Bug #68289 wrong strlcpy call
Submitted: 2014-10-23 07:00 UTC Modified: 2014-10-28 08:22 UTC
From: otto at drijf dot net Assigned: alan_k (profile)
Status: Closed Package: dbase (PECL)
PHP Version: 5.6.2 OS: OpenBSD
Private report: No CVE-ID: None


 [2014-10-23 07:00 UTC] otto at drijf dot net
dbf_rec.c uses strlcpy to copy the contents of a record field. These fields are not NUL-terminated in mem. strlcpy only works correctly if the src string *IS NUL-terminated*. While strlcpy reads the buffer to find the ending NUL, it runs out of the buffer in some cases. If the memory beyond the buffer is not mapped, a segfault occurs.

The original code used strncpy + assignment, which is correct.

Test script:
Run dbase extension using OpenBSD. Due to the nature of OpenBSD malloc, it is unforgiving and catches the read beyond the buffer. Likely a tool like valgrind will catch this as well on other platforms.

Expected result:
No segfaults.

Actual result:
Segfault in get_field_val() call of strlcpy.


patchstrlcpy.diff (last revision 2014-10-23 07:00 UTC by otto at drijf dot net)
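
The read past the field that the report describes, as an added C example (not part of the report, the attached patch, or the dbase source). The record layout, `strlcpy_model` and `copy_field` are hypothetical names; the model reproduces strlcpy's documented behaviour of scanning src to its NUL, so the demo runs on platforms without strlcpy and stays inside one object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one dBase-style record, three fixed-width fields packed
 * back to back, space padded, no NUL between them. The literal's trailing
 * '\0' stands in for whatever happens to follow the record in memory. */
static const char record[] = "SMITH     JOHN    42";
enum { NAME_OFF = 0, NAME_LEN = 10 };

/* Stand-in with strlcpy semantics (not libc's): copies at most size-1 bytes,
 * terminates dst, and keeps reading src until its NUL to compute the return
 * value. *scanned reports how many src bytes were read, NUL included. */
static size_t strlcpy_model(char *dst, const char *src, size_t size,
                            size_t *scanned)
{
    size_t n = 0;
    while (src[n] != '\0') {
        if (n + 1 < size)
            dst[n] = src[n];
        n++;
    }
    if (size)
        dst[n < size ? n : size - 1] = '\0';
    *scanned = n + 1;
    return n;
}

/* Bytes read beyond the 10-byte field when it is copied strlcpy-style. */
static size_t overread_bytes(void)
{
    char out[NAME_LEN + 1];
    size_t scanned;
    strlcpy_model(out, record + NAME_OFF, sizeof out, &scanned);
    return scanned - NAME_LEN;
}

/* Bounded copy as the report describes: strncpy of exactly the field length,
 * then an explicit terminator. It never reads past src[len - 1]. */
static void copy_field(char *dst, const char *src, size_t len)
{
    strncpy(dst, src, len);
    dst[len] = '\0';
}

int main(void)
{
    char name[NAME_LEN + 1];
    copy_field(name, record + NAME_OFF, NAME_LEN);
    printf("field=[%s] strlcpy-style over-read=%zu bytes\n", name, overread_bytes());
    return 0;
}
```

When the field is the last data before an unmapped page, those extra reads are what fault; the destination is correctly sized in both cases, so the defect is a read past the source, not a write overflow.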

 [2014-10-28 08:21 UTC]
Automatic comment from SVN on behalf of alan_k
Log: fix Bug #68289 - do not assume null terminated strings - by otto at drijf dot net
 [2014-10-28 08:22 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: alan_k
 [2014-10-28 08:22 UTC]
Thanks - applied to svn.