Bug #61584 when using readline_info to set line_buffer, it causes memory corruption
Submitted: 2012-03-31 19:08 UTC Modified: 2021-03-04 11:43 UTC
From: osama dot sorour at eformations dot net Assigned:
Status: Open Package: Readline related
PHP Version: 5.4.0 OS: Linux
Private report: No CVE-ID: None
 [2012-03-31 19:08 UTC] osama dot sorour at eformations dot net
Description:
------------
Using the function readline_info to set the property "line_buffer" performs a 
direct setting of readline rl_line_buffer. It works for short lived scripts but 
for longer ones, they start to crash randomly with sig violations.
The proper way for libreadline is to use rl_replace_line to set the line buffer.

In addition, readline_info does not allow you to set "point" and "end" properties 
that are needed when changing line_buffer.

I've included a patch that fixes the setting of "line_buffer" and adds the 
ability to set both "point" and "end" properties.

Test script:
---------------
None. Random crashes.

Expected result:
----------------
None.


Actual result:
--------------
None.

Patches

line_buffer-fix-end-point-set (last revision 2012-03-31 19:57 UTC by osama dot sorour at eformations dot net)

Pull Requests

History

 [2012-05-20 23:32 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2012-05-20 23:32 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2012-05-22 14:23 UTC] osama dot sorour at eformations dot net
-Status: Feedback +Status: Open
 [2012-05-22 14:23 UTC] osama dot sorour at eformations dot net
It is almost impossible to make it happen on purpose. It happened in my code, 
which was thousands of lines long with about 30 classes. In addition, when it 
used to happen, it used to happen randomly at different locations.

Please note that regardless of reproduction, the method used in the current code 
to set the readline buffer is wrong. Please refer to the patch and readline 
documentation:

Variable: char * rl_line_buffer
This is the line gathered so far. You are welcome to modify the contents of the 
line, but see 2.4.5 Allowing Undoing. The function rl_extend_line_buffer is 
available to increase the memory allocated to rl_line_buffer.

which clearly indicates that you are only allowed to change it, not replace the 
buffer pointer as it is done in the current code.

From the readline documentation, here is the correct way of completely replacing 
the buffer:

Function: void rl_replace_line (const char *text, int clear_undo)
Replace the contents of rl_line_buffer with text. The point and mark are 
preserved, if possible. If clear_undo is non-zero, the undo list associated with 
the current line is cleared.
 [2021-03-04 11:43 UTC] cmb@php.net
According to the official documentation[1] of readline, this is
indeed an API misuse on our behalf (but these docs *might* just be
misleading).  However, I found some older docs which do not even
mention rl_extend_line_buffer(), so we may need to conditionally
use that function (assuming those old versions are still
relevant).  Also we would need to check whether
rl_extend_line_buffer() is supported by editline (which often
serves as replacement for readline).  It is apparently not
supported by windeditline which is used for Windows builds, and
I'm not sure whether changing rl_line_buffer there is supported,
or if there is an alternative mechanism.

So the attached patch would need to be revised.

[1] <https://tiswww.cwru.edu/php/chet/readline/readline.html#SEC28>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC