Bug #68289 wrong strlcpy call
Submitted: 2014-10-23 07:00 UTC
Modified: 2014-10-28 08:22 UTC
From: otto at drijf dot net
Assigned: alan_k (profile)
Status: Closed
Package: dbase (PECL)
PHP Version: 5.6.2
OS: OpenBSD
Private report: No
CVE-ID: None
 [2014-10-23 07:00 UTC] otto at drijf dot net
Description:
------------
dbf_rec.c uses strlcpy to copy the contents of a record field. These fields are not NUL-terminated in mem. strlcpy only works correctly if the src string *IS NUL-terminated*. While strlcpy reads the buffer to find the ending NUL, it runs out of the buffer in some cases. If the memory beyond the buffer is not mapped, a segfault occurs.

The original code used strncpy + assignment, which is correct.

Test script:
---------------
Run dbase extension using OpenBSD. Due to the nature of OpenBSD malloc, it is unforgiving and catches the read beyond the buffer. Likely a tool like valgrind will catch this as well on other platforms.

Expected result:
----------------
No segfaults.

Actual result:
--------------
Segfault in get_field_val() call of strlcpy.

Patches

patchstrlcpy.diff (last revision 2014-10-23 07:00 UTC by otto at drijf dot net)
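
The over-read described in the report, as an added example that is not code from the dbase extension or from the attached patch. The record layout, the `arena` bytes, and the names `strlcpy_model`, `overread_for_field` and `copy_field` are constructed for illustration; `strlcpy_model` re-implements the documented strlcpy behaviour (return `strlen(src)`) so that the source bytes it examines can be counted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: a 15-byte record (delete flag, NAME[8], CITY[6], no NULs)
 * followed by stand-in bytes; the literal's own NUL keeps the demo in bounds. */
#define REC_LEN  15
#define CITY_OFF 9
#define CITY_LEN 6
static const char arena[] = " ALICE   PARIS " "HEAPDATA";

/* Model of strlcpy that also counts source bytes examined. It returns
 * strlen(src), so it keeps scanning src for a NUL after dst is full. */
static size_t strlcpy_model(char *dst, const char *src, size_t dsize, size_t *examined)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++)
        if (i + 1 < dsize)
            dst[i] = src[i];
    if (dsize > 0)
        dst[i < dsize ? i : dsize - 1] = '\0';
    *examined = i + 1;              /* includes the NUL that ended the scan */
    return i;
}

/* Bytes read past the end of the record when a field is copied strlcpy-style. */
static size_t overread_for_field(size_t off, size_t len, char *out)
{
    size_t examined;
    strlcpy_model(out, arena + off, len + 1, &examined);
    return off + examined > REC_LEN ? off + examined - REC_LEN : 0;
}

/* Bounded copy driven by the field width, never by a terminator in src. */
static size_t copy_field(char *dst, size_t dsize, const char *field, size_t flen)
{
    if (dsize == 0)
        return 0;
    size_t n = flen < dsize - 1 ? flen : dsize - 1;
    memcpy(dst, field, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char a[16], b[16];
    size_t over = overread_for_field(CITY_OFF, CITY_LEN, a);
    size_t n = copy_field(b, sizeof b, arena + CITY_OFF, CITY_LEN);
    printf("strlcpy-style \"%s\": %zu bytes past record; bounded \"%s\": %zu copied\n", a, over, b, n);
    return 0;
}
```

Both copies produce the same destination string, which is why the defect only shows up under an allocator or tool that traps the out-of-bounds read.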

History

 [2014-10-28 08:21 UTC] alan_k@php.net
Automatic comment from SVN on behalf of alan_k
Revision: http://svn.php.net/viewvc/?view=revision&revision=335148
Log: fix Bug #68289 - do not assume null terminated strings - by otto at drijf dot net
 [2014-10-28 08:22 UTC] alan_k@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: alan_k
 [2014-10-28 08:22 UTC] alan_k@php.net
Thanks - applied to svn.