PHP :: Bug #45575 :: [PATCH] Segfault with invalid non-string as event handler callback

Bug #45575	[PATCH] Segfault with invalid non-string as event handler callback
Submitted:	2008-07-21 07:51 UTC	Modified:	2008-10-07 18:25 UTC
From:	chris_se at gmx dot net	Assigned:	felipe (profile)
Status:	Closed	Package:	InterBase related
PHP Version:	5.2.6	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2008-07-21 07:51 UTC] chris_se at gmx dot net

Description:
------------
Same problem as with bug #45555 - just for a different extension: The interbase extension accepts arbitrary zvals as callbacks (which is fine) but always uses Z_STRVAL(zval) to display an error message if the callback is invalid. This will cause a segfault if e.g. int(1) is passed as a callback.

The following patch against PHP_5_3 (it also applies against PHP 5.2) solves the problem (there are two places where error messages are generated):

http://www.christian-seiler.de/temp/ibase-5.3.patch

And the same patch ported to HEAD:

http://www.christian-seiler.de/temp/ibase-6.patch

Please note that I only found this bug because I did a source review of all core extensions that call callbacks in order to ensure they are compatible with closures. I have no knowledge or experience whatsoever with Interbase or Firebird so I can't actually test this. But by reading the source it is clear that this will crash PHP (see bug #45555 where the same problem occurred but where I could test the issue).

Reproduce code:
---------------
Probably something like:
ibase_set_event_handler($connection, 1, "whatever");

Expected result:
----------------
Callback argument 1 is not a callable function

Actual result:
--------------
Segmentation fault.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-10-07 18:25 UTC] felipe@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.2, 5.3 and HEAD.

Thanks for the patch. :)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 10:00:01 2025 UTC