PHP :: Bug #63700 :: Buffer overrun in mysqlnd_reverse_api_register

Bug #63700

Buffer overrun in mysqlnd_reverse_api_register_api

Submitted:

2012-12-05 20:01 UTC

Modified:

2017-04-20 11:31 UTC

Votes:	1
Avg. Score:	2.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

slangley at google dot com

Assigned:

mysql (profile)

Status:

Not a bug

Package:

MySQL related

PHP Version:

5.4.9

OS:

N/A

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	slangley at google dot com
New email:
PHP Version:		OS:

New Comment:

[2012-12-05 20:01 UTC] slangley at google dot com

Description:
------------
Address sanitizer detected a buffer over run.

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff149259af at pc 
0x7f3cfb7b1840 bp 0x7fff149258d0 sp 0x7fff149258c8
READ of size 1 at 0x7fff149259af thread T0
    #0 0x7f3cfb7b183f php/v5_4_8/Zend/zend_hash.c:261 _zend_hash_add_or_update
    #1 0x7f3cfba67ea1 php/v5_4_8/ext/mysqlnd/mysqlnd_reverse_api.c:63 
mysqlnd_reverse_api_register_api
    #2 0x7f3cfbb64bd3 php/v5_4_8/ext/pdo_mysql/pdo_mysql.c:123 
zm_startup_pdo_mysql
    #3 0x7f3cfb55af8d php/v5_4_8/Zend/zend_API.c:1661 zend_startup_module_ex
    #4 0x7f3cfb7b5041 php/v5_4_8/Zend/zend_hash.c:716 zend_hash_apply
    #5 0x7f3cfb55ba8e php/v5_4_8/Zend/zend_API.c:1788 zend_startup_modules
    #6 0x7f3cfbf3b447 php/v5_4_8/main/main.c:2205 php_module_startup

Here's the patch to fix it

--- v5_4_8/ext/mysqlnd/mysqlnd_reverse_api.c.orig	2012-12-05 
11:50:33.000000000 -0800
+++ v5_4_8/ext/mysqlnd/mysqlnd_reverse_api.c	2012-12-05 11:50:52.000000000 
-0800
@@ -61,7 +61,7 @@
 mysqlnd_reverse_api_register_api(MYSQLND_REVERSE_API * apiext TSRMLS_DC)
 {
 	zend_hash_add(&mysqlnd_api_ext_ht, apiext->module->name, strlen(apiext-
>module->name) + 1, &apiext,
-				  sizeof(MYSQLND_REVERSE_API), NULL);
+				  sizeof(void*), NULL);
 }
 /* }}} */

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-12-05 22:52 UTC] johannes@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: mysql

[2017-04-20 11:18 UTC] fjanisze@php.net

-Status: Assigned +Status: Not a bug

[2017-04-20 11:18 UTC] fjanisze@php.net

Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

[2017-04-20 11:31 UTC] andrey@php.net

Through source code inspection:
5.5 is affected
5.6 is fixed
7.0/7.1 uses different code.
PHP 5.5 is past end of life support, which ended Jul, 21st 2016

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 17:01:58 2024 UTC