Bug #58952 Module segfaults on readFrame if Frame > STOMP_BUFSIZE
Submitted: 2009-11-16 08:59 UTC Modified: 2009-11-16 09:54 UTC
From: pop3 at flachtaucher dot de Assigned:
Status: Closed Package: stomp (PECL)
PHP Version: 5.3.0 OS: Linux 64-bit
Private report: No CVE-ID: None
 [2009-11-16 08:59 UTC] pop3 at flachtaucher dot de
Description:
------------
If I do readFrame on a packet that is bigger than 4096 bytes (= STOMP_BUFSIZE), the module segfaults.

This is due to invalid handling of this case in stomp_read_buffer and stomp_read_line: the code contains a sizeof() call on a char * variable. sizeof will always return the same value (i.e. 8 bytes on 64-bit systems, since the pointer itself uses 8 bytes).


Expected result:
----------------
Program gets the big frame

Actual result:
--------------
Program segfaults


Here is my patch:

--- trunk/stomp.c.sik   2009-11-16 08:04:08.000000000 +0100
+++ trunk/stomp.c       2009-11-16 14:55:00.000000000 +0100
@@ -277,6 +277,7 @@
 {
     int rc = 0;
     size_t i = 0;
+    size_t bufsize = STOMP_BUFSIZE + 1;
     char *buffer = (char *) emalloc(STOMP_BUFSIZE + 1);

     while (1) {
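Review bot: `bufsize` and the `emalloc(STOMP_BUFSIZE + 1)` on the line below it state the initial capacity twice; write `char *buffer = (char *) emalloc(bufsize);` so the tracked size and the real allocation cannot drift apart if either line is edited later.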
@@ -300,8 +301,9 @@
                 break;
             }

-            if (i >= sizeof(buffer)) {
-                buffer = (char *) erealloc(buffer, sizeof(buffer) + STOMP_BUFSIZE);
+            if (i >= bufsize) {
+                buffer = (char *) erealloc(buffer, bufsize + STOMP_BUFSIZE);
+                bufsize += STOMP_BUFSIZE;
             }

         }
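Review bot: the new `if (i >= bufsize)` check grows the buffer by `STOMP_BUFSIZE` every time it fires with no upper bound visible in this hunk, so a peer that never sends a frame terminator can make the extension allocate without limit; consider a maximum frame size after which the read is abandoned with an error. Also confirm that the store into `buffer[i]` happens after this check and that any terminating byte written after the loop is covered by it, since the hunk does not show either write.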
@@ -329,6 +331,7 @@
 {
     int rc = 0;
     size_t i = 0;
+    size_t bufsize = STOMP_BUFSIZE + 1;
     char *buffer = (char *) emalloc(STOMP_BUFSIZE + 1);

     while (1) {
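Review bot: this declaration is a verbatim copy of the one added in the first hunk, and the grow logic that follows is copied as well; a small helper such as `stomp_grow_buffer(char **buffer, size_t *bufsize)` (name suggested here, not from the codebase) would keep both functions on one implementation of the fix. The same `emalloc(bufsize)` comment as for the first hunk applies here.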
@@ -351,8 +354,9 @@
                 return 0;
             }

-            if (i >= sizeof(buffer)) {
-                buffer = (char *) erealloc(buffer, sizeof(buffer) + STOMP_BUFSIZE);
+            if (i >= bufsize) {
+                buffer = (char *) erealloc(buffer, bufsize + STOMP_BUFSIZE);
+                bufsize += STOMP_BUFSIZE;
             }
         }

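Review bot: the early `return 0;` at the top of this hunk leaves the function while `buffer` is still allocated unless it is freed in the lines just above, which are not shown; confirm that path calls `efree(buffer)`, otherwise every read that hits that branch leaks one buffer of `bufsize` bytes.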

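As an added illustration of the defect described in this report (not code from the stomp extension or from the reporter's patch): `sizeof` on a `char *` yields the pointer width, never the heap allocation behind it, so a capacity check built on it stops being true as soon as more than a pointer's worth of bytes have been read. The reader below tracks its capacity in an explicit variable, keeps room for the terminator, and, as a defensive addition that the patch does not include, refuses frames above an assumed `MAX_FRAME` limit. `BUFSIZE`, `MAX_FRAME`, `fake_sock`/`fake_recv` and the input bytes are all constructed for this example; only the 4096-byte initial size is taken from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values: the report gives STOMP_BUFSIZE = 4096; MAX_FRAME is an
 * assumed upper bound for this example, not something the extension defines. */
#define BUFSIZE   4096
#define MAX_FRAME (16 * 1024 * 1024)

/* What a sizeof()-based check on a char * actually measures: the pointer size. */
size_t pointer_sizeof_capacity(void) {
    char *buffer = malloc(BUFSIZE + 1);
    size_t n = sizeof(buffer);   /* 8 on LP64, never the 4097-byte allocation */
    free(buffer);
    return n;
}

/* A minimal in-memory stand-in for a socket so the example runs offline. */
typedef struct { const char *data; size_t len; size_t pos; } fake_sock;

static int fake_recv(fake_sock *s, char *out) {
    if (s->pos >= s->len) return 0;      /* peer closed the connection */
    *out = s->data[s->pos++];
    return 1;
}

/* Read one NUL-terminated frame into a heap buffer whose capacity is tracked
 * in `cap`. Returns NULL on EOF before the terminator, on allocation failure,
 * or when the frame would exceed MAX_FRAME; *out_len receives the body length. */
char *read_frame(fake_sock *s, size_t *out_len) {
    size_t cap = BUFSIZE + 1;
    size_t i = 0;
    char *buffer = malloc(cap);
    if (!buffer) return NULL;

    for (;;) {
        char c;
        if (!fake_recv(s, &c)) { free(buffer); return NULL; }
        if (c == '\0') break;                 /* STOMP frames end with NUL */
        if (i + 1 >= cap) {                   /* keep one byte for the terminator */
            if (cap + BUFSIZE > MAX_FRAME) { free(buffer); return NULL; }
            char *grown = realloc(buffer, cap + BUFSIZE);
            if (!grown) { free(buffer); return NULL; }
            buffer = grown;
            cap += BUFSIZE;
        }
        buffer[i++] = c;                      /* i < cap - 1 here, so in bounds */
    }
    buffer[i] = '\0';                         /* i <= cap - 1, still in bounds */
    *out_len = i;
    return buffer;
}

/* Constructed input: a 10000-byte body (larger than BUFSIZE) plus terminator. */
size_t demo_large_frame(void) {
    size_t body = 10000;
    char *data = malloc(body + 1);
    memset(data, 'A', body);
    data[body] = '\0';
    fake_sock s = { data, body + 1, 0 };
    size_t n = 0;
    char *frame = read_frame(&s, &n);
    size_t result = frame ? n : (size_t)-1;
    free(frame);
    free(data);
    return result;
}

/* Constructed input: the stream closes before any terminator arrives. */
int demo_truncated_frame(void) {
    const char data[] = "CONNECTED\nversion:1.0\n\n";
    fake_sock s = { data, sizeof(data) - 1, 0 };   /* -1 drops the literal's NUL */
    size_t n = 0;
    char *frame = read_frame(&s, &n);
    int rejected = (frame == NULL);
    free(frame);
    return rejected;
}

int main(void) {
    printf("sizeof(char *) capacity: %zu\n", pointer_sizeof_capacity());
    printf("large frame body length: %zu\n", demo_large_frame());
    printf("truncated frame rejected: %d\n", demo_truncated_frame());
    return 0;
}
```

The two invariants worth carrying into any fix of this kind are visible in the loop: the growth check runs before the store, and it reserves the terminator byte, so neither `buffer[i++] = c` nor the final `buffer[i] = '\0'` can land past `cap`.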
 [2009-11-16 09:54 UTC] pierrick@php.net
Bug fixed in revision 290822.

You can checkout the last version and test it again.

Thanks for reporting this issue and for the patch :)