PHP :: Bug #68637 :: Segmentation fault in function php

[2014-12-23 12:20 UTC] xoJIog at inbox dot lv

Description:
------------
PHP segfaults when src is null in function php_strlcpy

Expected result:
----------------
expected to check src

Actual result:
--------------
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x084e4795 in php_strlcpy (dst=0xbd55f35c "", src=0x0, siz=1024) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/strlcpy.c:78
78      /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/strlcpy.c: No such file or directory.
(gdb) bt
#0  0x084e4795 in php_strlcpy (dst=0xbd55f35c "", src=0x0, siz=1024) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/strlcpy.c:78
#1  0x082085a0 in mm_login (mb=0xbd55efbc, user=0xbd55f35c "", pwd=0xbd55f75c "", trial=0) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/imap/php_imap.c:5098
#2  0xa69a2e0b in imap_login () from /usr/lib/libc-client.so.1
#3  0xa69a1a17 in imap_open () from /usr/lib/libc-client.so.1
#4  0xa696dfd0 in mail_open_work () from /usr/lib/libc-client.so.1
#5  0xa696d943 in mail_open () from /usr/lib/libc-client.so.1
#6  0x081f82a2 in zif_imap_reopen (ht=3, return_value=0xce1ea48, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/imap/php_imap.c:1327
#7  0x085a75db in zend_do_fcall_common_helper_SPEC (execute_data=0xa42d4194) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:550
#8  0x085a7d4f in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xa42d4194) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:685
#9  0x085a6d2b in execute_ex (execute_data=0xa42d4194) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:363
#10 0x085a6db9 in zend_execute (op_array=0xce00274) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:388
#11 0x08554b6d in zend_call_function (fci=0xbd560d74, fci_cache=0xbd560d60) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_execute_API.c:937
#12 0x0839a748 in zif_call_user_func_array (ht=2, return_value=0xce24148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/standard/basic_functions.c:4806
#13 0x085a75db in zend_do_fcall_common_helper_SPEC (execute_data=0xa42d409c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:550
#14 0x085a7d4f in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xa42d409c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:685
#15 0x085a6d2b in execute_ex (execute_data=0xa42d409c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:363
#16 0x085a6db9 in zend_execute (op_array=0xccddd4c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:388
#17 0x08554b6d in zend_call_function (fci=0xbd560f94, fci_cache=0xbd560f80) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_execute_API.c:937
#18 0x0839a748 in zif_call_user_func_array (ht=2, return_value=0xccfaff0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/ext/standard/basic_functions.c:4806
#19 0x085a75db in zend_do_fcall_common_helper_SPEC (execute_data=0xa42d3b08) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:550
#20 0x085a7d4f in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xa42d3b08) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:685
#21 0x085a6d2b in execute_ex (execute_data=0xa42d3b08) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:363
#22 0x085a6db9 in zend_execute (op_array=0xa42ef25c) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend_vm_execute.h:388
#23 0x08568228 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/Zend/zend.c:1330
#24 0x084d4ece in php_execute_script (primary_file=0xbd565464) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/main/main.c:2506
#25 0x08626668 in main (argc=5, argv=0xbd5655b4) at /var/tmp/portage/dev-lang/php-5.5.19/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c:1949

[2014-12-23 15:04 UTC] xoJIog at inbox dot lv

--- main/strlcpy.c.orig 2014-12-23 14:23:25.451809947 +0200
+++ main/strlcpy.c      2014-12-23 14:25:13.439982613 +0200
@@ -73,7 +73,7 @@
        register size_t n = siz;
 
        /* Copy as many bytes as will fit */
-       if (n != 0 && --n != 0) {
+       if (n != 0 && --n != 0 && src) {
                do {
                        if ((*d++ = *s++) == 0)
                                break;

[2021-06-09 14:40 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2021-06-09 14:40 UTC] cmb@php.net

> expected to check src

No.  strlcpy() must not be called on NULL values.

Anyhow, is this still an issue with any of the actively supported
PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>

[2021-06-20 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Mon Mar 27 00:03:38 2023 UTC