php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45580 levenshtein() crashes with invalid arguments (PHP_5_2 only!)
Submitted: 2008-07-21 13:08 UTC Modified: 2008-09-14 05:15 UTC
From: victor dot stinner at haypocalc dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2CVS-2008-07-21 OS: *
Private report: No CVE-ID:
 [2008-07-21 13:08 UTC] victor dot stinner at haypocalc dot com
Description:
------------
Using my fuzzer, I found a bug in levenshtein() function with random 
arguments. The crash occurs in:

#0  0x08297319 in reference_levdist (s1=0x85486f8 "�3[W\217�W\221�", 
l1=9, s2=0x2a <Address 0x2a out of bounds>, l2=2, cost_ins=42,
    cost_rep=0, cost_del=42) 
at /home/haypo/php-5.2.6/ext/standard/levenshtein.c:54
#1  0x08297bee in zif_levenshtein (ht=5, return_value=0x8548680, 
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/haypo/php-5.2.6/ext/standard/levenshtein.c:112
#2  0x083452b5 in zend_do_fcall_common_helper_SPEC 
(execute_data=0xbfddb6a0) 
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:200
#3  0x0834ac85 in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(execute_data=0xbfddb6a0) 
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:1679
#4  0x08344e05 in execute (op_array=0x85480b0) 
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:92
#5  0x0831fd69 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /home/haypo/php-5.2.6/Zend/zend.c:1134
#6  0x082cb708 in php_execute_script (primary_file=0xbfddda20) 
at /home/haypo/php-5.2.6/main/main.c:2005

The bug may comes from "s2=0x2a <Address 0x2a out of bounds>" error.

Reproduce code:
---------------
<?php
$a = 42;
levenshtein("test", &$a, &$a, null, &$a);
?>



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-21 16:03 UTC] jani@php.net
Can not reproduce in PHP_5_3 branch, does crash in current PHP_5_2 branch.
 [2008-09-14 05:15 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 16:02:22 2014 UTC