php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70862 Several functions do not check return code of php_stream_copy_to_mem()
Submitted: 2015-11-05 15:20 UTC Modified: 2015-11-05 21:51 UTC
From: fabian at tag1consulting dot com Assigned: ab
Status: Closed Package: Streams related
PHP Version: 7.0Git-2015-11-05 (Git) OS: Linux / Ubuntu
Private report: No CVE-ID:
 [2015-11-05 15:20 UTC] fabian at tag1consulting dot com
Description:
------------
Follow-up to https://bugs.php.net/bug.php?id=70861 which had the same problem.

./ext/mbstring/mb_gpc.c
./ext/pdo_firebird/firebird_statement.c
./ext/pdo_mysql/mysql_statement.c
./ext/pdo_sqlite/sqlite_statement.c
./ext/sqlite3/sqlite3.c
./ext/standard/image.c

all have code similar to:

  ZVAL_STR(parameter, php_stream_copy_to_mem(stm, PHP_STREAM_COPY_ALL, 0));

in various variations.

However php_stream_copy_to_mem() can return NULL, which will make this code fail under certain circumstances.

./ext/pdo/pdo_stmt.c has probably the best code for the problem to solve in a generic way:

                                        buf = php_stream_copy_to_mem((php_stream*)value, PHP_STREAM_COPY_ALL, 0);
                                        if (buf == NULL) {
                                                ZVAL_EMPTY_STRING(dest);
                                        } else {
                                                ZVAL_STR(dest, buf);
                                        }

and this likely should be made into a macro:

ZVAL_STR_OR_EMPTY(dest, buf, stream);

Expected result:
----------------
All functions should check the return value of php_stream_copy_to_mem()

Actual result:
--------------
Some function do not yet check the return value. This could lead to bugs.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-11-05 15:30 UTC] laruence@php.net
-Assigned To: +Assigned To: ab
 [2015-11-05 21:50 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2015-11-05 21:51 UTC] ab@php.net
All the vulnerable places are covered now, multiple revisions :)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Jul 25 22:01:35 2017 UTC