Bug #42365 glob() crashes with invalid flags
Submitted: 2007-08-21 18:59 UTC Modified: 2007-08-22 15:00 UTC
From: crrodriguez at suse dot de Assigned: jani
Status: Closed Package: Reproducible crash
PHP Version: 5CVS-2007-08-21 (CVS) OS: Linux
Private report: No CVE-ID:
 [2007-08-21 18:59 UTC] crrodriguez at suse dot de
Description:
------------
The glob() function crashes when you pass GLOB_ALTDIRFUNC (512) as a flag; in short, glob should only accept the flags it really supports.

Reproduce code:
---------------
./php5/sapi/cli/php -r 'var_dump(glob("*",512));'

Expected result:
----------------
Only the supported options whitelisted and/or at least GLOB_ALTDIRFUNC and GLOB_APPEND blacklisted.

Actual result:
--------------
gdb --args ./php5/sapi/cli/php -r 'var_dump(glob("*",512));'
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-suse-linux"...Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) run
Starting program: /home/cristian/php5/sapi/cli/php -r var_dump\(glob\(\"\*\",512\)\)\;

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt full
#0  0x0000000000000000 in ?? ()
No symbol table info available.
#1  0x00002b8a1b81ad62 in glob_in_dir () from /lib64/libc.so.6
No symbol table info available.
#2  0x00002b8a1b81b9bd in glob64 () from /lib64/libc.so.6
No symbol table info available.
#3  0x000000000060fff1 in zif_glob (ht=2, return_value=0xc968d8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/cristian/php5/ext/standard/dir.c:417
        cwd_skip = 0
        pattern = 0xc96880 "*"
        pattern_len = 1
        flags = 512
        globbuf = {gl_pathc = 0, gl_pathv = 0x0, gl_offs = 0, gl_flags = 0, gl_closedir = 0, gl_readdir = 0, gl_opendir = 0, gl_lstat = 0, gl_stat = 0}
        n = 0
        ret = -1877809728
#4  0x00000000007319d6 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff9012e640) at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0xc965d0
        original_return_value = (zval **) 0xb208d0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 1
        should_change_scope = 0 '\0'
        ctor_opline = (zend_op *) 0x50072fb1b
#5  0x0000000000738190 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff9012e640) at /home/cristian/php5/Zend/zend_vm_execute.h:1681
        opline = (zend_op *) 0xc965d0
        fname = (zval *) 0xc96600
#6  0x000000000073141e in execute (op_array=0xc96288) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0xc965d0, function_state = {function_symbol_table = 0x0, function = 0xb208f0, reserved = {0x7fff9012e690, 0x0, 0x0, 0x0}}, fbc = 0x0,
---Type <return> to continue, or q <return> to quit---
  op_array = 0xc96288, object = 0x0, Ts = 0x7fff9012e5c0, CVs = 0x7fff9012e5b0, original_in_execution = 0 '\0', symbol_table = 0xadc528, prev_execute_data = 0x0,
  old_error_reporting = 0x0}
#7  0x00000000006f87dd in zend_eval_string (str=0x7fff90130f4b "var_dump(glob(\"*\",512));", retval_ptr=0x0, string_name=0x84052c "Command line code")
    at /home/cristian/php5/Zend/zend_execute_API.c:1171
        local_retval_ptr = (zval *) 0x0
        original_return_value_ptr_ptr = (zval **) 0x0
        original_opline_ptr = (zend_op **) 0x0
        pv = {value = {lval = 13194888, dval = 6.5191408615229139e-317, str = {val = 0xc95688 "var_dump(glob(\"*\",512));", len = 24}, ht = 0xc95688, obj = {handle = 13194888,
      handlers = 0x18}}, refcount = 13384816, type = 6 '\006', is_ref = 0 '\0'}
        new_op_array = (zend_op_array *) 0xc96288
        original_active_op_array = (zend_op_array *) 0x0
        original_function_state_ptr = (zend_function_state *) 0x0
        original_handle_op_arrays = 1 '\001'
        retval = 0
#8  0x00000000006f8981 in zend_eval_string_ex (str=0x7fff90130f4b "var_dump(glob(\"*\",512));", retval_ptr=0x0, string_name=0x84052c "Command line code", handle_exceptions=1)
    at /home/cristian/php5/Zend/zend_execute_API.c:1205
        result = 0
#9  0x000000000078e8dd in main (argc=3, argv=0x7fff9012ec18) at /home/cristian/php5/sapi/cli/php_cli.c:1179
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47872153828320, -69669401190941675, 0, 140735610547216, 0, 0, -69669401190944539, -69801448083912037}, __mask_was_saved = 0, __saved_mask = {
      __val = {0, 0, 140735610546528, 0, 0, 0, 0, 0, 47872151728128, 47872171956992, 47872153830976, 47872153832832, 281474976710656, 0, 0, 0}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x8404d5 "-", opened_path = 0x0, handle = {fd = 464262784, fp = 0x2b8a1bac1680, stream = {handle = 0x2b8a1bac1680,
      reader = 0x2b8a1b794d80 <data.7078+64800>, closer = 0x40e9e0, fteller = 0x100000000, interactive = 1955}}, free_filename = 0 '\0'}
        behavior = 6
        reflection_what = 0x0
        orig_optind = 1
---Type <return> to continue, or q <return> to quit---
        orig_optarg = 0x0
        arg_free = 0x7fff90130f4b "var_dump(glob(\"*\",512));"
        arg_excp = (char **) 0x7fff9012ec28
        script_file = 0x0
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 0
        exec_direct = 0x7fff90130f4b "var_dump(glob(\"*\",512));"
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        ini_entries_len = 110
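The backtrace shows why the flag is fatal: zif_glob passes a zeroed globbuf (gl_opendir = 0, gl_readdir = 0, ...) to glibc, and GLOB_ALTDIRFUNC tells glibc to call those pointers, so execution jumps to 0x0. The following is an added example (not PHP's own code and not the patch linked below) of the whitelist check the reporter asks for; the names glob_flags_supported, checked_glob and SAFE_GLOB_FLAGS are this example's own.

```c
/* Added example, not PHP's own code and not Jani's patch: validate glob()
 * flags against a whitelist before calling libc, as the report asks for. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <glob.h>
#include <string.h>

/* Only flags that change matching or sorting and need nothing from the
 * caller's glob_t. GLOB_ALTDIRFUNC is absent because it makes glibc call the
 * gl_opendir/gl_readdir/... pointers in the glob_t, which are NULL in a zeroed
 * struct (the backtrace shows the jump to 0x0); GLOB_APPEND and GLOB_DOOFFS
 * are absent because they assume a caller-prepared gl_pathv/gl_offs. */
#ifndef GLOB_BRACE
#define GLOB_BRACE 0     /* not every libc has the GNU/BSD brace extension */
#endif
#ifndef GLOB_ONLYDIR
#define GLOB_ONLYDIR 0   /* GNU extension; 0 means "not offered" here */
#endif
#define SAFE_GLOB_FLAGS (GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE \
                         | GLOB_ERR | GLOB_BRACE | GLOB_ONLYDIR)

/* 1 if every bit in flags is whitelisted, 0 otherwise. */
int glob_flags_supported(int flags)
{
    return (flags & ~SAFE_GLOB_FLAGS) == 0;
}

/* Wrapper that refuses unsupported flags instead of passing them to libc.
 * Returns -1 with errno = EINVAL on rejection; otherwise glob()'s own result
 * (0 on success, GLOB_NOMATCH, GLOB_ABORTED or GLOB_NOSPACE). */
int checked_glob(const char *pattern, int flags, glob_t *out)
{
    memset(out, 0, sizeof *out);         /* same zeroed struct as zif_glob */
    if (!glob_flags_supported(flags)) {
        errno = EINVAL;
        return -1;
    }
    return glob(pattern, flags, NULL, out);
}
```

With the check in place the reproducer's flag value is rejected before glibc ever sees it, and the caller must still globfree() the result on a 0 return.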
 [2007-08-22 09:36 UTC] jani@php.net
Verified. Patch under construction.
 [2007-08-22 14:07 UTC] jani@php.net
This is the patch I cooked up:
http://pecl.php.net/~jani/patches/bug42365.patch

Waiting for someone else (tm) to check it out first before committing to CVS. :)
 [2007-08-22 15:00 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 10:02:10 2014 UTC