PHP :: Bug #41353 :: openssl_pkcs12_read() does not verify the type of the first arg

Bug #41353	openssl_pkcs12_read() does not verify the type of the first arg
Submitted:	2007-05-10 13:23 UTC	Modified:	2007-05-13 17:37 UTC
From:	tony2001@php.net	Assigned:
Status:	Closed	Package:	OpenSSL related
PHP Version:	5CVS-2007-05-10 (CVS)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-05-10 13:23 UTC] tony2001@php.net

Description:
------------
Function openssl_pkcs12_read() does not check the type of the first argument and uses it as a string in the call to BIO_write().
So if you pass a number as the first parameter, BIO_write() is called with a garbage params and segfaults.

Reproduce code:
---------------
$a = 2;
openssl_pkcs12_read(1, $a, 1);

Actual result:
--------------
(gdb) r -r '$a = 2; openssl_pkcs12_read(1, $a, 1);'
Starting program: /home/tony/php-src_5_2/sapi/cli/php -r '$a = 1; openssl_pkcs12_read(1, $a, 1);'
[Thread debugging using libthread_db enabled]
[New Thread 182900459904 (LWP 1209)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 182900459904 (LWP 1209)]
0x00000031aef70bc0 in memcpy () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00000031aef70bc0 in memcpy () from /lib64/tls/libc.so.6
#1  0x0000000000ac9f4b in mem_write ()
#2  0x0000000000ac9136 in BIO_write ()
#3  0x0000000000499009 in zif_openssl_pkcs12_read (ht=3, return_value=0x2a95b92fe8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x1080450)
    at /home/tony/php-src_5_2/ext/openssl/openssl.c:1565
#4  0x0000000000a1693e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbffff1b0, tsrm_ls=0x1080450) at zend_vm_execute.h:200
#5  0x0000000000a1c49a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fbffff1b0, tsrm_ls=0x1080450) at zend_vm_execute.h:1681
#6  0x0000000000a16246 in execute (op_array=0x2a95b928a0, tsrm_ls=0x1080450) at zend_vm_execute.h:92
#7  0x00000000009cc67e in zend_eval_string (str=0x7fbffffbf9 "$a = 1; openssl_pkcs12_read(1, $a, 1);", retval_ptr=0x0, string_name=0xdfa8fc "Command line code",
    tsrm_ls=0x1080450) at /home/tony/php-src_5_2/Zend/zend_execute_API.c:1148
#8  0x00000000009cc8ca in zend_eval_string_ex (str=0x7fbffffbf9 "$a = 1; openssl_pkcs12_read(1, $a, 1);", retval_ptr=0x0, string_name=0xdfa8fc "Command line code",
    handle_exceptions=1, tsrm_ls=0x1080450) at /home/tony/php-src_5_2/Zend/zend_execute_API.c:1182
#9  0x0000000000a92527 in main (argc=3, argv=0x7fbffff9e8) at /home/tony/php-src_5_2/sapi/cli/php_cli.c:1177

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-05-13 17:37 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 08:00:02 2025 UTC