Bug #66481 Calls to session_name() segfault when session.name is null.
Submitted: 2014-01-13 23:52 UTC
Modified: -
From: cmcdermottroe at engineyard dot com
Assigned:
Status: Closed
Package: Session related
PHP Version: master-Git-2014-01-13 (Git)
OS: Ubuntu 12.04 LTS
Private report: No
CVE-ID: None
 [2014-01-13 23:52 UTC] cmcdermottroe at engineyard dot com
Description:
------------
I first noticed this bug when using the PHP 5.4 and 5.5 packages in Ondřej Surý's PPAs (https://launchpad.net/~ondrej/+archive/php5 and https://launchpad.net/~ondrej/+archive/php5-oldstable) but I've been able to replicate it from a git checkout.

Reproduction steps from packages:

$ php -d session.name= -r 'session_name("foo");'
Segmentation fault (core dumped)

Reproduction steps from git:

$ git clone https://github.com/php/php-src.git
$ cd php-src
$ ./buildconf
$ ./configure
$ make
$ ./sapi/cli/php -d session.name= -r 'session_name("foo");'
Segmentation fault (core dumped)

Test script:
---------------
<?php

/* This will segfault if session.name is configured to be blank. */
session_name("foo");

?>

Expected result:
----------------
No segmentation faults. (I would expect that if the prior value of session.name is null then session_name("something") would return null)

Actual result:
--------------
#0  0x00007f88e81a4b91 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00000000005888cf in zif_session_name (ht=<optimized out>, return_value=0x7f88e9158440, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/vagrant/php-src/ext/session/session.c:1687
#2  0x0000000000733cf1 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f88e91260a8) at /home/vagrant/php-src/Zend/zend_vm_execute.h:554
#3  0x00000000006fd6e8 in execute_ex (execute_data=0x7f88e91260a8) at /home/vagrant/php-src/Zend/zend_vm_execute.h:363
#4  0x0000000000688eb2 in zend_eval_stringl (str=<optimized out>, str_len=<optimized out>, retval_ptr=0x0, string_name=0xa7ed60 "Command line code") at /home/vagrant/php-src/Zend/zend_execute_API.c:1200
#5  0x0000000000688f99 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>, string_name=<optimized out>, handle_exceptions=1) at /home/vagrant/php-src/Zend/zend_execute_API.c:1247
#6  0x0000000000736c62 in do_cli (argc=5, argv=0x23fd890) at /home/vagrant/php-src/sapi/cli/php_cli.c:1034
#7  0x00000000004273c7 in main (argc=5, argv=0x23fd890) at /home/vagrant/php-src/sapi/cli/php_cli.c:1378
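
A regression check built from the reproduction command above, added here as an example; it is not part of the original report or of php-src. The function names are made up for this example, and it assumes a POSIX shell, which reports a child killed by signal N as exit status 128+N.

```shell
#!/bin/sh
# Regression check for PHP bug #66481 (added example, not from the report).
# Runs the report's one-line reproducer against a given PHP CLI binary and
# classifies the outcome from the exit status.

# classify_status RC -> prints "ok", "crash:<signal>" or "error:<rc>".
# A child killed by signal N shows up as 128+N (SIGSEGV = 11 -> 139).
# PHP exits 255 on a fatal error, so only 129..192 is treated as a signal.
classify_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "ok"
    elif [ "$rc" -gt 128 ] && [ "$rc" -le 192 ]; then
        echo "crash:$((rc - 128))"
    else
        echo "error:$rc"
    fi
}

# check_bug66481 PHP_BIN -> prints the classification, returns 1 on a crash.
check_bug66481() {
    php_bin=$1
    rc=0
    # Same invocation as in the report: empty session.name, then session_name("foo").
    "$php_bin" -d session.name= -r 'session_name("foo");' >/dev/null 2>&1 || rc=$?
    result=$(classify_status "$rc")
    echo "$result"
    case $result in
        crash:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone use: sh check.sh /path/to/php   (script name and path are examples)
if [ "$#" -ge 1 ]; then
    check_bug66481 "$1"
fi
```

A build that still has the bug prints `crash:11`; a fixed build prints `ok`.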

History

 [2014-01-16 06:42 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b777248ded69289b84d645ba2f36dbc207c77ff7
Log: Re-fixed Bug #66481 (Calls to session_name() segfault when session.name is null)
 [2014-01-16 06:42 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2014-01-16 12:39 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b777248ded69289b84d645ba2f36dbc207c77ff7
Log: Re-fixed Bug #66481 (Calls to session_name() segfault when session.name is null)
 [2014-10-07 23:16 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b777248ded69289b84d645ba2f36dbc207c77ff7
Log: Re-fixed Bug #66481 (Calls to session_name() segfault when session.name is null)
 [2014-10-07 23:27 UTC] stas@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=b777248ded69289b84d645ba2f36dbc207c77ff7
Log: Re-fixed Bug #66481 (Calls to session_name() segfault when session.name is null)
Last updated: Sat Dec 21 16:01:28 2024 UTC