Bug #67231 geoip_record_by_name and geoip_region_by_name may segfault with libGeoIP 1.5.0+
Submitted: 2014-05-08 03:41 UTC Modified: 2014-11-20 20:58 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:1 (33.3%)
From: anthon at piwik dot org Assigned:
Status: Duplicate Package: geoip (PECL)
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2014-05-08 03:41 UTC] anthon at piwik dot org
Description:
------------
In libGeoIP 1.5.0, the GeoIP_open_type() function checks the database type matches.

https://github.com/maxmind/geoip-api-c/commit/ae949673a7f3c96cf754880ef4e61ec312b3fb71

As a result, the function can now return NULL.

Since GEOIP_CITY_EDITION_REV0 and GEOIP_CITY_EDITION_REV1 both use the same filenames (similarly for the region database types), GeoIP_db_avail() may be lying (as it only checks to see if the file exists; it doesn't open the database to see if the type matches).


Test script:
---------------
Installing a rev 0 city database, and then calling geoip_record_by_name(''); will cause a Segmentation fault.
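The failure mode the report describes, as an added example that is not the PECL geoip extension's code and not libGeoIP's: a self-contained C model of the two library calls involved and of the check the extension should make. In the model, `model_db_avail()` only tests that the file exists and `model_open_type()` returns NULL when the file on disk stores a different edition than the one requested, which is the libGeoIP 1.5.0+ behaviour the report points at. `unsafe_city_edition()` shows the "available, therefore safe to use" pattern that dereferences the NULL handle; `open_city_db_checked()` and `safe_city_edition()` show the hardened version that treats availability as a hint and the open result as authoritative. The `model_*` functions, the in-memory `installed` table and the helper names are assumptions for the demo, not the library's API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Edition identifiers, numbered as in libGeoIP's GeoIPDBTypes enum. */
enum { GEOIP_CITY_EDITION_REV1 = 2, GEOIP_CITY_EDITION_REV0 = 6 };

/* One installed database file as the model sees it. */
struct model_file {
    const char *name;  /* filename on disk */
    int edition;       /* edition actually stored in the file */
};

/* Constructed "filesystem" for the demo: only a REV0 city database. */
static const struct model_file installed[] = {
    { "GeoIPCity.dat", GEOIP_CITY_EDITION_REV0 },
};

/* Locate the file that would be opened for an edition.  Both city editions
 * map to GeoIPCity.dat, so existence says nothing about the edition. */
static const struct model_file *find_file(int edition)
{
    const char *name = NULL;
    size_t i;
    if (edition == GEOIP_CITY_EDITION_REV0 || edition == GEOIP_CITY_EDITION_REV1)
        name = "GeoIPCity.dat";
    for (i = 0; name != NULL && i < sizeof installed / sizeof installed[0]; i++)
        if (strcmp(installed[i].name, name) == 0)
            return &installed[i];
    return NULL;
}

/* Models GeoIP_db_avail(): 1 iff the file exists; the edition is not checked. */
int model_db_avail(int edition)
{
    return find_file(edition) != NULL;
}

/* Models GeoIP_open_type() from libGeoIP 1.5.0 on: NULL when the file is
 * missing or stores a different edition than the one requested. */
const struct model_file *model_open_type(int edition)
{
    const struct model_file *f = find_file(edition);
    return (f != NULL && f->edition == edition) ? f : NULL;
}

/* The pattern the report describes: trust db_avail(), then use the handle
 * with no NULL check.  With only a REV0 file installed, db_avail(REV1) is
 * true but open_type(REV1) is NULL, and the dereference is the segfault.
 * Deliberately not called from main(). */
int unsafe_city_edition(void)
{
    const struct model_file *gi = NULL;
    if (model_db_avail(GEOIP_CITY_EDITION_REV1))
        gi = model_open_type(GEOIP_CITY_EDITION_REV1);
    else if (model_db_avail(GEOIP_CITY_EDITION_REV0))
        gi = model_open_type(GEOIP_CITY_EDITION_REV0);
    return gi->edition;  /* NULL dereference in the mismatch case */
}

/* Hardened pattern: availability is only a hint, the open result decides.
 * Try the newer edition first and fall through on NULL instead of crashing. */
const struct model_file *open_city_db_checked(void)
{
    const int editions[] = { GEOIP_CITY_EDITION_REV1, GEOIP_CITY_EDITION_REV0 };
    size_t i;
    for (i = 0; i < sizeof editions / sizeof editions[0]; i++) {
        const struct model_file *gi;
        if (!model_db_avail(editions[i]))
            continue;
        gi = model_open_type(editions[i]);
        if (gi != NULL)
            return gi;  /* file exists and really is this edition */
    }
    return NULL;  /* caller must treat this as an error, not a handle */
}

/* What the PHP-facing wrapper should do with NULL: return an error value
 * (-1 here) so it can raise a warning and return false instead of crashing. */
int safe_city_edition(void)
{
    const struct model_file *gi = open_city_db_checked();
    return gi != NULL ? gi->edition : -1;
}

int main(void)
{
    printf("db_avail(REV1)=%d open_type(REV1)=%s\n",
           model_db_avail(GEOIP_CITY_EDITION_REV1),
           model_open_type(GEOIP_CITY_EDITION_REV1) ? "handle" : "NULL");
    printf("checked open -> edition %d\n", safe_city_edition());
    return 0;
}
```

Against the real library the same shape applies: every `GeoIP_open_type()` result must be NULL-checked before it is handed to `GeoIP_record_by_name()` or `GeoIP_region_by_name()`, and a true `GeoIP_db_avail()` must not be taken as proof that the open will succeed, because the rev 0 and rev 1 city (and region) editions live under the same filename.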



Patches

geoip.patch (last revision 2014-05-08 03:46 UTC by anthon at piwik dot org)



History

 [2014-11-20 20:58 UTC] ohill@php.net
-Status: Open +Status: Duplicate
 [2014-11-20 20:58 UTC] ohill@php.net
Dups #68277
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Nov 27 09:03:13 2021 UTC