php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63581 Possible null dereference and buffer overflow
Submitted: 2012-11-22 13:43 UTC Modified: 2012-11-28 09:16 UTC
From: remi@php.net Assigned: remi (profile)
Status: Closed Package: FPM related
PHP Version: 5.4.8 OS: GNU/Linux (Fedora 18)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: remi@php.net
New email:
PHP Version: OS:

 

 [2012-11-22 13:43 UTC] remi@php.net
Description:
------------
1. possible null dereference

   => fpm/fpm/fpm_events.c|435|

I'm not familiar with the code, but it seems to be possible NULL dereference.  Please, consider the situation (on line 425) when the 'q' item is the latest one on the list --  q->next does not exist (== NULL). Next, if the 'q' is also fpm_event_queue_timer (I'm not sure if this may occur?), program will crash on NULL dereference.


2. Same situation -> null dereference

   => fpm/fpm/fpm_events.c|191|

Consider the queue length of 1.  Than the condition (q == *queue) (line 189) must be true ~~> *queue = q->next (this is NULL) ~~> NULL->prev = NULL

Again, I'm not sure if there may exist queue of single item.


3. off-by-one(two) (low prio)

   => fpm/fpm/fpm_log.c|459|

The 'len' may be up to 1025 on this line.  On line 149, consider 'len' to be equal to 1024 - program then continues down to line 453 where the 'len' is incremented.

The problem could only occurs if, after increment (ligne 453), loop is
not entered again. So when produced buffer is "exactly" 1024" or "1025".


Test script:
---------------
This issues where found from by static code analysis tool and, so, I can't provide any reproducer.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-11-22 13:47 UTC] remi@php.net
I have forget, affected branches: 5.3, 5.4 and 5.5
 [2012-11-23 01:47 UTC] aharvey@php.net
-Assigned To: +Assigned To: fat
 [2012-11-23 01:47 UTC] aharvey@php.net
Jérôme, are you able to have a look at this, please?
 [2012-11-28 09:16 UTC] remi@php.net
-Assigned To: fat +Assigned To: remi
 [2012-11-28 09:30 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f08060a48fadf079e860be73584ac87747dc59d6
Log: Fixed Bug #63581 Possible null dereference
 [2012-11-28 09:30 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2012-11-28 09:36 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bc492007da8c8614545a32560c445ab4e02baed0
Log: Fixed Bug #63581 Possible buffer overflow
 [2012-11-28 09:37 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bc492007da8c8614545a32560c445ab4e02baed0
Log: Fixed Bug #63581 Possible buffer overflow
 [2012-11-28 09:37 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f08060a48fadf079e860be73584ac87747dc59d6
Log: Fixed Bug #63581 Possible null dereference
 [2012-11-28 09:38 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bc492007da8c8614545a32560c445ab4e02baed0
Log: Fixed Bug #63581 Possible buffer overflow
 [2012-11-28 09:38 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f08060a48fadf079e860be73584ac87747dc59d6
Log: Fixed Bug #63581 Possible null dereference
 [2012-11-28 09:39 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bc492007da8c8614545a32560c445ab4e02baed0
Log: Fixed Bug #63581 Possible buffer overflow
 [2012-11-28 09:39 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f08060a48fadf079e860be73584ac87747dc59d6
Log: Fixed Bug #63581 Possible null dereference
 [2012-12-19 17:55 UTC] derick@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bc492007da8c8614545a32560c445ab4e02baed0
Log: Fixed Bug #63581 Possible buffer overflow
 [2012-12-19 17:55 UTC] derick@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f08060a48fadf079e860be73584ac87747dc59d6
Log: Fixed Bug #63581 Possible null dereference
 [2014-10-07 23:21 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=bc492007da8c8614545a32560c445ab4e02baed0
Log: Fixed Bug #63581 Possible buffer overflow
 [2014-10-07 23:21 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=f08060a48fadf079e860be73584ac87747dc59d6
Log: Fixed Bug #63581 Possible null dereference
 [2014-10-07 23:32 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=bc492007da8c8614545a32560c445ab4e02baed0
Log: Fixed Bug #63581 Possible buffer overflow
 [2014-10-07 23:32 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=f08060a48fadf079e860be73584ac87747dc59d6
Log: Fixed Bug #63581 Possible null dereference
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 20:01:28 2024 UTC