php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45575 [PATCH] Segfault with invalid non-string as event handler callback
Submitted: 2008-07-21 07:51 UTC Modified: 2008-10-07 18:25 UTC
From: chris_se at gmx dot net Assigned: felipe
Status: Closed Package: InterBase related
PHP Version: 5.2.6 OS: *
Private report: No CVE-ID:
 [2008-07-21 07:51 UTC] chris_se at gmx dot net
Description:
------------
Same problem as with bug #45555 - just for a different extension: The interbase extension accepts arbitrary zvals as callbacks (which is fine) but always uses Z_STRVAL(zval) to display an error message if the callback is invalid. This will cause a segfault if e.g. int(1) is passed as a callback.

The following patch against PHP_5_3 (it also applies against PHP 5.2) solves the problem (there are two places where error messages are generated):

http://www.christian-seiler.de/temp/ibase-5.3.patch

And the same patch ported to HEAD:

http://www.christian-seiler.de/temp/ibase-6.patch

Please note that I only found this bug because I did a source review of all core extensions that call callbacks in order to ensure they are compatible with closures. I have no knowledge or experience whatsoever with Interbase or Firebird so I can't actually test this. But by reading the source it is clear that this will crash PHP (see bug #45555 where the same problem occurred but where I could test the issue).

Reproduce code:
---------------
Probably something like:
ibase_set_event_handler($connection, 1, "whatever");

Expected result:
----------------
Callback argument 1 is not a callable function

Actual result:
--------------
Segmentation fault.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-10-07 18:25 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.

Thanks for the patch. :)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 18:01:53 2014 UTC