Bug #75775 readline_read_history segfaults with empty file
Submitted: 2018-01-08 02:06 UTC Modified: 2018-01-12 15:41 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: Readline related
PHP Version: 7.1.13 OS: Windows
Private report: No CVE-ID: None
 [2018-01-08 02:06 UTC] fernando at null-life dot com
I believe the bug is caused by using strlen with NULL; fgets (probably) returns NULL on empty files.

    eof = fgets(&line[s], _EL_BUF_LEN, file);   /* returns NULL when nothing is read */
    line_len = (int)strlen(line);               /* called without checking eof */

Test script:

Expected result:

Actual result:
(227c.1c20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00007ff9`d89bb8c3 40383413        cmp     byte ptr [rbx+rdx],sil ds:00000223`0ea15000=??
0:000> k
Child-SP          RetAddr           Call Site
000000ac`d79fbc20 00007ff9`d884d87a php7!read_history+0xe3 [e:\repo\winlibs_wineditline\src\history.c @ 270]
000000ac`d79fbc70 00007ff9`d872b875 php7!zif_readline_read_history+0x5a [c:\php-snap-build\php71\vc14\x64\php-7.1.13\ext\readline\readline.c @ 420]
000000ac`d79fbca0 00007ff9`d8708aa0 php7!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER+0x55 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 638]
000000ac`d79fbce0 00007ff9`d8751c7d php7!execute_ex+0x80 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 432]
000000ac`d79fbd30 00007ff9`d87519d9 php7!zend_execute+0x14d [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 475]
000000ac`d79fbd60 00007ff9`d87517a7 php7!zend_execute_scripts+0xa9 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend.c @ 1483]
000000ac`d79fbde0 00007ff6`a06128e6 php7!php_execute_script+0x277 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\main\main.c @ 2577]
000000ac`d79fe990 00007ff6`a061375e php!do_cli+0x996 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\sapi\cli\php_cli.c @ 994]
000000ac`d79ff5b0 00007ff6`a061b5a9 php!main+0x67e [c:\php-snap-build\php71\vc14\x64\php-7.1.13\sapi\cli\php_cli.c @ 1381]
000000ac`d79ff7c0 00007ffa`10431fe4 php!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000ac`d79ff800 00007ffa`124cefb1 KERNEL32!BaseThreadInitThunk+0x14
000000ac`d79ff830 00000000`00000000 ntdll!RtlUserThreadStart+0x21


 [2018-01-12 15:41 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2018-01-12 15:41 UTC]
Thanks for reporting. I've pushed a fix to our fork as the preparation for next RCs and also reported upstream. The patched version is available from the staging series.

The issue is not the NULL, but the line containing uninitialized data as nothing was read.
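As an added example (not code from this report or from the wineditline project), a history reader in the shape of the loop quoted in the report that checks the fgets() result before calling strlen(), which covers both the reporter's NULL return and the maintainer's point about an untouched buffer. BUF_LEN stands in for _EL_BUF_LEN, and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64   /* stands in for wineditline's _EL_BUF_LEN (assumed size) */

/* Reads one history entry per line, returning the count (0 for an empty
 * file) and copying the last entry into `last`. fgets() is checked before
 * strlen(): on an empty file it returns NULL and leaves `line` untouched,
 * so strlen() there would scan stale stack bytes (the crash in this report). */
static int read_history_checked(FILE *file, char *last, size_t last_size)
{
    char line[BUF_LEN];
    int count = 0;

    last[0] = '\0';
    while (fgets(line, (int)sizeof line, file) != NULL) {
        size_t line_len = strlen(line);       /* safe: fgets() NUL-terminated it */
        if (line_len > 0 && line[line_len - 1] == '\n')
            line[--line_len] = '\0';          /* strip the trailing newline */
        if (line_len == 0)
            continue;                         /* skip blank lines */
        snprintf(last, last_size, "%s", line);
        count++;
    }
    return ferror(file) ? -1 : count;
}

/* Helper for stand-alone runs: loads `content` into a temporary file. */
static int read_history_from_string(const char *content, char *last, size_t last_size)
{
    FILE *file = tmpfile();
    int n;
    if (file == NULL)
        return -1;
    if (fputs(content, file) == EOF) { fclose(file); return -1; }
    rewind(file);
    n = read_history_checked(file, last, last_size);
    fclose(file);
    return n;
}

int main(void)
{
    char last[BUF_LEN];
    int n = read_history_from_string("ls -la\ncat /etc/hosts\n", last, sizeof last);
    printf("%d entries, last=\"%s\"\n", n, last);
    printf("empty file: %d entries\n", read_history_from_string("", last, sizeof last));
    return 0;
}
```

Entries longer than BUF_LEN are split by fgets() into several chunks and counted as such; the original reader handles that with a continuation offset, which is omitted here.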

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Apr 15 04:01:28 2024 UTC