Bug #58952 Module segfaults on readFrame if Frame > STOMP_BUFSIZE
Submitted: 2009-11-16 08:59 UTC Modified: 2009-11-16 09:54 UTC
From: pop3 at flachtaucher dot de Assigned:
Status: Closed Package: stomp (PECL)
PHP Version: 5.3.0 OS: Linux 64-bit
Private report: No CVE-ID: None
 [2009-11-16 08:59 UTC] pop3 at flachtaucher dot de
Description:
------------
If I do readFrame on a packet that is bigger than 4096 bytes (= STOMP_BUFSIZE), the module segfaults.

This is due to invalid handling of this case in stomp_read_buffer and stomp_read_line: the code contains a sizeof() call on a char * variable. sizeof will always return the same value (i.e. 8 bytes on 64-bit systems, since the pointer itself uses 8 bytes).


Expected result:
----------------
Program gets the big frame

Actual result:
--------------
Program segfaults


Here is my patch:

--- trunk/stomp.c.sik   2009-11-16 08:04:08.000000000 +0100
+++ trunk/stomp.c       2009-11-16 14:55:00.000000000 +0100
@@ -277,6 +277,7 @@
 {
     int rc = 0;
     size_t i = 0;
+    size_t bufsize = STOMP_BUFSIZE + 1;
     char *buffer = (char *) emalloc(STOMP_BUFSIZE + 1);

     while (1) {
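Review bot: the new `bufsize` and the `emalloc(STOMP_BUFSIZE + 1)` call on the following line are the same value written twice; allocating with `emalloc(bufsize)` instead keeps the tracked capacity and the real allocation from drifting apart if either literal is edited later.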
@@ -300,8 +301,9 @@
                 break;
             }

-            if (i >= sizeof(buffer)) {
-                buffer = (char *) erealloc(buffer, sizeof(buffer) + STOMP_BUFSIZE);
+            if (i >= bufsize) {
+                buffer = (char *) erealloc(buffer, bufsize + STOMP_BUFSIZE);
+                bufsize += STOMP_BUFSIZE;
             }

         }
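Review bot: `bufsize` grows by a fixed STOMP_BUFSIZE per reallocation and has no upper bound. Two consequences in this hunk: a frame of n bytes costs roughly n/STOMP_BUFSIZE `erealloc` calls, each copying the whole buffer (geometric growth, e.g. `bufsize *= 2`, avoids that), and an oversized or malformed frame from the peer can keep growing the buffer until memory is exhausted. A configurable maximum frame size checked next to `i >= bufsize` would bound both.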
@@ -329,6 +331,7 @@
 {
     int rc = 0;
     size_t i = 0;
+    size_t bufsize = STOMP_BUFSIZE + 1;
     char *buffer = (char *) emalloc(STOMP_BUFSIZE + 1);

     while (1) {
@@ -351,8 +354,9 @@
                 return 0;
             }

-            if (i >= sizeof(buffer)) {
-                buffer = (char *) erealloc(buffer, sizeof(buffer) + STOMP_BUFSIZE);
+            if (i >= bufsize) {
+                buffer = (char *) erealloc(buffer, bufsize + STOMP_BUFSIZE);
+                bufsize += STOMP_BUFSIZE;
             }
         }

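Review bot: this is the same grow logic as in stomp_read_buffer, now maintained in two places; a single static helper (for example `stomp_grow_buffer(&buffer, &bufsize)`, name hypothetical) called from both functions would keep the capacity arithmetic, and any growth strategy or size limit chosen later, in one spot.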

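As an added illustration (not code from the stomp extension or from this report), the buggy sizeof() and the corrected explicit capacity tracking side by side, reading from a constructed in-memory source that stands in for the socket:

```c
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 4096  /* stands in for STOMP_BUFSIZE */

/* Constructed in-memory stand-in for the socket the extension reads. */
struct src { const char *data; size_t len; size_t pos; };

static size_t src_read(struct src *s, char *out, size_t n) {
    size_t left = s->len - s->pos;
    if (n > left) n = left;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* The defect: sizeof on a pointer is the pointer's size, not the allocation's. */
size_t sizeof_pointer_is_constant(void) {
    char *buffer = malloc(BUFSIZE + 1);
    size_t n = sizeof(buffer);   /* 8 on LP64, 4 on ILP32: never BUFSIZE + 1 */
    free(buffer);
    return n;
}

/* Read up to '\n' (or end of input) into a heap buffer whose capacity is
 * tracked explicitly, as the patch does; growth is geometric rather than
 * a fixed increment so a large frame needs few reallocations. */
char *read_line_grow(struct src *s, size_t *out_len) {
    size_t cap = BUFSIZE + 1;   /* bytes currently allocated */
    size_t i = 0;               /* bytes used so far */
    char *buffer = malloc(cap);
    if (!buffer) return NULL;
    for (;;) {
        char c;
        if (src_read(s, &c, 1) != 1 || c == '\n') break;
        if (i + 1 >= cap) {             /* always keep room for the NUL */
            char *nb = realloc(buffer, cap * 2);
            if (!nb) { free(buffer); return NULL; }
            buffer = nb;
            cap *= 2;
        }
        buffer[i++] = c;
    }
    buffer[i] = '\0';
    *out_len = i;
    return buffer;
}
```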
 [2009-11-16 09:54 UTC] pierrick@php.net
Bug fixed in revision 290822.

You can checkout the last version and test it again.

Thanks for reporting this issue and for the patch :)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC