php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16940 openssl_private_decrypt segsev
Submitted: 2002-05-01 03:14 UTC Modified: 2002-05-01 04:20 UTC
From: isilva at -NOSPAM-iis dot com dot br Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 4.2.0 OS: Slackware Linux 2.4.18
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: isilva at -NOSPAM-iis dot com dot br
New email:
PHP Version: OS:

 

 [2002-05-01 03:14 UTC] isilva at -NOSPAM-iis dot com dot br
When trying to decrypt a wrong cypher php sigsev's. As far as I could analyse, when decrypting if something goes wrong the actual code leave just garbage on the memory area where should some data. The backtrace folows.

'./configure' '--with-apache=../apache_1.3.24' '--with-config-file-path=/var/lib/apache/conf' '--enable-sysvsem' '--enable-sysvshm' '--enable-sigchild' '--enable-shmop' '--enable-mailparse' '--enable-magic-quotes' '--enable-bcmath' '--enable-trans-sid' '--enable-track-vars' '--enable-sockets' '--enable-calendar' '--enable-dbase' '--enable-ftp' '--with-zip=../zziplib-0.10.27' '--with-zlib' '--with-bz2' '--with-gzip' '--with-db' '--with-db2' '--with-gdbm' '--with-mysql=/usr/local' '--with-xml' '--with-expat-dir=../expat-1.95.2' '--with-gd=../gd-1.8.4' '--with-png-dir=/usr' '--with-jpeg-dir=/usr' '--with-imap=../c-client' '--with-imap-ssl=/etc/ssl' '--with-mcrypt=../libmcrypt-2.5.0' '--with-openssl=/usr' '--with-gettext=/usr' '--with-mcal=../libmcal' '--enable-debug'


Program received signal SIGSEGV, Segmentation fault.
0x08192395 in _efree (ptr=0x17, __zend_filename=0x829a43a "openssl.c",
    __zend_lineno=2413, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at zend_alloc.c:222
222       CALCULATE_REAL_SIZE_AND_CACHE_INDEX(p->size);
(gdb) bt
#0  0x08192395 in _efree (ptr=0x17, __zend_filename=0x829a43a "openssl.c",
    __zend_lineno=2413, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at zend_alloc.c:222
#1  0x0811de8a in zif_openssl_private_decrypt (ht=4, return_value=0x84c3e4c,
    this_ptr=0x0, return_value_used=0) at openssl.c:2413
#2  0x081c9023 in execute (op_array=0x84c1c1c) at ./zend_execute.c:1598
#3  0x081a3c90 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:810
#4  0x080cc4d6 in php_execute_script (primary_file=0xbffff3d0) at main.c:1381
#5  0x081aee57 in apache_php_module_main (r=0x847d334, display_source_mode=0)
    at sapi_apache.c:90
#6  0x080c8c26 in send_php ()
#7  0x080c8c83 in send_parsed_php ()
#8  0x081d31f3 in ap_invoke_handler ()
#9  0x081e7ba1 in process_request_internal ()
#10 0x081e7fcc in ap_internal_redirect ()
#11 0x0808ba4b in mod_gzip_redir1_handler ()
#12 0x0808a3d5 in mod_gzip_handler ()
#13 0x081d31f3 in ap_invoke_handler ()
#14 0x081e7ba1 in process_request_internal ()
#15 0x081e7c00 in ap_process_request ()
#16 0x081def65 in child_main ()
#17 0x081df114 in make_child ()
#18 0x081df26f in startup_children ()
#19 0x081df8c0 in standalone_main ()
#20 0x081e0087 in main ()
#21 0x4033d74f in __libc_start_main () from /lib/libc.so.6

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-05-01 03:15 UTC] isilva at -NOSPAM-iis dot com dot br
will try to fix.
 [2002-05-01 03:34 UTC] wez@php.net
Please include a short script that reproduces this error.
 [2002-05-01 03:58 UTC] wez@php.net
I believe that I have found the problem; the zend_error call uses a %s format specifier, but does not provide a string to print out.
I've committed a fix; please try a stable snapshot from snaps.php.net created some time after this report is dated (to make sure you have one with the fix).

 [2002-05-01 03:59 UTC] isilva at -NOSPAM-iis dot com dot br
I did found the error.

cryptedbuf should be initialized as NULL, but was being initialized as a normal, out of bounds pointer.

lines 2362 and 2483, where is written

unsigned char *cryptedbuf;

should be

unsigned char *cryptedbuf = NULL;

That solve the problem.
 [2002-05-01 04:01 UTC] isilva at -NOSPAM-iis dot com dot br
I did saw that error and thought that that was the error at first, but was not successfull. initializing cryptedbuf as NULL did solve the problem.

Thanks for the help.
 [2002-05-01 04:20 UTC] wez@php.net
I was just about to write what you mentioned but my connection dropped.  The fix was already in CVS HEAD,
but not in 4.2.
Thanks for your help in reporting this: the fix will be
in 4.2.1.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Dec 02 04:01:24 2020 UTC