php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #47252 Memory corruption bug in extract()
Submitted: 2009-01-30 18:31 UTC Modified: 2009-02-07 01:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: a dot boykov at timeweb dot ru Assigned:
Status: No Feedback Package: Arrays related
PHP Version: 5.2.8 OS: Gentoo Linux 2008.0
Private report: No CVE-ID: None
View Developer Edit
 [2009-01-30 18:31 UTC] a dot boykov at timeweb dot ru 
Description:
------------
In function extract() not the length of a line key always is correctly defined. 

Sometimes it is calculated incorrectly and any following operation with this string leads to memory corruption. 

Here an example which has been received at debugging.

name: bDescPageNumbering, len: 6276448

[Fri Jan 30 21:18:08 2009] [notice] child pid 19801 exit signal Segmentation fault (11)

We are used this patch to fix problem:

--- php-5.2.8/ext/standard/array.c  2009-01-30 21:23:25.000000000 +0300
+++ php-5.2.8/ext/standard/array.c  2009-01-30 21:24:35.000000000 +0300
@@ -1397,6 +1397,9 @@
    key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(var_array), &var_name, &var_name_len, &num_key, 0, &pos);
    var_exists = 0;

+    if (key_type == HASH_KEY_IS_STRING)
+      var_name_len = strlen(var_name);
+
    if (key_type == HASH_KEY_IS_STRING) {
      var_name_len--;
      var_exists = zend_hash_exists(EG(active_symbol_table), var_name, var_name_len + 1);


With this patch all works well, but I think it does not exclude a problem source.

name: bDescPageNumbering, len: 18

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-01-30 20:59 UTC] felipe@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.
 [2009-02-03 15:36 UTC] a dot boykov at timeweb dot ru 
To create a simple example, unfortunately, it will not turn out. 

On a simple example all works correctly. 

And in a ready product already there is such error. 

It was possible to spend debugging with the help gdb:

...
0x00007f8b8c8c9073 in select () from /lib/libc.so.6
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8b8d8bd6f0 (LWP 9423)]
zend_hash_exists (ht=0xb37b98, arKey=0x213f000 <Address 0x213f000 out of bounds>, nKeyLength=4620568) at /usr/src/php-5.2.8/Zend/zend_hash.h:260
260			hash = ((hash << 5) + hash) + *arKey++;

(gdb) info program
	Using the running image of attached Thread 0x7f8b8d8bd6f0 (LWP 9423).
Program stopped at 0x7f8b8b856590.
It stopped with signal SIGSEGV, Segmentation fault.

(gdb) info registers
rax            0xef6512c00c2f6985	-1196529509949544059
rbx            0x1faabb8	33205176
rcx            0xeca2580185ed30a0	-1395456170966306656
rdx            0x0	0
rsi            0x213f000	34861056
rdi            0xb37b98	11762584
rbp            0x7f8b8bed55c0	0x7f8b8bed55c0
rsp            0x7fff959d94a0	0x7fff959d94a0
r8             0x468118	4620568
r9             0xdc076ac1921c9a25	-2591985680915850715
r10            0xa	10
r11            0x5fc560	6276448
r12            0x0	0
r13            0x7f8b8beb72a8	140237324645032
r14            0xac47a0	11290528
r15            0x1faabe8	33205224
rip            0x7f8b8b856590	0x7f8b8b856590 <zend_hash_exists+32>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
fctrl          Couldn't get floating point status: No such process.

(gdb) info line
Line 260 of "/usr/src/php-5.2.8/Zend/zend_hash.h" starts at address 0x7f8b8b8557c0 <zend_hash_func+16> and ends at 0x7f8b8b8557c4 <zend_hash_func+20>.

If you tell me how to make core dump of process (PHP working as the module) - I also will give it.
 [2009-02-07 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 31 13:00:01 2025 UTC