Bug #81563 SIGSEGV reading dbase file with few data
Submitted: 2021-10-28 20:54 UTC
Modified: 2021-10-29 12:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ckoinig at codegraft dot com
Assigned: cmb
Status: Closed
Package: dbase (PECL)
PHP Version: Irrelevant
OS: any
Private report: No
CVE-ID: None
 [2021-10-28 20:54 UTC] ckoinig at codegraft dot com
Description:
------------
The dbf included in the test script below causes a SIGSEGV (null pointer de-reference) in php_dbase_get_record.

On cursory debugging it appears that EOF is encountered while reading the file which leaves db_format as NULL.

It's possible that the dbase is invalid, however it opens fine in various applications, for example dbview.



Test script:
---------------
<?php
// write temp. dbase file
$data = base64_decode('A3cBEAEAAACBAB0AAAAAAAAAAAAAAAAAAAAAAAAAAABTQ0hMQUdOUgAAAE4AAAAACgAAAAAAAAAAAAAAAAAAAFRFSUxTQ0hMQUcAQwAAAAACAAAAAAAAAAAAAAAAAAAARkxJSwAAAAAAAABDAAAAABAAAAAAAAAAAAAAAAAAAAANICAgICAgMTIzNDVhIERFTldMSTA1NDYxMzI3Nzca');
$tmpFile = tmpfile();
fwrite($tmpFile, $data);
fflush($tmpFile);
$path = stream_get_meta_data($tmpFile)['uri'];

$db = dbase_open($path, 0);

$n = dbase_numrecords($db);
for ($index=1; $index<=$n; $index++) {
    // crash here
    $record = dbase_get_record_with_names($db, $index);
    print_r($record);
}
dbase_close($db);

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff561cb4c in php_dbase_get_record (return_value=0x7ffff5414ec0, assoc=1, execute_data=<optimized out>)
    at /tmp/pecl-database-dbase/dbase.c:456
456			if (*cur_f->db_format) {
(gdb) bt
#0  0x00007ffff561cb4c in php_dbase_get_record (return_value=0x7ffff5414ec0, assoc=1, execute_data=<optimized out>)
    at /tmp/pecl-database-dbase/dbase.c:456
#1  0x00007ffff563607d in xdebug_execute_internal (current_execute_data=0x7ffff5415020, return_value=0x7ffff5414ec0) at ./build-7.4/src/base/base.c:897
#2  0x0000555555883ebb in execute_ex ()
#3  0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414cd0) at ./build-7.4/src/base/base.c:779
#4  0x00005555557ee5df in zend_call_function ()
#5  0x0000555555731dff in ?? ()
#6  0x00007ffff563607d in xdebug_execute_internal (current_execute_data=0x7ffff5414c60, return_value=0x7ffff5414c50) at ./build-7.4/src/base/base.c:897
#7  0x0000555555883ebb in execute_ex ()
#8  0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414980) at ./build-7.4/src/base/base.c:779
#9  0x0000555555883e08 in execute_ex ()
#10 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54148f0) at ./build-7.4/src/base/base.c:779
#11 0x0000555555883e08 in execute_ex ()
#12 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414840) at ./build-7.4/src/base/base.c:779
#13 0x0000555555883e08 in execute_ex ()
#14 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414770) at ./build-7.4/src/base/base.c:779
#15 0x0000555555883e08 in execute_ex ()
#16 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54145c0) at ./build-7.4/src/base/base.c:779
#17 0x0000555555883e08 in execute_ex ()
#18 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54141b0) at ./build-7.4/src/base/base.c:779
#19 0x0000555555883e08 in execute_ex ()
#20 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5413350) at ./build-7.4/src/base/base.c:779
#21 0x0000555555883c8e in execute_ex ()
#22 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54131f0) at ./build-7.4/src/base/base.c:779
#23 0x0000555555883c8e in execute_ex ()
#24 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5413020) at ./build-7.4/src/base/base.c:779
#25 0x0000555555886cab in zend_execute ()
#26 0x00005555557fd1fc in zend_execute_scripts ()
#27 0x000055555579c930 in php_execute_script ()
#28 0x0000555555888dea in ?? ()
#29 0x0000555555661ec8 in ?? ()


 [2021-10-29 12:17 UTC] cmb@php.net
-Summary: SIGSEGV reading dbase file
+Summary: SIGSEGV reading dbase file with few data
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb
 [2021-10-29 12:17 UTC] cmb@php.net
Thanks for reporting this issue!  The .dbf is perfectly fine, but
the actual data are just so few that it triggers an erroneous
edge-case of the fix for bug #78668.
 [2021-10-29 15:37 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/pecl-database-dbase/commit/4259c681c11fe60c9347d79a573b95c7ea2c5b4e
Log: Fix #81563: SIGSEGV reading dbase file with few data
 [2021-10-29 15:37 UTC] git@php.net
-Status: Verified
+Status: Closed
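
The report asks whether the .dbf might be invalid, and the maintainer's comment says it is fine but holds very little data. As an added example (not code from the report or from the dbase extension), this Python script parses the dBase III layout of the reproducer from the test script and checks its internal consistency; `inspect_dbf` and the constant names are hypothetical, and the checks apply to any file with this header layout, not just this one.

```python
import base64
import struct

# Reproducer bytes from the report's test script (same base64, split by line).
SAMPLE = base64.b64decode(
    "A3cBEAEAAACBAB0AAAAAAAAAAAAAAAAAAAAAAAAA"
    "AABTQ0hMQUdOUgAAAE4AAAAACgAAAAAAAAAAAAAAAAAA"
    "AFRFSUxTQ0hMQUcAQwAAAAACAAAAAAAAAAAAAAAAAAAA"
    "RkxJSwAAAAAAAABDAAAAABAAAAAAAAAAAAAAAAAA"
    "AAANICAgICAgMTIzNDVhIERFTldMSTA1NDYxMzI3Nzca"
)

HEADER_SIZE = 32   # fixed dBase III file header
FIELD_SIZE = 32    # one field descriptor
TERMINATOR = 0x0D  # ends the field descriptor array


def inspect_dbf(data: bytes) -> dict:
    """Hypothetical helper: parse and sanity-check a dBase III layout."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than the 32-byte file header")
    # Offset 4: record count (u32), header length (u16), record length (u16).
    records, header_len, record_len = struct.unpack_from("<IHH", data, 4)
    if header_len > len(data):
        raise ValueError("header length exceeds file size")
    fields, off = [], HEADER_SIZE
    while off < header_len and data[off] != TERMINATOR:
        if off + FIELD_SIZE > header_len:
            raise ValueError("field descriptor crosses end of header")
        name = data[off:off + 11].split(b"\0", 1)[0].decode("ascii", "replace")
        fields.append((name, chr(data[off + 11]), data[off + 16]))
        off += FIELD_SIZE
    if off >= header_len:
        raise ValueError("no 0x0D terminator inside the header")
    # Each record is one deletion-flag byte plus the field widths.
    if 1 + sum(width for _, _, width in fields) != record_len:
        raise ValueError("field widths do not add up to record length")
    if header_len + records * record_len > len(data):
        raise ValueError("file too short for the declared record count")
    return {"records": records, "header_len": header_len,
            "record_len": record_len, "fields": fields,
            "bytes_after_header": len(data) - header_len}


if __name__ == "__main__":
    print(inspect_dbf(SAMPLE))
```

For the reproducer this reports one 29-byte record and 30 bytes after the 129-byte header, which matches the maintainer's statement that the file is valid and simply small. Running such a check in a separate process lets a service reject malformed uploads before they reach the extension, while the crash itself is addressed by the commit referenced in the thread.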
Last updated: Sun Dec 22 10:01:28 2024 UTC