|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2014-09-30 00:27 UTC] stas@php.net
[2014-10-28 02:11 UTC] stas@php.net
[2014-10-28 02:11 UTC] stas@php.net
-Status: Open
+Status: Closed
[2014-11-18 20:34 UTC] ab@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 12:01:29 2024 UTC |
Description: ------------ It also affects 5.6.0 Please note I was not able to reproduce it on a Windows system. PoC =============================== php -c -i -ini Result =============================== ================================================================= ==19849== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2900613 at pc 0x8e7c77e bp 0xbfdeb138 sp 0xbfdeb12c READ of size 1 at 0xb2900613 thread T0 #0 0x8e7c77d in php_getopt getopt.c:135 #1 0x92c38a6 in do_cli php_cli.c:682 (discriminator 1) #2 0x92c7c1d in main php_cli.c:1378 #3 0xb504ca82 in __libc_start_main libc-start.c:287 #4 0x807be20 in _start ??:? 0xb2900613 is located 0 bytes to the right of 3-byte region [0xb2900610,0xb2900613) allocated by thread T0 here: #0 0xb6147854 in malloc ??:? #1 0xb50ae257 in __GI___strdup strdup.c:42 #2 0x92e7ef7 in save_ps_args ps_title.c:222 #3 0x92c66f6 in main php_cli.c:1225 #4 0xb504ca82 in __libc_start_main libc-start.c:287 Shadow bytes around the buggy address: 0x36520070: fa fa 00 01 fa fa 00 01 fa fa 00 fa fa fa 00 02 0x36520080: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa fd fd 0x36520090: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fa 0x365200a0: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa 00 00 0x365200b0: fa fa fd fd fa fa 04 fa fa fa 05 fa fa fa 03 fa =>0x365200c0: fa fa[03]fa fa fa 04 fa fa fa 00 03 fa fa 00 02 0x365200d0: fa fa 00 05 fa fa 00 07 fa fa 00 00 fa fa 00 07 0x365200e0: fa fa 00 fa fa fa 00 07 fa fa 00 01 fa fa 00 02 0x365200f0: fa fa 00 03 fa fa 00 00 fa fa 00 07 fa fa 00 03 0x36520100: fa fa 00 fa fa fa 00 03 fa fa 00 07 fa fa 00 fa 0x36520110: fa fa 00 fa fa fa fd fd fa fa 00 fa fa fa fd fd ==19849== ABORTING or triggering it with valgrind: $ valgrind --tool=memcheck --num-callers=30 --log-file=php.log ~/Desktop/php-5.5.17/sapi/cli/php -c -i -ini user@ubuntuvm:~/Desktop$ cat php.log ==19859== Memcheck, a memory error detector ==19859== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==19859== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info ==19859== Command: /home/user/Desktop/php-5.5.17/sapi/cli/php -c -i -ini ==19859== Parent PID: 2142 ==19859== ==19859== Invalid read of size 1 ==19859== at 0x856FA95: php_getopt (getopt.c:135) ==19859== by 0x869D76D: do_cli (php_cli.c:682) ==19859== by 0x869F278: main (php_cli.c:1378) ==19859== Address 0x6ee709b is 0 bytes after a block of size 3 alloc'd ==19859== at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==19859== by 0x5000257: strdup (strdup.c:42) ==19859== by 0x86A98F9: save_ps_args (ps_title.c:222) ==19859== by 0x869EADE: main (php_cli.c:1225) ==19859== ==19859== ==19859== HEAP SUMMARY: ==19859== in use at exit: 14,843 bytes in 30 blocks ==19859== total heap usage: 34,740 allocs, 34,710 frees, 2,668,162 bytes allocated ==19859== ==19859== LEAK SUMMARY: ==19859== definitely lost: 0 bytes in 0 blocks ==19859== indirectly lost: 0 bytes in 0 blocks ==19859== possibly lost: 0 bytes in 0 blocks ==19859== still reachable: 14,843 bytes in 30 blocks ==19859== suppressed: 0 bytes in 0 blocks ==19859== Rerun with --leak-check=full to see details of leaked memory ==19859== ==19859== For counts of detected and suppressed errors, rerun with: -v ==19859== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)