php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58720 canary mismatch on erealloc()
Submitted: 2009-06-11 21:05 UTC Modified: 2009-06-12 09:41 UTC
From: matt dot parlane at gmail dot com Assigned:
Status: Closed Package: mongo (PECL)
PHP Version: 5.2.6 OS: Linux (Ubuntu Jaunty)
Private report: No CVE-ID: None
 [2009-06-11 21:05 UTC] matt dot parlane at gmail dot com
Description:
------------
Driver version: git commit id 9668027

PHP version: 5.2.6-3ubuntu4.1 (comes with Ubuntu Jaunty).

Problem: running the script below produces the following 
error:

ALERT - canary mismatch on erealloc() - heap overflow 
detected (attacker 'REMOTE_ADDR not set', file 
'/home/matt/wg/wg.static/scripts/test2.php', line 14)

The script grabs a file from my site, but feel free to look 
at it in your browser if you don't trust it.

I have been migrating a bunch of data from MySQL to Mongo, 
and there was something in particular about this record.  I 
have done a mb_detect_encoding() on it and it says "ASCII" - 
a hexdump also confirms this.  I have migrated over 3 
million records and this is the only one that has a problem.

I haven't managed to compile my own version of PHP so I 
can't use --enable-debug - If you can't reproduce this, let 
me know and I'll give it another shot.

Cheers!


Reproduce code:
---------------
<?php
$connection = new Mongo();

$db = $connection->selectDB('webgenius');

$tbColl = $db->selectCollection('Text_Block');

$text = file_get_contents('http://webgenius.co.nz/mongo-bug.txt');

$arr = array(
	'text' => $text,
);

$tbColl->insert($arr);
?>


Expected result:
----------------
The array should be inserted into the mongo database.


Actual result:
--------------
canary mismatch on erealloc() - heap overflow detected 
(attacker 'REMOTE_ADDR not set', file 
'/home/matt/wg/wg.static/scripts/test2.php', line 14)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-06-12 09:41 UTC] kristina at 10gen dot com
You can download the fixed version at http://github.com/mongodb/mongo-php-driver/tree/master.  Hopefully I will be releasing a new version in a day or two, but in the meantime you can use the master.

I had a bug where, if the input was x characters longer than the allocated space, I'd double the size of the allocated space, from 4048 to 8096 bytes.  Which doesn't work when the string is longer than 8096 bytes!

That was the best bug report I've ever gotten, thank you!
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Apr 10 21:01:26 2021 UTC