Bug #68289 wrong strlcpy call
Submitted: 2014-10-23 07:00 UTC Modified: 2014-10-28 08:22 UTC
From: otto at drijf dot net Assigned: alan_k (profile)
Status: Closed Package: dbase (PECL)
PHP Version: 5.6.2 OS: OpenBSD
Private report: No CVE-ID: None
 [2014-10-23 07:00 UTC] otto at drijf dot net
Description:
------------
dbf_rec.c uses strlcpy to copy the contents of a record field. These fields are not NUL-terminated in memory. strlcpy only works correctly if the src string *IS NUL-terminated*. While strlcpy reads the buffer to find the ending NUL, it runs out of the buffer in some cases. If the memory beyond the buffer is not mapped, a segfault occurs.

The original code used strncpy + assignment, which is correct.

Test script:
---------------
Run dbase extension using OpenBSD. Due to the nature of OpenBSD malloc, it is unforgiving and catches the read beyond the buffer. Likely a tool like valgrind will catch this as well on other platforms.

Expected result:
----------------
No segfaults.

Actual result:
--------------
Segfault in get_field_val() call of strlcpy.
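The following is an added illustration of the failure mode the report describes; it is not code from the dbase extension or from the reporter's patch. It builds a constructed dBase-style record whose fixed-width fields sit back to back with no NUL terminators, then contrasts the safe extraction (strncpy bounded by the field width plus an explicit terminator, as the report says the original code did) with the strlcpy approach. The helper `strlcpy_like` is an assumption standing in for libc's strlcpy: it reproduces the relevant semantics (copy up to dstsize-1 bytes, but keep scanning src for a NUL in order to return strlen(src)) with an added `limit` so the demo itself cannot read out of bounds; the real strlcpy has no such limit, which is exactly why it can walk off the end of a mapping.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample record: two fixed-width fields, space padded,
 * stored contiguously with no NUL terminator anywhere in the record
 * (the layout the bug report describes for dbf_rec.c). */
#define NAME_LEN 10
#define CITY_LEN 8
static const char record[NAME_LEN + CITY_LEN] = {
    'A', 'l', 'i', 'c', 'e', ' ', ' ', ' ', ' ', ' ',
    'U', 't', 'r', 'e', 'c', 'h', 't', ' '
};

/* Assumption: a model of strlcpy's semantics, not the libc function.
 * It copies at most dstsize-1 bytes, always terminates dst, and keeps
 * scanning src until it finds a NUL so it can report strlen(src).
 * `limit` bounds the scan only so this demo is memory safe; the real
 * strlcpy keeps reading until it hits a NUL or unmapped memory.
 * *scanned receives the number of src bytes examined. */
static size_t strlcpy_like(char *dst, const char *src, size_t dstsize,
                           size_t limit, size_t *scanned)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0') {
        if (n + 1 < dstsize)
            dst[n] = src[n];
        n++;
    }
    if (dstsize > 0)
        dst[(n < dstsize - 1) ? n : dstsize - 1] = '\0';
    *scanned = n;
    return n;
}

/* The correct extraction for a non-terminated fixed-width field:
 * strncpy reads at most `width` bytes of the record, and the caller
 * terminates explicitly. dst must have room for width + 1 bytes. */
static char *get_field(char *dst, const char *rec, size_t off, size_t width)
{
    strncpy(dst, rec + off, width);
    dst[width] = '\0';
    return dst;
}

/* Returns 1 when strncpy + explicit terminator yields both fields
 * intact without touching any byte outside the field being copied. */
static int fields_extract_correctly(void)
{
    char name[NAME_LEN + 1];
    char city[CITY_LEN + 1];
    get_field(name, record, 0, NAME_LEN);
    get_field(city, record, NAME_LEN, CITY_LEN);
    return strcmp(name, "Alice     ") == 0 && strcmp(city, "Utrecht ") == 0;
}

/* How many bytes beyond the first field an strlcpy-style copy examines.
 * There is no NUL in the record, so the scan runs through the entire
 * city field as well, and only the demo's `limit` stops it at the end
 * of the record; the real strlcpy would continue into whatever follows. */
static size_t strlcpy_overrun_bytes(void)
{
    char buf[NAME_LEN + 1];
    size_t scanned = 0;
    strlcpy_like(buf, record, sizeof buf, sizeof record, &scanned);
    return scanned - NAME_LEN;
}

int main(void)
{
    char name[NAME_LEN + 1];
    printf("name field via strncpy+NUL: \"%s\"\n",
           get_field(name, record, 0, NAME_LEN));
    printf("strlcpy-style copy of the same field reads %zu bytes past it\n",
           strlcpy_overrun_bytes());
    return 0;
}
```

On a platform with guard pages right after the allocation (the OpenBSD malloc behaviour the reporter mentions) that extra scan is what turns into the reported segfault; on others it is a silent over-read that valgrind or ASan will flag. The bounded strncpy copy never examines a byte outside the field.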

Patches

patchstrlcpy.diff (last revision 2014-10-23 07:00 UTC by otto at drijf dot net)

Pull Requests

History

 [2014-10-28 08:21 UTC] alan_k@php.net
Automatic comment from SVN on behalf of alan_k
Revision: http://svn.php.net/viewvc/?view=revision&revision=335148
Log: fix Bug #68289 - do not assume null terminated strings - by otto at drijf dot net
 [2014-10-28 08:22 UTC] alan_k@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: alan_k
 [2014-10-28 08:22 UTC] alan_k@php.net
Thanks - applied to svn.