Bug #72716 php_stream_ftp_stream_close leaks stack memory
Submitted: 2016-07-31 05:18 UTC Modified: 2016-08-04 05:58 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: FTP related
PHP Version: 5.6.24 OS: *
Private report: No CVE-ID:
 [2016-07-31 05:18 UTC] fernando at null-life dot com
Description:
------------
Description
===========
tmp_line is never assigned a value in this scope, so if an error occurs it will log information from the stack via php_error_docref.

https://github.com/php/php-src/blob/PHP-7.0.9/ext/standard/ftp_fopen_wrapper.c#L111-L117


Code
====

char tmp_line[512];
int result;

/* For write modes close data stream first to signal EOF to server */
result = GET_FTP_RESULT(controlstream);
if (result != 226 && result != 250) {
	php_error_docref(NULL, E_WARNING, "FTP server error %d:%s", result, tmp_line);

Fix
===
There's probably a missing call to php_stream_notify_error here. 



Test script:
---------------
Not available 

Expected result:
----------------
No warnings

Actual result:
--------------
valgrind output

==22586== Use of uninitialised value of size 4
==22586==    at 0x4DC528B: ____strtol_l_internal (strtol_l.c:435)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4DC52CE: ____strtol_l_internal (strtol_l.c:437)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Use of uninitialised value of size 4
==22586==    at 0x4DC5394: ____strtol_l_internal (strtol_l.c:461)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4DC5327: ____strtol_l_internal (strtol_l.c:479)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4830387: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22586==    by 0x29BC3E: ??? (in /usr/bin/php7.0)
==22586==    by 0x29CC57: vspprintf (in /usr/bin/php7.0)
==22586==    by 0x16FC9E: ??? (in /usr/bin/php7.0)
==22586==    by 0x1719A1: zend_error (in /usr/bin/php7.0)
==22586==    by 0x1709ED: php_verror (in /usr/bin/php7.0)
==22586==    by 0x170A82: php_error_docref0 (in /usr/bin/php7.0)
==22586==    by 0x28085F: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
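The defect class behind this report, shown as an added stand-alone illustration (this is not php-src code and not the reporter's): a reply reader that can return early without ever writing its output buffer, beside a hardened reader that makes the buffer an empty string before any read (the approach the fix commit's log line "initialize buffer before read" describes), and a caller that formats the buffer into a warning the way php_stream_ftp_stream_close does. All function names (read_reply_unsafe, read_reply_safe, close_and_warn) are hypothetical, and the stale stack contents are simulated by pre-filling the local buffer with a constructed marker string.

```c
/* Added illustration of the bug class in #72716; this is not php-src code.
 * All function names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_LEN 512

typedef int (*reply_reader)(const char *reply, char *line);

/* Unsafe reader: `reply` is the control-channel text, or NULL when the
 * server closed the connection before sending anything. On the NULL path
 * it returns without touching `line`, which is the situation the report
 * describes: the caller then formats whatever the buffer already held. */
static int read_reply_unsafe(const char *reply, char *line)
{
    if (reply == NULL) {
        return 0;                         /* early exit: `line` never written */
    }
    snprintf(line, LINE_LEN, "%s", reply);
    return (int)strtol(line, NULL, 10);   /* leading 3-digit reply code */
}

/* Hardened reader: the buffer is a valid empty string before any read, so
 * every exit path leaves it well-defined ("initialize buffer before read"). */
static int read_reply_safe(const char *reply, char *line)
{
    line[0] = '\0';
    if (reply == NULL) {
        return 0;
    }
    snprintf(line, LINE_LEN, "%s", reply);
    return (int)strtol(line, NULL, 10);
}

/* Caller mirroring the close path: reads the reply into a local buffer and,
 * unless the code is 226 or 250, formats "FTP server error %d:%s" into
 * `out`. Returns the warning length, or -1 when no warning is produced.
 * The stale stack contents are simulated by pre-filling the local buffer
 * with a constructed marker; on a real stack it would hold whatever an
 * earlier call left behind. */
static int close_and_warn(reply_reader reader, const char *reply,
                          char *out, size_t out_len)
{
    char tmp_line[LINE_LEN];
    int result;

    strcpy(tmp_line, "STALE-STACK-DATA");     /* constructed stand-in for leftovers */
    result = reader(reply, tmp_line);
    if (result != 226 && result != 250) {
        return snprintf(out, out_len, "FTP server error %d:%s", result, tmp_line);
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    char out[LINE_LEN + 32];

    close_and_warn(read_reply_unsafe, NULL, out, sizeof out);
    printf("unsafe, connection closed: %s\n", out);   /* warning carries the stale bytes */

    close_and_warn(read_reply_safe, NULL, out, sizeof out);
    printf("safe,   connection closed: %s\n", out);   /* reply text is empty */

    if (close_and_warn(read_reply_safe, "226 Transfer complete", out, sizeof out) < 0) {
        printf("safe,   226 reply: no warning\n");
    }
    return 0;
}
```

Because the example pre-fills the buffer, Memcheck stays silent on it and the leak shows up in the printed warning instead; in the real code the bytes are genuinely undefined, which is why the report's valgrind run flags strtol ("Use of uninitialised value") and then strlen inside the vspprintf call that builds the warning. The one-line fix in the safe reader removes both findings because every path that reaches the format call now sees a NUL-terminated string.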


History

 [2016-08-04 05:58 UTC] stas@php.net
-Type: Security +Type: Bug -PHP Version: 7.0.9 +PHP Version: 5.6.24
 [2016-08-04 05:58 UTC] stas@php.net
Doesn't look like security issue - error messages should not be displayed in production.
 [2016-08-04 06:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f861b60710639557635e9f3cf13bf9cbf8872cd
Log: Fix bug #72716 - initialize buffer before read
 [2016-08-04 06:04 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c291f0fa0c8b8c6994f521f5863c407494eb1dc
Log: Fix bug #72716 - initialize buffer before read
 [2016-10-17 10:10 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f861b60710639557635e9f3cf13bf9cbf8872cd
Log: Fix bug #72716 - initialize buffer before read
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Apr 28 02:01:36 2017 UTC