Bug #72716 php_stream_ftp_stream_close leaks stack memory
Submitted: 2016-07-31 05:18 UTC Modified: 2016-08-04 05:58 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: FTP related
PHP Version: 5.6.24 OS: *
Private report: No CVE-ID: None
 [2016-07-31 05:18 UTC] fernando at null-life dot com
Description:
------------
Description
===========
tmp_line is never assigned a value in this scope, so if an error occurs it will log information from the stack on php_error_docref.

https://github.com/php/php-src/blob/PHP-7.0.9/ext/standard/ftp_fopen_wrapper.c#L111-L117


Code
====

char tmp_line[512];
int result;

/* For write modes close data stream first to signal EOF to server */
result = GET_FTP_RESULT(controlstream);
if (result != 226 && result != 250) {
	/* tmp_line is formatted with %s here without having been written in this scope */
	php_error_docref(NULL, E_WARNING, "FTP server error %d:%s", result, tmp_line);
}

Fix
===
There's probably a missing call to php_stream_notify_error here. 



Test script:
---------------
Not available 

Expected result:
----------------
No warnings

Actual result:
--------------
valgrind output

==22586== Use of uninitialised value of size 4
==22586==    at 0x4DC528B: ____strtol_l_internal (strtol_l.c:435)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4DC52CE: ____strtol_l_internal (strtol_l.c:437)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Use of uninitialised value of size 4
==22586==    at 0x4DC5394: ____strtol_l_internal (strtol_l.c:461)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4DC5327: ____strtol_l_internal (strtol_l.c:479)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4830387: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22586==    by 0x29BC3E: ??? (in /usr/bin/php7.0)
==22586==    by 0x29CC57: vspprintf (in /usr/bin/php7.0)
==22586==    by 0x16FC9E: ??? (in /usr/bin/php7.0)
==22586==    by 0x1719A1: zend_error (in /usr/bin/php7.0)
==22586==    by 0x1709ED: php_verror (in /usr/bin/php7.0)
==22586==    by 0x170A82: php_error_docref0 (in /usr/bin/php7.0)
==22586==    by 0x28085F: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
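A reduced C model of the pattern in this report, added here as an example and not code from php-src: read_result() is a stand-in for GET_FTP_RESULT that returns -1 without writing the buffer when the server sends no reply (a constructed case), close_unsafe() keeps the unwritten tmp_line from the report for comparison, and close_safe() applies the change named in the commit log, initializing the buffer before the read, so a failed read yields an empty string rather than stack contents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 512
/* Stand-in for GET_FTP_RESULT (assumption, not php-src): copy the reply into
 * buf and parse the 3-digit code. reply == NULL models a server that closed
 * without answering: return -1 and leave buf exactly as the caller had it. */
static int read_result(const char *reply, char *buf, size_t buflen)
{
    if (reply == NULL)
        return -1;
    strncpy(buf, reply, buflen - 1);
    buf[buflen - 1] = '\0';
    return (int)strtol(buf, NULL, 10);
}
/* Shape from the report: tmp_line is never written on the failure path, so the
 * "%s" formats whatever bytes are on the stack. Kept for comparison only and
 * never called here: reading tmp_line in that state is undefined behaviour. */
static void close_unsafe(const char *reply, char *warning, size_t wlen)
{
    char tmp_line[LINE_MAX_LEN];
    int result = read_result(reply, tmp_line, sizeof tmp_line);
    if (result != 226 && result != 250)
        snprintf(warning, wlen, "FTP server error %d:%s", result, tmp_line);
    else
        warning[0] = '\0';
}

/* Fixed shape: an empty string is in the buffer before the read, so a failed
 * read produces "FTP server error -1:" and nothing from the stack. */
static void close_safe(const char *reply, char *warning, size_t wlen)
{
    char tmp_line[LINE_MAX_LEN];
    tmp_line[0] = '\0';            /* initialize buffer before read */
    int result = read_result(reply, tmp_line, sizeof tmp_line);
    if (result != 226 && result != 250)
        snprintf(warning, wlen, "FTP server error %d:%s", result, tmp_line);
    else
        warning[0] = '\0';
}

int main(void)
{
    char w[LINE_MAX_LEN + 64];
    (void)close_unsafe;                     /* referenced only, never called */
    close_safe(NULL, w, sizeof w);          /* constructed: no reply at all */
    printf("%s\n", w);                      /* FTP server error -1: */
}
```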


Patches

Pull Requests

History

 [2016-08-04 05:58 UTC] stas@php.net
-Type: Security +Type: Bug -PHP Version: 7.0.9 +PHP Version: 5.6.24
 [2016-08-04 05:58 UTC] stas@php.net
Doesn't look like a security issue - error messages should not be displayed in production.
 [2016-08-04 06:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f861b60710639557635e9f3cf13bf9cbf8872cd
Log: Fix bug #72716 - initialize buffer before read
 [2016-08-04 06:04 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c291f0fa0c8b8c6994f521f5863c407494eb1dc
Log: Fix bug #72716 - initialize buffer before read
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f861b60710639557635e9f3cf13bf9cbf8872cd
Log: Fix bug #72716 - initialize buffer before read
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC