Bug #69872 uninitialised value in strtr with array
Submitted: 2015-06-18 12:50 UTC
Modified: -
From: arjen at react dot com
Assigned:
Status: Closed
Package: Strings related
PHP Version: 7.0Git-2015-06-18 (Git)
OS: Linux
Private report: No
CVE-ID:
 [2015-06-18 12:50 UTC] arjen at react dot com
Description:
------------
Array contains some non-ascii chars, so I put some serialize/base64_encode around it.

USE_ZEND_ALLOC=0 valgrind --tool=memcheck --smc-check=all --error-limit=no --num-callers=30 --track-origins=yes --num-callers=30 --leak-check=full php-src/sapi/cli/php uninitialize_var_strtr.php

Test script:
---------------
<?php


$replace = unserialize(base64_decode('YTo1NTp7czoxOiIAIjtzOjE6IjIiO3M6MToiASI7czoxOiIzIjtzOjE6IgIiO3M6MToiNCI7czoxOiIDIjtzOjE6IjUiO3M6MToiBCI7czoxOiI2IjtzOjE6IgUiO3M6MToiNyI7czoxOiIGIjtzOjE6IjgiO3M6MToiByI7czoxOiI5IjtzOjE6IggiO3M6MToiYSI7czoxOiIJIjtzOjE6ImIiO3M6MToiCiI7czoxOiJkIjtzOjE6IgsiO3M6MToiZSI7czoxOiIMIjtzOjE6ImYiO3M6MToiDSI7czoxOiJnIjtzOjE6Ig4iO3M6MToiaCI7czoxOiIPIjtzOjE6ImkiO3M6MToiECI7czoxOiJqIjtzOjE6IhEiO3M6MToiayI7czoxOiISIjtzOjE6Im0iO3M6MToiEyI7czoxOiJuIjtzOjE6IhQiO3M6MToicCI7czoxOiIVIjtzOjE6InEiO3M6MToiFiI7czoxOiJyIjtzOjE6IhciO3M6MToicyI7czoxOiIYIjtzOjE6InQiO3M6MToiGSI7czoxOiJ1IjtzOjE6IhoiO3M6MToidiI7czoxOiIbIjtzOjE6InciO3M6MToiHCI7czoxOiJ4IjtzOjE6Ih0iO3M6MToieSI7czoxOiIeIjtzOjE6InoiO3M6MToiHyI7czoxOiJBIjtzOjE6IiAiO3M6MToiQiI7czoxOiIhIjtzOjE6IkMiO3M6MToiIiI7czoxOiJEIjtzOjE6IiMiO3M6MToiRSI7czoxOiIkIjtzOjE6IkYiO3M6MToiJSI7czoxOiJHIjtzOjE6IiYiO3M6MToiSCI7czoxOiInIjtzOjE6IkoiO3M6MToiKCI7czoxOiJLIjtzOjE6IikiO3M6MToiTCI7czoxOiIqIjtzOjE6Ik0iO3M6MToiKyI7czoxOiJOIjtzOjE6IiwiO3M6MToiUCI7czoxOiItIjtzOjE6IlEiO3M6MToiLiI7czoxOiJSIjtzOjE6Ii8iO3M6MToiUyI7aTowO3M6MToiVCI7aToxO3M6MToiVSI7aToyO3M6MToiViI7aTozO3M6MToiVyI7aTo0O3M6MToiWCI7aTo1O3M6MToiWSI7aTo2O3M6MToiWiI7fQ=='));

$search = hex2bin('02250724281413111027360315340632360c1422');

$result = strtr($search, $replace);
var_dump($result);


Expected result:
----------------
No valgrind errors.

Actual result:
--------------
==4820== Conditional jump or move depends on uninitialised value(s)
==4820==    at 0x84CF89: php_strtr_array (string.c:3057)
==4820==    by 0x84EA67: zif_strtr (string.c:3485)
==4820==    by 0x99FD3D: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:576)
==4820==    by 0x99F77A: execute_ex (zend_vm_execute.h:403)
==4820==    by 0x99F88B: zend_execute (zend_vm_execute.h:447)
==4820==    by 0x947253: zend_execute_scripts (zend.c:1389)
==4820==    by 0x8B88B0: php_execute_script (main.c:2475)
==4820==    by 0xA04966: do_cli (php_cli.c:967)
==4820==    by 0xA0592E: main (php_cli.c:1334)
==4820==  Uninitialised value was created by a stack allocation
==4820==    at 0x84CAD8: php_strtr_array (string.c:2981)

History

 [2015-06-18 14:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=20f34166829a6f6c4b4f5f05b10ca296e3742f1c
Log: Fixed bug #69872 (uninitialised value in strtr with array)
 [2015-06-18 14:33 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=20f34166829a6f6c4b4f5f05b10ca296e3742f1c
Log: Fixed bug #69872 (uninitialised value in strtr with array)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=20f34166829a6f6c4b4f5f05b10ca296e3742f1c
Log: Fixed bug #69872 (uninitialised value in strtr with array)
 
Last updated: Tue Aug 29 15:01:52 2017 UTC