php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #58871 Segmentation Fault on OAuth::fetch() using GET
Submitted: 2009-10-02 06:45 UTC Modified: 2009-10-04 15:20 UTC
From: shiplu dot net at gmail dot com Assigned: jawed (profile)
Status: Closed Package: oauth (PECL)
PHP Version: 5.2.6 OS: Ubuntu 8.10
Private report: No CVE-ID: None
 [2009-10-02 06:45 UTC] shiplu dot net at gmail dot com
Description:
------------
In my application I call OAuth::fetch() several times. some of them never causes segfault. And some them _always_ causes segfault. I am running php from cli. Here is a usefull gdb backtrace

#0  0xb79452fb in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0xb71ad45c in oauth_url_encode (url=0xffffffff <Address 0xffffffff out of bounds>) at /tmp/pear/temp/oauth/oauth.c:397
#2  0xb71ae25c in oauth_http_build_query (s=0xbfc421b4, args=0x874c320, prepend_amp=0 '\0', filter=0) at /tmp/pear/temp/oauth/oauth.c:432
#3  0xb71b2a1d in oauth_fetch (soo=0x874ab90, url=0x874c404 "http://twitter.com/followers/ids.json", method=0x8712558 "GET", request_params=0x874c398, request_headers=0x0,
    init_oauth_args=0x0, fetch_flags=1) at /tmp/pear/temp/oauth/oauth.c:1060
#4  0xb71b3784 in zim_oauth_fetch (ht=3, return_value=0x874c484, return_value_ptr=0x0, this_ptr=0x870eeb0, return_value_used=0) at /tmp/pear/temp/oauth/oauth.c:1777
#5  0x082fb8d1 in execute_internal ()

I think "<Address 0xffffffff out of bounds>" is causing the problem.

Reproduce code:
---------------
<?php
$oauth = new OAuth('8X5OMIyjnqmGiWmiGPw4Jg','Jy8S6TT1JXtS6mUBlOg0b0I6SOoya7mXfm5ADBGTw',OAUTH_SIG_METHOD_HMACSHA1,OAUTH_AUTH_TYPE_AUTHORIZATION);
$oauth->setToken('39469703-nqrXqjB7Vz1CE3dzd9PKqYiCzLozBS5otvsp63g1U','osIx9jLlcouXSZxnX4vo0OvNsNZR07vJDH0VC6Bqg');
$oauth->enableDebug();
$params['cursor'] = -1;
$data = $oauth->fetch("http://twitter.com/followers/ids.json",$params,OAUTH_HTTP_METHOD_GET); // this call causes segmentation fault 
$json = json_decode($data);
var_dump($json);
?>

Expected result:
----------------
No segfault. 
It will just return the protected resource to $data variable.

Actual result:
--------------
A segmentation fault. PHP dies.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-04 15:20 UTC] jawed@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

One can cast $params['cursor'] to a string for a workaround in 
older versions:

$params['cursor'] = (string)-1;
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 17 08:03:36 2021 UTC