php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63700 Buffer overrun in mysqlnd_reverse_api_register_api
Submitted: 2012-12-05 20:01 UTC Modified: 2017-04-20 11:31 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: slangley at google dot com Assigned: mysql (profile)
Status: Not a bug Package: MySQL related
PHP Version: 5.4.9 OS: N/A
Private report: No CVE-ID: None
 [2012-12-05 20:01 UTC] slangley at google dot com
Description:
------------
Address sanitizer detected a buffer over run.

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff149259af at pc 
0x7f3cfb7b1840 bp 0x7fff149258d0 sp 0x7fff149258c8
READ of size 1 at 0x7fff149259af thread T0
    #0 0x7f3cfb7b183f php/v5_4_8/Zend/zend_hash.c:261 _zend_hash_add_or_update
    #1 0x7f3cfba67ea1 php/v5_4_8/ext/mysqlnd/mysqlnd_reverse_api.c:63 
mysqlnd_reverse_api_register_api
    #2 0x7f3cfbb64bd3 php/v5_4_8/ext/pdo_mysql/pdo_mysql.c:123 
zm_startup_pdo_mysql
    #3 0x7f3cfb55af8d php/v5_4_8/Zend/zend_API.c:1661 zend_startup_module_ex
    #4 0x7f3cfb7b5041 php/v5_4_8/Zend/zend_hash.c:716 zend_hash_apply
    #5 0x7f3cfb55ba8e php/v5_4_8/Zend/zend_API.c:1788 zend_startup_modules
    #6 0x7f3cfbf3b447 php/v5_4_8/main/main.c:2205 php_module_startup

Here's the patch to fix it

--- v5_4_8/ext/mysqlnd/mysqlnd_reverse_api.c.orig	2012-12-05 
11:50:33.000000000 -0800
+++ v5_4_8/ext/mysqlnd/mysqlnd_reverse_api.c	2012-12-05 11:50:52.000000000 
-0800
@@ -61,7 +61,7 @@
 mysqlnd_reverse_api_register_api(MYSQLND_REVERSE_API * apiext TSRMLS_DC)
 {
 	zend_hash_add(&mysqlnd_api_ext_ht, apiext->module->name, strlen(apiext-
>module->name) + 1, &apiext,
-				  sizeof(MYSQLND_REVERSE_API), NULL);
+				  sizeof(void*), NULL);
 }
 /* }}} */
 



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-12-05 22:52 UTC] johannes@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mysql
 [2017-04-20 11:18 UTC] fjanisze@php.net
-Status: Assigned +Status: Not a bug
 [2017-04-20 11:18 UTC] fjanisze@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.


 [2017-04-20 11:31 UTC] andrey@php.net
Through source code inspection:
5.5 is affected
5.6 is fixed
7.0/7.1 uses different code.
PHP 5.5 is past end of life support, which ended Jul, 21st 2016
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 23:01:26 2024 UTC