Bug #72039 Use of uninitialised value on mssql_guid_string
Submitted: 2016-04-17 04:51 UTC Modified: 2016-08-06 08:18 UTC
From: fernando at null-life dot com Assigned: kalle (profile)
Status: Closed Package: MSSQL related
PHP Version: 5.6.20 OS: Linux
Private report: No CVE-ID: None

 [2016-04-17 04:51 UTC] fernando at null-life dot com
Description:
------------
Tested under PHP 5.6.20 but should affect 5.5.34 too

https://github.com/php/php-src/blob/PHP-5.5.34/ext/mssql/php_mssql.c#L2278


Steps
1) Compile PHP 5.6.20 with debugging symbols.
2) Run PHP under valgrind with the test case
   $ valgrind /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php

Test script:
---------------
<?php

var_dump(mssql_guid_string(0));

Expected result:
----------------
No warnings

Actual result:
--------------
fmunozs@fuzzilla:/ramdisk/ww$ valgrind /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php
==2099== Memcheck, a memory error detector
==2099== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2099== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2099== Command: /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php
==2099== 
==2099== Conditional jump or move depends on uninitialised value(s)
==2099==    at 0x42F807B: toupper (ctype.c:52)
==2099==    by 0x8353579: php_strtoupper (string.c:1360)
==2099==    by 0x4049C7D: zif_mssql_guid_string (php_mssql.c:2278)
==2099==    by 0x849351E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==2099==    by 0x849846A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==2099==    by 0x8492CBE: execute_ex (zend_vm_execute.h:363)
==2099==    by 0x8492D43: zend_execute (zend_vm_execute.h:388)
==2099==    by 0x8454594: zend_execute_scripts (zend.c:1341)
==2099==    by 0x83C9A40: php_execute_script (main.c:2613)
==2099==    by 0x84FCD29: do_cli (php_cli.c:994)
==2099==    by 0x84FE0C3: main (php_cli.c:1378)
==2099== 
==2099== Use of uninitialised value of size 4
==2099==    at 0x42F8092: toupper (ctype.c:52)
==2099==    by 0x8353579: php_strtoupper (string.c:1360)
==2099==    by 0x4049C7D: zif_mssql_guid_string (php_mssql.c:2278)
==2099==    by 0x849351E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==2099==    by 0x849846A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==2099==    by 0x8492CBE: execute_ex (zend_vm_execute.h:363)
==2099==    by 0x8492D43: zend_execute (zend_vm_execute.h:388)
==2099==    by 0x8454594: zend_execute_scripts (zend.c:1341)
==2099==    by 0x83C9A40: php_execute_script (main.c:2613)
==2099==    by 0x84FCD29: do_cli (php_cli.c:994)
==2099==    by 0x84FE0C3: main (php_cli.c:1378)
==2099== 
string(2) "�"

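The trace above shows toupper() running over bytes that were never initialised once the formatter was handed a one-byte argument. As an added example, not code from php-src or from the reporter, here is a GUID formatter of the same shape in C: first the unchecked fixed 16-byte read that is consistent with the trace, then the same formatter behind the length check such a function needs. All function names and sample values are the example's own.

```c
/* Added example (not php-src code): a GUID formatter shaped like
 * mssql_guid_string(), once as an unchecked 16-byte read and once
 * behind a length check. All names here are the example's own. */
#include <stdio.h>
#include <string.h>

#define GUID_BIN_LEN 16
#define GUID_STR_LEN 36   /* 8-4-4-4-12 hex digits plus four hyphens */

/* Constructed sample inputs: a full 16-byte GUID, and the one-byte
 * string that PHP makes out of the argument 0 in the test script. */
static const unsigned char SAMPLE_GUID[GUID_BIN_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
static const unsigned char SHORT_ARG[1] = { '0' };

/* Defect pattern: reads bin[0..15] no matter how long the caller's
 * buffer really is. With a 1-byte input the other 15 bytes are
 * whatever follows it in memory, which is what valgrind flags. */
static void guid_to_string_unchecked(const unsigned char *bin, char *out)
{
    /* Microsoft GUID layout: first three fields little-endian, rest in order. */
    snprintf(out, GUID_STR_LEN + 1,
             "%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X",
             bin[3], bin[2], bin[1], bin[0], bin[5], bin[4], bin[7], bin[6],
             bin[8], bin[9], bin[10], bin[11], bin[12], bin[13], bin[14], bin[15]);
}

/* Hardened entry point: the length is checked before a single byte is
 * read. Returns a pointer to a static result buffer, or NULL when the
 * input is not exactly 16 bytes. */
const char *guid_to_string(const unsigned char *bin, size_t len)
{
    static char out[GUID_STR_LEN + 1];
    if (bin == NULL || len != GUID_BIN_LEN)
        return NULL;
    guid_to_string_unchecked(bin, out);
    return out;
}

int main(void)
{
    const char *s = guid_to_string(SAMPLE_GUID, sizeof SAMPLE_GUID);
    printf("16-byte input: %s\n", s ? s : "(rejected)");
    s = guid_to_string(SHORT_ARG, sizeof SHORT_ARG);
    printf("1-byte input:  %s\n", s ? s : "(rejected)");
    return 0;
}
```

Run under valgrind, the hardened path produces no uninitialised-value reports because it never touches bytes past the length it was given.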

 [2016-08-06 05:14 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: kalle
 [2016-08-06 08:19 UTC] kalle@php.net
-Status: Assigned +Status: Closed
 [2016-08-06 08:19 UTC] kalle@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Should be fixed in 5.6.26, thanks for helping to make PHP even greater!
 
Last updated: Thu Oct 03 20:01:28 2024 UTC