php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26615 exec crash on long input lines
Submitted: 2003-12-13 12:59 UTC Modified: 2003-12-13 13:52 UTC
From: runekl at opoint dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 5CVS-2003-12-13 (dev) OS: All
Private report: No CVE-ID:
 [2003-12-13 12:59 UTC] runekl at opoint dot com
Description:
------------
If the command ran by exec outputs a line that is 2*EXEC_INPUT_BUF longer than the previous line a segfault may occur.  It is not difficult to see why this happens just by reading the source code.

In exec.c, line 118, reads

if (buflen < (bufl + EXEC_INPUT_BUF)) {

This condition is correct only the first time, e.g when b=buf.  I think the like should be

if (buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)) {


Reproduce code:
---------------
#!/usr/local/bin/php
<?php
$out = array();
$status = -1;
exec('/usr/bin/seq 5000 | tr \'\n\' \' \'', $out, $status);
print_r($out);
?>

Expected result:
----------------
Numbers from 1 to 5000 separated by blanks on one line.

Actual result:
--------------
segfault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-12-13 13:52 UTC] derick@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Thanks for the "patch"!
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 22:02:05 2014 UTC