ptr =
*PG(http_globals)[TRACK_VARS_SERVER];
./work/php-5.3.6/sapi/apache_hooks/sapi_apache.c:
php_register_variable_ex("request", req,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
./work/php-5.3.6/sapi/apache_hooks/sapi_apache.c:
php_register_variable("PHP_SELF_HOOK", handler->name,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
#




Test script:
---------------
127# php -v && uname -a
PHP 5.3.6 (cli) (built: Mar 16 2011 10:00:59) (DEBUG)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
NetBSD 127 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov  7 14:39:56 UTC 2010  builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
127# curl http://127.0.0.1/getopt.php 
curl: (52) Empty reply from server

error_log:
[Sat May 07 02:29:20 2011] [notice] child pid 970 exit signal Segmentation fault (11)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0xbaf5506c in zif_getopt (ht=2, return_value=0xba60e4c4,
return_value_ptr=0x0,
    this_ptr=0x0, return_value_used=0, tsrm_ls=0xba939980)
    at
/usr/pkgsrc/www/ap-php/work/php-5.3.6/ext/standard/basic_functions.c:4260
4260            if
((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv",
sizeof("argv"), (void **) &args) != FAILURE ||
(gdb)

#0  0xbaf5506c in zif_getopt (ht=2, return_value=0xba60e4c4,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0,
    tsrm_ls=0xba939980)
    at
/usr/pkgsrc/www/ap-php/work/php-5.3.6/ext/standard/basic_functions.c:4260
#1  0xbb0aa13d in zend_do_fcall_common_helper_SPEC
(execute_data=0xba6a7044,
    tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:316
#2  0xbb0affa9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xba6a7044,
    tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:1602
#3  0xbb0a8f54 in execute (op_array=0xba60e128, tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:96
#4  0xbb079d8a in zend_execute_scripts (type=8, tsrm_ls=0xba939980,
    retval=0x0, file_count=3)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend.c:1194
#5  0xbaff56f9 in php_execute_script (primary_file=0xbfbfe81c,
    tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/main/main.c:2266
#6  0xbb15729d in php_handler (r=0xba718058)
    at
/usr/pkgsrc/www/ap-php/work/php-5.3.6/sapi/apache2handler/sapi_apache2.c:666
#7  0x0807894a in ap_run_handler ()
(gdb) i r
eax            0x0      0
ecx            0xbfbfcfa4       -1077948508
edx            0xba88b0cc       -1165446964
ebx            0xbb5e66d8       -1151441192
esp            0xbfbfcfb0       0xbfbfcfb0
ebp            0xbfbfd0e8       0xbfbfd0e8
esi            0xbb6069c8       -1151309368
edi            0xba60e4d4       -1168055084
eip            0xbaf5506c       0xbaf5506c <zif_getopt+218>
eflags         0x10216  [ PF AF IF RF ]
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x0      0
(gdb) x/i $eip
0xbaf5506c <zif_getopt+218>:    mov    0xc(%eax),%al
(gdb) x/i $eax
0x0:    Cannot access memory at address 0x0


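The fault above is a NULL-pointer dereference: %eax is 0 when `mov 0xc(%eax),%al` executes, i.e. HASH_OF() is reading the type tag of a zval whose pointer is NULL because the TRACK_VARS_SERVER slot was never populated for that request. The following C program is an added illustration, not code from the report or from php-src: it models the relevant shapes with constructed stand-ins (a zval-like record, a hashtable-like lookup, a PG(http_globals)-like pointer table) and places the unchecked lookup at basic_functions.c:4260 beside the guarded form that the other callers in the grep use. The names `model_*`, `getopt_lookup_argv_*`, `populate_server_vars` and `clear_server_vars` and the sample $_SERVER entries are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins for the PHP 5.3 structures named in the report.
 * They are NOT the Zend definitions; they only reproduce the shapes that matter:
 * a zval-like record whose type tag HASH_OF() reads first, and a pointer table
 * (PG(http_globals)) whose TRACK_VARS_SERVER slot stays NULL until the SAPI fills it.
 */
#define SUCCESS   0
#define FAILURE (-1)
#define IS_ARRAY  4   /* only the comparison matters here */

enum { TRACK_VARS_POST, TRACK_VARS_GET, TRACK_VARS_COOKIE, TRACK_VARS_SERVER,
       TRACK_VARS_ENV, TRACK_VARS_FILES, TRACK_VARS_REQUEST, NUM_TRACK_VARS };

typedef struct { const char *key; const char *value; } model_entry;
typedef struct { const model_entry *entries; size_t count; } model_hashtable; /* stands in for HashTable */
typedef struct { model_hashtable ht; unsigned char type; } model_zval;        /* stands in for zval */

static model_zval *http_globals[NUM_TRACK_VARS];   /* stands in for PG(http_globals) */

/* Stands in for HASH_OF(): it reads p->type before anything else. With p == NULL
 * this is the `mov 0xc(%eax),%al` with %eax == 0 shown in the gdb output. */
static model_hashtable *model_hash_of(model_zval *p)
{
    return p->type == IS_ARRAY ? &p->ht : NULL;
}

/* Stands in for zend_hash_find(): linear scan, SUCCESS/FAILURE like the Zend API. */
static int model_hash_find(const model_hashtable *ht, const char *key, const char **out)
{
    size_t i;
    for (i = 0; i < ht->count; i++) {
        if (strcmp(ht->entries[i].key, key) == 0) {
            *out = ht->entries[i].value;
            return SUCCESS;
        }
    }
    return FAILURE;
}

/* The shape at basic_functions.c:4260 in 5.3.6: the slot is dereferenced unconditionally,
 * so a request in which $_SERVER was never populated faults inside HASH_OF(). */
static int getopt_lookup_argv_unchecked(const char **argv_out)
{
    return model_hash_find(model_hash_of(http_globals[TRACK_VARS_SERVER]), "argv", argv_out);
}

/* The pattern the other callers in the reporter's grep use (zlib.c, browscap.c, session.c,
 * soap.c): test the slot first and treat an absent $_SERVER as "argv not found".
 * The extra check on the HASH_OF() result goes one step beyond that pattern. */
static int getopt_lookup_argv_checked(const char **argv_out)
{
    model_hashtable *ht;
    if (!http_globals[TRACK_VARS_SERVER]) {
        return FAILURE;           /* $_SERVER not populated: nothing to search, no crash */
    }
    ht = model_hash_of(http_globals[TRACK_VARS_SERVER]);
    if (!ht) {
        return FAILURE;           /* slot set but not an array: also nothing to search */
    }
    return model_hash_find(ht, "argv", argv_out);
}

/* Constructed request state: a populated $_SERVER with an (empty) argv entry. */
static const model_entry sample_server_vars[] = {
    { "REQUEST_URI", "/getopt.php" },
    { "argv",        "" },
};
static model_zval sample_server = { { sample_server_vars, 2 }, IS_ARRAY };

void populate_server_vars(void) { http_globals[TRACK_VARS_SERVER] = &sample_server; }
void clear_server_vars(void)    { http_globals[TRACK_VARS_SERVER] = NULL; }

int main(void)
{
    const char *argv_val = NULL;

    populate_server_vars();
    printf("populated, unchecked: %d\n", getopt_lookup_argv_unchecked(&argv_val));
    printf("populated, checked:   %d\n", getopt_lookup_argv_checked(&argv_val));

    clear_server_vars();
    printf("unset, checked:       %d\n", getopt_lookup_argv_checked(&argv_val));
    /* getopt_lookup_argv_unchecked() at this point reproduces the NULL dereference; not called. */
    return 0;
}
```

The practical consequence of the unchecked form is the one in the error_log above: the fault takes down the Apache child serving the request, so any script that can reach getopt() in a request without a populated $_SERVER is a denial-of-service trigger for that worker. The guard turns the same state into an ordinary "no argv" return.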
 [2011-06-12 04:47 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=312079
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 [2011-06-12 04:47 UTC] felipe@php.net
-Summary: missing TRACK_VARS_SERVER +Summary: missing TRACK_VARS_SERVER check -Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2011-06-12 04:47 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-06-12 04:48 UTC] felipe@php.net
-Package: *General Issues +Package: Reproducible crash
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8d4a35f3e94e9b7ad6c4d0d6c097aebee1ac5362
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8d4a35f3e94e9b7ad6c4d0d6c097aebee1ac5362
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8d4a35f3e94e9b7ad6c4d0d6c097aebee1ac5362
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri Jul 04 11:01:37 2025 UTC