Bug #74983 SIGABRT when function put_dbf_field is called due to a possible buffer overflow
Submitted: 2017-07-24 20:59 UTC Modified: 2019-03-31 15:48 UTC
From: enekochan at gmail dot com Assigned: cmb (profile)
Status: Closed Package: dbase (PECL)
PHP Version: 7.0 OS: Mac OS X
Private report: No CVE-ID: None
 [2017-07-24 20:59 UTC] enekochan at gmail dot com
Description:
------------
When using dbase package in Mac OS X this error is raised when a record is written to disk, for example using dbase_replace_record.


Magick: abort due to signal 6 (SIGABRT) "Abort"...
Abort trap: 6

The problem (AFAIK) is due to a buffer overflow when copying the data to the disk in the put_dbf_field function in dbf_head.c file. If I change this in line 193 of dbf_head.c:

strlcpy(dbfield.dbf_name, dbf->db_fname, DBF_NAMELEN + 1);

To this:

strlcpy(dbfield.dbf_name, dbf->db_fname, DBF_NAMELEN);

Everything works fine.

I've tested this patch also in Ubuntu and CentOS and it works fine even if the error does not happen there.

Test script:
---------------
<?php
// Increase by 1 the value of NFACCLI_A column for the first row in Claves table
$field = 'NFACCLI_A'; // Column name
$recordNumber = 1;
$value = 0;
$tablePath = realpath(sprintf('./%s.dbf', 'Claves')); // Set the table name
$resource = dbase_open($tablePath, 2);
$header = dbase_get_header_info($resource);

$record = dbase_get_record_with_names($resource, $recordNumber);
if (!is_null($record) && $record) {
    if (array_key_exists($field, $record)) {
        $value = $record[$field];
    }
}

$record[$field] = $value + 1;
$result = dbase_replace_record($resource, array_values($record), $recordNumber);
dbase_close($resource);

Expected result:
----------------
No errors

Actual result:
--------------
A SIGABRT

Patches

Pull Requests

History

 [2017-07-24 21:02 UTC] enekochan at gmail dot com
I forgot to say that even 'make' gives a warning for that buffer overflow when compiling the module:

/Users/enekochan/Downloads/dbase-7.0.0beta1/dbf_head.c:193:2: warning:
      '__builtin___strlcpy_chk' will always overflow destination buffer
      [-Wbuiltin-memcpy-chk-size]
        strlcpy(dbfield.dbf_name, dbf->db_fname, DBF_NAMELEN + 1);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/secure/_string.h:105:3: note: expanded from macro 'strlcpy'
  __builtin___strlcpy_chk (dest, src, len, __darwin_obsz (dest))
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
 [2017-07-24 21:08 UTC] enekochan at gmail dot com
-PHP Version: Irrelevant +PHP Version: 7.0
 [2017-07-24 21:08 UTC] enekochan at gmail dot com
Affects PHP 7.0 version module
 [2017-08-07 04:14 UTC] alan_k@php.net
A patch is needed - I'm not sure there are any active developers for dbase at present.
 [2019-03-31 15:40 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2019-03-31 15:40 UTC] cmb@php.net
Indeed, this is obviously an off-by-one error, and can lead to
overflow the `dbfield.dbf_name` buffer by one char, which would be
completely harmless, though, since in this case a zero would be
written into `dbfield.dbf_type`, which already holds a zero.
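The off-by-one described above, as an added example that is not code from the dbase extension: it assumes DBF_NAMELEN is 11 and that dbf_type directly follows dbf_name in the struct (as the comment implies), and uses a local bsd_strlcpy stand-in so it builds on systems without strlcpy. Unlike put_dbf_field, it assigns dbf_type before the copy so the one-byte clobber is observable.

```c
#include <stddef.h>
#include <string.h>

/* Assumed, not taken from the report: DBF_NAMELEN is 11 and dbf_type
 * immediately follows dbf_name in the on-disk field descriptor struct. */
#define DBF_NAMELEN 11

struct dbf_dfield {
    char dbf_name[DBF_NAMELEN];   /* 11 bytes: up to 10 name chars + NUL */
    char dbf_type;                /* sits at offset DBF_NAMELEN */
    unsigned char dbf_rest[20];   /* placeholder for the remaining descriptor bytes */
};

/* Portable stand-in for BSD strlcpy (glibc only added it in 2.38): copies at
 * most size-1 bytes, NUL-terminates whenever size > 0, returns strlen(src). */
static size_t bsd_strlcpy(char *dst, const char *src, size_t size)
{
    size_t n = strlen(src);
    if (size > 0) {
        size_t copy = n < size - 1 ? n : size - 1;
        memcpy(dst, src, copy);
        dst[copy] = '\0';
    }
    return n;
}

/* Buggy variant from the report: size is sizeof(dbf_name) + 1, so a name of
 * DBF_NAMELEN characters lands its NUL terminator in dbf_type.
 * Returns whatever dbf_type holds after the copy. */
char put_name_buggy(struct dbf_dfield *f, const char *name, char type)
{
    memset(f, 0, sizeof *f);
    f->dbf_type = type;
    bsd_strlcpy(f->dbf_name, name, DBF_NAMELEN + 1);
    return f->dbf_type;
}

/* Fixed variant: size equals the destination size, so the terminator stays
 * inside dbf_name (an 11-char name is truncated to 10 chars). */
char put_name_fixed(struct dbf_dfield *f, const char *name, char type)
{
    memset(f, 0, sizeof *f);
    f->dbf_type = type;
    bsd_strlcpy(f->dbf_name, name, DBF_NAMELEN);
    return f->dbf_type;
}
```

A name shorter than DBF_NAMELEN (such as NFACCLI_A from the test script) never triggers the overwrite; only a name that fills the buffer does, which is why the bug went unnoticed until the fortified strlcpy on macOS aborted at the call.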
 [2019-03-31 15:43 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=347106
Log: Fix #74983: SIGABRT when function put_dbf_field is called

We fix the harmless off-by-one error to make analyzers and checkers
happy.  Unfortunately, we cannot add a reasonable test case, since the
bug would not cause malfunctions, or even be detectable by valgrind.
 [2019-03-31 15:48 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2021-04-06 10:18 UTC] git@php.net
Automatic comment on behalf of 
Revision: https://github.com/php/pecl-database-dbase/commit/7bf9d87634765727417a2b402cb5e7abbb78e5c2
Log: Fix #74983: SIGABRT when function put_dbf_field is called
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC