Bug #61162 Passing and using tainted data in specific way crashes
Submitted: 2012-02-20 16:02 UTC Modified: 2012-02-22 14:37 UTC
From: mathieuk at gmail dot com Assigned:
Status: Duplicate Package: taint (PECL)
PHP Version: 5.3.6 OS: OS X
Private report: No CVE-ID: None
 [2012-02-20 16:02 UTC] mathieuk at gmail dot com
Description:
------------
Was running into some whitescreens with the taint module on. Turns out I was appending to a variable that didn't exist yet in a function. This crashes PHP from the taint module.



Reproduce code:
---------------
<?php

function test($test)
{
    $data .= $test; // $data doesn't exist yet: appends to an undefined local
}

test($_GET['test']); // tainted request input reaches the concat handler

?>

Expected result:
----------------
Proper execution of code, with an E_NOTICE error message reported.


Actual result:
--------------
crash.


Program received signal EXC_BAD_ACCESS, Could not access 
memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000004
0x00000001011e5afc in zend_hash_quick_find ()
(gdb) bt
#0  0x00000001011e5afc in zend_hash_quick_find ()
#1  0x0000000101e96990 in php_taint_assign_concat_handler ()
#2  0x00000001011fca8d in ZEND_USER_OPCODE_SPEC_HANDLER ()
#3  0x00000001011fdaeb in execute ()
#4  0x00000001011d8ffb in zend_execute_scripts ()
#5  0x0000000101181732 in php_execute_script ()
#6  0x0000000101268dbc in php_handler ()
#7  0x000000010000127b in ap_run_handler ()
#8  0x000000010000311d in ap_invoke_handler ()
#9  0x0000000100024c18 in ap_process_request ()
#10 0x00000001000217c8 in ap_process_http_connection ()
#11 0x000000010000e9bb in ap_run_process_connection ()
#12 0x00000001000294cd in child_main ()
#13 0x00000001000296ff in make_child ()
#14 0x000000010002a389 in ap_mpm_run ()
#15 0x0000000100007c18 in main ()
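The report above shows the crash path: `.=` on a local that has never been assigned, with the taint extension's concat handler active. The following is an added example, not code from the reporter or from the taint project, showing the same concatenation with the accumulator initialised before use, so the undefined-variable path is never taken. It assumes the PECL taint extension exposes `taint()` and `is_tainted()` (it does in laruence's PECL taint, but both calls are guarded so the script also runs without the extension), and the `$input` value is a constructed stand-in for `$_GET['test']`.

```php
<?php
// Added example (not from bug #61162 or the taint extension itself).
// Written for PHP 5.3-era syntax: no scalar type hints.

function append_safe($test)
{
    // Explicit initialisation: no E_NOTICE for an undefined variable, and
    // the taint concat handler sees a real zval instead of a missing one.
    $data = '';
    $data .= $test;
    return $data;
}

// Constructed sample input standing in for $_GET['test'].
$input = 'user-supplied';

// Assumed PECL taint API: taint() marks a string as tainted, the way
// request data is marked when the extension is loaded.
if (function_exists('taint')) {
    taint($input);
}

$result = append_safe($input);

// Assumed PECL taint API: is_tainted() reports whether taint propagated
// through the concatenation, which is what a defender wants to verify.
if (function_exists('is_tainted')) {
    var_dump(is_tainted($result));
} else {
    echo "taint extension not loaded; result: {$result}\n";
}
```

Initialising the accumulator is the workaround until the extension's handler copes with an undefined left operand; it also removes the E_NOTICE the reporter expected to see, so the script is clean under both configurations.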


History
 [2012-02-22 14:37 UTC] laruence@php.net
-Status: Open +Status: Duplicate
 [2012-02-22 14:37 UTC] laruence@php.net
dup to #61163