php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68637 Segmentation fault in function php_strlcpy
Submitted: 2014-12-23 12:20 UTC Modified: 2021-06-20 04:22 UTC
Votes:3
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: xoJIog at inbox dot lv Assigned: cmb (profile)
Status: No Feedback Package: Reproducible crash
PHP Version: 5.5.20 OS: gentoo
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: xoJIog at inbox dot lv
New email:
PHP Version: OS:

 

 [2014-12-23 12:20 UTC] xoJIog at inbox dot lv
Description:
------------
PHP segfaults when src is null in function php_strlcpy

Expected result:
----------------
expected to check src

Actual result:
--------------
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x084e4795 in php_strlcpy (dst=0xbd55f35c "", src=0x0, siz=1024) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/strlcpy.c:78
78      /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/strlcpy.c: No such file or directory.
(gdb) bt
#0  0x084e4795 in php_strlcpy (dst=0xbd55f35c "", src=0x0, siz=1024) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/strlcpy.c:78
#1  0x082085a0 in mm_login (mb=0xbd55efbc, user=0xbd55f35c "", pwd=0xbd55f75c "", trial=0) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/imap/php_imap.c:5098
#2  0xa69a2e0b in imap_login () from /usr/lib/libc-client.so.1
#3  0xa69a1a17 in imap_open () from /usr/lib/libc-client.so.1
#4  0xa696dfd0 in mail_open_work () from /usr/lib/libc-client.so.1
#5  0xa696d943 in mail_open () from /usr/lib/libc-client.so.1
#6  0x081f82a2 in zif_imap_reopen (ht=3, return_value=0xce1ea48, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/imap/php_imap.c:1327
#7  0x085a75db in zend_do_fcall_common_helper_SPEC (execute_data=0xa42d4194) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:550
#8  0x085a7d4f in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xa42d4194) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:685
#9  0x085a6d2b in execute_ex (execute_data=0xa42d4194) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:363
#10 0x085a6db9 in zend_execute (op_array=0xce00274) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:388
#11 0x08554b6d in zend_call_function (fci=0xbd560d74, fci_cache=0xbd560d60) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_execute_API.c:937
#12 0x0839a748 in zif_call_user_func_array (ht=2, return_value=0xce24148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/standard/basic_functions.c:4806
#13 0x085a75db in zend_do_fcall_common_helper_SPEC (execute_data=0xa42d409c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:550
#14 0x085a7d4f in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xa42d409c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:685
#15 0x085a6d2b in execute_ex (execute_data=0xa42d409c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:363
#16 0x085a6db9 in zend_execute (op_array=0xccddd4c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:388
#17 0x08554b6d in zend_call_function (fci=0xbd560f94, fci_cache=0xbd560f80) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_execute_API.c:937
#18 0x0839a748 in zif_call_user_func_array (ht=2, return_value=0xccfaff0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/standard/basic_functions.c:4806
#19 0x085a75db in zend_do_fcall_common_helper_SPEC (execute_data=0xa42d3b08) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:550
#20 0x085a7d4f in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xa42d3b08) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:685
#21 0x085a6d2b in execute_ex (execute_data=0xa42d3b08) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:363
#22 0x085a6db9 in zend_execute (op_array=0xa42ef25c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:388
#23 0x08568228 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend.c:1330
#24 0x084d4ece in php_execute_script (primary_file=0xbd565464) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/main.c:2506
#25 0x08626668 in main (argc=5, argv=0xbd5655b4) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1949


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-23 15:04 UTC] xoJIog at inbox dot lv
--- main/strlcpy.c.orig 2014-12-23 14:23:25.451809947 +0200
+++ main/strlcpy.c      2014-12-23 14:25:13.439982613 +0200
@@ -73,7 +73,7 @@
        register size_t n = siz;
 
        /* Copy as many bytes as will fit */
-       if (n != 0 && --n != 0) {
+       if (n != 0 && --n != 0 && src) {
                do {
                        if ((*d++ = *s++) == 0)
                                break;
 [2021-06-09 14:40 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-06-09 14:40 UTC] cmb@php.net
> expected to check src

No.  strlcpy() must not be called on NULL values.

Anyhow, is this still an issue with any of the actively supported
PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-06-20 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC