Bug #49372 Segfault in function php_curl_option_url
Submitted: 2009-08-26 13:30 UTC Modified: 2009-08-26 22:24 UTC
From: sergk at sergk dot org dot ua Assigned: pajoye
Status: Closed Package: cURL related
PHP Version: 5.2.10 OS: Debian GNU/Linux, kernel 2.6.30
Private report: No CVE-ID:
 [2009-08-26 13:30 UTC] sergk at sergk dot org dot ua
Description:
------------
There is a segfault in strncasecmp, called from this code:
curl/interface.c:186:

if (!strncasecmp("file", uri->scheme, sizeof("file"))) {   
...

when the URI has no protocol part, hence uri->scheme is NULL.
As in this example backtrace:
#0  0xb7e20a8b in strncasecmp () from /lib/i686/cmov/libc.so.6
#1  0xb777dd11 in php_curl_option_url (ch=0x856be00, 
    url=0x856e360 "show.setlinks.ru/?host=SCREENEDHOSTNAME&k=WINDOWS-1251&p=b44eff595164745dee4a6a655a57a425", 
    len=<value optimized out>) at /opt/src/build/apache-1-dweb/dbuild/003d/php-5.2.10/ext/curl/interface.c:187

This bug is also present in the last 5.2.x development snapshot.



 [2009-08-26 13:35 UTC] sergk at sergk dot org dot ua
This patch will fix the bug:

--- php-5.2.10.orig/ext/curl/interface.c        2009-06-15 12:38:11.000000000 +0000
+++ php-5.2.10/ext/curl/interface.c     2009-08-26 11:22:15.000000000 +0000
@@ -183,10 +183,12 @@
                        return 0;
                }
 
-               if (!strncasecmp("file", uri->scheme, sizeof("file"))) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol 'file' disabled in cURL");
-                       php_url_free(uri);
-                       return 0;
+               if (uri->scheme != NULL) {
+                       if (!strncasecmp("file", uri->scheme, sizeof("file")-1)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol 'file' disabled in cURL");
+                               php_url_free(uri);
+                               return 0;
+                       }
                }
                php_url_free(uri);
 #endif
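Review bot: the added strncasecmp line changes the length argument from sizeof("file") to sizeof("file")-1, which is unrelated to the NULL fix and loosens the check. With sizeof("file") (5) the terminating NUL is compared, so only a scheme that is exactly "file" matches; with 4, any scheme that merely begins with "file" is rejected as well. Keep the original length unless prefix matching is intended, and state that in the patch description if it is. The nested if can also be folded into one condition, uri->scheme != NULL && !strncasecmp(...), which keeps the change to a single line and avoids re-indenting the body.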
 [2009-08-26 14:11 UTC] pajoye@php.net
Thanks for the patch.
Do you have a small piece of code to test it? I could quickly use it as a phpt.
 [2009-08-26 17:13 UTC] sergk at sergk dot org dot ua
Yes, this one triggers the segfault, but only in mod_php mode:

<?PHP
  $curl = curl_init("www.php.net/manual/en/function.curl-init.php");
  curl_exec($curl);
  curl_close($curl);
?>
 [2009-08-26 18:18 UTC] pajoye@php.net
Thanks for the script.

An easy fix would be to update the Curl library to a more recent version (recommended).

I will apply the fix shortly (need to fetch an old curl first).
 [2009-08-26 20:21 UTC] jani@php.net
Please don't apply that patch, you can do it with a single line change too:
if (uri->scheme && !strncasecmp("file", uri->scheme, sizeof("file")))
rather than having several lines changed for nothing.
 [2009-08-26 20:26 UTC] pajoye@php.net
I said the fix, not the patch :)
 [2009-08-26 22:24 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=287784
Log: - fix #49372, segfault in php_curl_option_url
 [2009-08-26 22:24 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
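
The NULL-scheme case from the report and the guarded comparison suggested in the thread, as an added example that is not PHP's own code. split_scheme is a hypothetical stand-in for the URL parser, and every URL except the reproducer's is constructed; the two functions also show that sizeof("file") gives an exact match while sizeof("file")-1 gives a prefix match.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for the URL parser: returns the scheme copied
 * into buf, or NULL when the URL has no "scheme:" part. */
static const char *split_scheme(const char *url, char *buf, size_t buflen)
{
    size_t n = strcspn(url, ":/?#");   /* the first delimiter decides */
    if (n == 0 || url[n] != ':' || n >= buflen)
        return NULL;
    memcpy(buf, url, n);
    buf[n] = '\0';
    return buf;
}

/* n = sizeof("file") = 5: the NUL is compared, so only "file" matches. */
int url_blocked_exact(const char *url)
{
    char buf[16];
    const char *scheme = split_scheme(url, buf, sizeof buf);
    return scheme != NULL && !strncasecmp("file", scheme, sizeof("file"));
}

/* n = sizeof("file") - 1 = 4: any scheme starting with "file" matches. */
int url_blocked_prefix(const char *url)
{
    char buf[16];
    const char *scheme = split_scheme(url, buf, sizeof buf);
    return scheme != NULL && !strncasecmp("file", scheme, sizeof("file") - 1);
}

int main(void)
{
    /* First URL is the reproducer from the thread; the rest are constructed. */
    const char *urls[] = {
        "www.php.net/manual/en/function.curl-init.php",
        "FILE:///tmp/example.txt",
        "files://example.invalid/",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-46s exact=%d prefix=%d\n", urls[i],
               url_blocked_exact(urls[i]), url_blocked_prefix(urls[i]));
    return 0;
}
```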


 
Last updated: Mon Apr 21 00:02:04 2014 UTC