PHP :: Bug #58871 :: Segmentation Fault on OAuth::fetch() using GET

Bug #58871	Segmentation Fault on OAuth::fetch() using GET
Submitted:	2009-10-02 06:45 UTC	Modified:	2009-10-04 15:20 UTC
From:	shiplu dot net at gmail dot com	Assigned:	jawed (profile)
Status:	Closed	Package:	oauth (PECL)
PHP Version:	5.2.6	OS:	Ubuntu 8.10
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2009-10-02 06:45 UTC] shiplu dot net at gmail dot com

Description:
------------
In my application I call OAuth::fetch() several times. some of them never causes segfault. And some them _always_ causes segfault. I am running php from cli. Here is a usefull gdb backtrace

#0  0xb79452fb in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0xb71ad45c in oauth_url_encode (url=0xffffffff <Address 0xffffffff out of bounds>) at /tmp/pear/temp/oauth/oauth.c:397
#2  0xb71ae25c in oauth_http_build_query (s=0xbfc421b4, args=0x874c320, prepend_amp=0 '\0', filter=0) at /tmp/pear/temp/oauth/oauth.c:432
#3  0xb71b2a1d in oauth_fetch (soo=0x874ab90, url=0x874c404 "http://twitter.com/followers/ids.json", method=0x8712558 "GET", request_params=0x874c398, request_headers=0x0,
    init_oauth_args=0x0, fetch_flags=1) at /tmp/pear/temp/oauth/oauth.c:1060
#4  0xb71b3784 in zim_oauth_fetch (ht=3, return_value=0x874c484, return_value_ptr=0x0, this_ptr=0x870eeb0, return_value_used=0) at /tmp/pear/temp/oauth/oauth.c:1777
#5  0x082fb8d1 in execute_internal ()

I think "<Address 0xffffffff out of bounds>" is causing the problem.

Reproduce code:
---------------
<?php
$oauth = new OAuth('8X5OMIyjnqmGiWmiGPw4Jg','Jy8S6TT1JXtS6mUBlOg0b0I6SOoya7mXfm5ADBGTw',OAUTH_SIG_METHOD_HMACSHA1,OAUTH_AUTH_TYPE_AUTHORIZATION);
$oauth->setToken('39469703-nqrXqjB7Vz1CE3dzd9PKqYiCzLozBS5otvsp63g1U','osIx9jLlcouXSZxnX4vo0OvNsNZR07vJDH0VC6Bqg');
$oauth->enableDebug();
$params['cursor'] = -1;
$data = $oauth->fetch("http://twitter.com/followers/ids.json",$params,OAUTH_HTTP_METHOD_GET); // this call causes segmentation fault 
$json = json_decode($data);
var_dump($json);
?>

Expected result:
----------------
No segfault. 
It will just return the protected resource to $data variable.

Actual result:
--------------
A segmentation fault. PHP dies.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-10-04 15:20 UTC] jawed@php.net

This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

One can cast $params['cursor'] to a string for a workaround in 
older versions:

$params['cursor'] = (string)-1;

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Sun May 28 13:03:46 2023 UTC