Bug #72039 Use of uninitialised value on mssql_guid_string
Submitted: 2016-04-17 04:51 UTC Modified: 2016-08-06 08:18 UTC
From: fernando at null-life dot com Assigned: kalle
Status: Closed Package: MSSQL related
PHP Version: 5.6.20 OS: Linux
Private report: No CVE-ID:
 [2016-04-17 04:51 UTC] fernando at null-life dot com
Description:
------------
Tested under PHP 5.6.20 but should affect 5.5.34 too

https://github.com/php/php-src/blob/PHP-5.5.34/ext/mssql/php_mssql.c#L2278


Steps
1) Compile PHP 5.6.20 with debugging symbols.
2) Run PHP under valgrind with the test case
   $ valgrind /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php

Test script:
---------------
<?php

var_dump(mssql_guid_string(0));

Expected result:
----------------
No warnings

Actual result:
--------------
fmunozs@fuzzilla:/ramdisk/ww$ valgrind /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php
==2099== Memcheck, a memory error detector
==2099== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2099== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2099== Command: /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php
==2099== 
==2099== Conditional jump or move depends on uninitialised value(s)
==2099==    at 0x42F807B: toupper (ctype.c:52)
==2099==    by 0x8353579: php_strtoupper (string.c:1360)
==2099==    by 0x4049C7D: zif_mssql_guid_string (php_mssql.c:2278)
==2099==    by 0x849351E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==2099==    by 0x849846A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==2099==    by 0x8492CBE: execute_ex (zend_vm_execute.h:363)
==2099==    by 0x8492D43: zend_execute (zend_vm_execute.h:388)
==2099==    by 0x8454594: zend_execute_scripts (zend.c:1341)
==2099==    by 0x83C9A40: php_execute_script (main.c:2613)
==2099==    by 0x84FCD29: do_cli (php_cli.c:994)
==2099==    by 0x84FE0C3: main (php_cli.c:1378)
==2099== 
==2099== Use of uninitialised value of size 4
==2099==    at 0x42F8092: toupper (ctype.c:52)
==2099==    by 0x8353579: php_strtoupper (string.c:1360)
==2099==    by 0x4049C7D: zif_mssql_guid_string (php_mssql.c:2278)
==2099==    by 0x849351E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==2099==    by 0x849846A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==2099==    by 0x8492CBE: execute_ex (zend_vm_execute.h:363)
==2099==    by 0x8492D43: zend_execute (zend_vm_execute.h:388)
==2099==    by 0x8454594: zend_execute_scripts (zend.c:1341)
==2099==    by 0x83C9A40: php_execute_script (main.c:2613)
==2099==    by 0x84FCD29: do_cli (php_cli.c:994)
==2099==    by 0x84FE0C3: main (php_cli.c:1378)
==2099== 
string(2) "�"
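The defect the valgrind trace points at is a conversion routine that treats whatever string it is handed as a full 16-byte GUID and then runs toupper over the resulting buffer, so the 1-byte input "0" leaves most of the buffer uninitialised. The following is an added C example written for this page; it is neither PHP's php_mssql.c code nor the committed fix. It shows the shape of a hardened converter: reject any input that is not exactly 16 bytes, always NUL-terminate the output, and upper-case only bytes the function itself wrote. The byte order follows the mixed-endian layout SQL Server uses for uniqueidentifier values (first three groups byte-swapped); the page does not show the ordering php_mssql.c uses, and the length check, not the ordering, is the point. The sample GUID and the helper functions (guid_to_string_rejects, guid_to_string_equals) are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUID_BIN_LEN 16   /* a uniqueidentifier is always 16 bytes */
#define GUID_STR_LEN 36   /* 8-4-4-4-12 text form, without the NUL */

/* Emission order of the 16 input bytes. SQL Server stores the first
 * three groups little-endian and the last two as-is (mixed-endian). */
static const int guid_order[GUID_BIN_LEN] = {
    3, 2, 1, 0,              /* group 1: 4 bytes, reversed */
    5, 4,                    /* group 2: 2 bytes, reversed */
    7, 6,                    /* group 3: 2 bytes, reversed */
    8, 9,                    /* group 4: 2 bytes, as stored */
    10, 11, 12, 13, 14, 15   /* group 5: 6 bytes, as stored */
};

/* Convert a binary GUID to text. Returns 0 on success, -1 if bin_len is not
 * exactly 16 or out_len is too small. 'out' is always NUL-terminated (empty
 * on failure), so a caller never sees uninitialised bytes. Upper-casing is
 * done while emitting, so it can never run past the bytes written here. */
int guid_to_string(const unsigned char *bin, size_t bin_len,
                   int upper, char *out, size_t out_len)
{
    static const char hex_lower[] = "0123456789abcdef";
    static const char hex_upper[] = "0123456789ABCDEF";
    const char *hex = upper ? hex_upper : hex_lower;
    size_t pos = 0;
    int i;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';

    /* The check the reported code lacked: a 1-byte "0" is rejected here
     * instead of being read as if it were 16 bytes. */
    if (bin == NULL || bin_len != GUID_BIN_LEN || out_len < GUID_STR_LEN + 1)
        return -1;

    for (i = 0; i < GUID_BIN_LEN; i++) {
        unsigned char b = bin[guid_order[i]];
        if (i == 4 || i == 6 || i == 8 || i == 10)
            out[pos++] = '-';        /* separators after groups 1..4 */
        out[pos++] = hex[b >> 4];
        out[pos++] = hex[b & 0x0f];
    }
    out[pos] = '\0';
    return 0;
}

/* Constructed sample GUID (not from the report): 00112233-4455-6677-8899-aabbccddeeff
 * as raw bytes, i.e. before SQL Server's byte swapping is applied. */
const unsigned char sample_guid[GUID_BIN_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

/* 1 if the input is rejected and the output left as an empty string. */
int guid_to_string_rejects(const unsigned char *bin, size_t bin_len)
{
    char buf[GUID_STR_LEN + 1];
    memset(buf, 'X', sizeof buf);   /* poison so a stale read would show */
    return guid_to_string(bin, bin_len, 0, buf, sizeof buf) == -1
           && buf[0] == '\0';
}

/* 1 if conversion succeeds and yields exactly 'expected'. */
int guid_to_string_equals(const unsigned char *bin, size_t bin_len,
                          int upper, const char *expected)
{
    char buf[GUID_STR_LEN + 1];
    if (guid_to_string(bin, bin_len, upper, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[GUID_STR_LEN + 1];

    /* The reporter's input: a single byte, as PHP passes "0". */
    if (guid_to_string((const unsigned char *)"0", 1, 1, buf, sizeof buf) != 0)
        printf("1-byte input rejected, output is \"%s\"\n", buf);

    guid_to_string(sample_guid, sizeof sample_guid, 0, buf, sizeof buf);
    printf("lower: %s\n", buf);
    guid_to_string(sample_guid, sizeof sample_guid, 1, buf, sizeof buf);
    printf("upper: %s\n", buf);
    return 0;
}
```

The same discipline applies in any extension entry point that receives a PHP string: the length zend_parse_parameters returns must be compared against the fixed size the C code is about to consume before any conversion or case-folding runs over the result.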


 [2016-08-06 05:14 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: kalle
 [2016-08-06 08:19 UTC] kalle@php.net
-Status: Assigned +Status: Closed
 [2016-08-06 08:19 UTC] kalle@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Should be fixed in 5.6.26, thanks for helping to make PHP even greater!
 
Last updated: Thu Jul 20 18:01:35 2017 UTC