Bug #254 write outside an array
Submitted: 1998-04-07 13:34 UTC
Modified: 1998-04-08 00:49 UTC
From: bonnaud at irisa dot fr
Assigned:
Status: Closed
Package: Reproducible Crash
PHP Version: 3.0 Release Candidate 3
OS: Solaris
Private report: No
CVE-ID: None
 [1998-04-07 13:34 UTC] bonnaud at irisa dot fr
Hi,

If you launch PHP3 without arguments, in the following code
len==0 and the marked line may cause a crash.

	if (!cgi) {
		if (!GLOBAL(request_info).query_string) {
			for (i = optind, len = 0; i < argc; i++)
				len += strlen(argv[i]) + 1;

			s = malloc(len + 1);	/* leak - but only for command line version, so ok */
			*s = '\0';			/* we are pretending it came from the environment  */
			s[len - 1] = '\0';	/* <-- bug here */
			for (i = optind, len = 0; i < argc; i++) {
				strcat(s, argv[i]);
				if (i < (argc - 1))
					strcat(s, "+");
			}
			GLOBAL(request_info).query_string = s;
		}
		if (!GLOBAL(request_info).filename && argc > optind)
			GLOBAL(request_info).filename = estrdup(argv[optind]);
	}

 [1998-04-08 00:49 UTC] jaakko
That line is completely unnecessary.  I removed it from the current CVS.
If it had been needed, the correct form would have been

  s[len] = '\0';
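
The zero-argument case from this report, handled in an added example that is not PHP's code and not part of the original thread: `join_args` is a hypothetical helper that builds the same '+'-joined string, tracks the write offset instead of indexing back from `len`, and returns an empty string when no arguments are present.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not PHP's code): join argv[first..argc-1] with '+'.
 * Returns a malloc'd NUL-terminated string, "" when there are no
 * arguments, or NULL on bad input, length overflow or allocation failure. */
char *join_args(int argc, char **argv, int first)
{
	size_t total = 0, off = 0;
	char *s;
	int i;

	if (first < 0)
		return NULL;
	for (i = first; i < argc; i++) {
		size_t n = strlen(argv[i]) + 1;	/* argument plus '+' or NUL */
		if (n > SIZE_MAX - 1 - total)
			return NULL;		/* total + 1 would wrap */
		total += n;
	}
	/* total == 0 with no arguments: still allocate one byte for the NUL */
	s = malloc(total + 1);
	if (s == NULL)
		return NULL;

	for (i = first; i < argc; i++) {
		size_t n = strlen(argv[i]);
		memcpy(s + off, argv[i], n);
		off += n;
		if (i < argc - 1)
			s[off++] = '+';
	}
	s[off] = '\0';	/* off never exceeds total, so this stays in the buffer */
	return s;
}

int main(int argc, char **argv)
{
	char *q = join_args(argc, argv, 1);	/* "" when run with no arguments */
	if (q == NULL)
		return 1;
	printf("query_string=\"%s\"\n", q);
	free(q);
	return 0;
}
```
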


 [2011-05-16 17:50 UTC] dtajchreber@php.net
Automatic comment from SVN on behalf of dtajchreber
Revision: http://svn.php.net/viewvc/?view=revision&revision=311094
Log: Doc Bug #54753 - Missing default value in msg_get_queue prototype - added default value for perms in signature

http://lxr.php.net/opengrok/xref/PHP_5_3/ext/sysvmsg/sysvmsg.c#254
 