php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66481 Calls to session_name() segfault when session.name is null.
Submitted: 2014-01-13 23:52 UTC Modified: -
From: cmcdermottroe at engineyard dot com Assigned:
Status: Closed Package: Session related
PHP Version: master-Git-2014-01-13 (Git) OS: Ubuntu 12.04 LTS
Private report: No CVE-ID:
 [2014-01-13 23:52 UTC] cmcdermottroe at engineyard dot com
Description:
------------
I first noticed this bug when using the PHP 5.4 and 5.5 packages in Ondřej Surý's PPAs (https://launchpad.net/~ondrej/+archive/php5 and https://launchpad.net/~ondrej/+archive/php5-oldstable) but I've been able to replicate them from a git checkout.

Reproduction steps from packages:

$ php -d session.name= -r 'session_name("foo");'
Segmentation fault (core dumped)

Reproduction steps from git:

$ git clone https://github.com/php/php-src.git
$ cd php-src
$ ./buildconf
$ ./configure
$ make
$ ./sapi/cli/php -d session.name= -r 'session_name("foo");'
Segmentation fault (core dumped)

Test script:
---------------
<?php

/* This will segfault if session.name is configured to be blank. */
session_name("foo");

?>

Expected result:
----------------
No segmentation faults. (I would expect that if the prior value of session.name is null then session_name("something") would return null)

Actual result:
--------------
#0  0x00007f88e81a4b91 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00000000005888cf in zif_session_name (ht=<optimized out>, return_value=0x7f88e9158440, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/vagrant/php-src/ext/session/session.c:1687
#2  0x0000000000733cf1 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f88e91260a8) at /home/vagrant/php-src/Zend/zend_vm_execute.h:554
#3  0x00000000006fd6e8 in execute_ex (execute_data=0x7f88e91260a8) at /home/vagrant/php-src/Zend/zend_vm_execute.h:363
#4  0x0000000000688eb2 in zend_eval_stringl (str=<optimized out>, str_len=<optimized out>, retval_ptr=0x0, string_name=0xa7ed60 "Command line code") at /home/vagrant/php-src/Zend/zend_execute_API.c:1200
#5  0x0000000000688f99 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>, string_name=<optimized out>, handle_exceptions=1) at /home/vagrant/php-src/Zend/zend_execute_API.c:1247
#6  0x0000000000736c62 in do_cli (argc=5, argv=0x23fd890) at /home/vagrant/php-src/sapi/cli/php_cli.c:1034
#7  0x00000000004273c7 in main (argc=5, argv=0x23fd890) at /home/vagrant/php-src/sapi/cli/php_cli.c:1378

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-01-16 06:42 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b777248ded69289b84d645ba2f36dbc207c77ff7
Log: Re-fixed Bug #66481 (Calls to session_name() segfault when session.name is null)
 [2014-01-16 06:42 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2014-01-16 12:39 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b777248ded69289b84d645ba2f36dbc207c77ff7
Log: Re-fixed Bug #66481 (Calls to session_name() segfault when session.name is null)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 18:01:55 2014 UTC