PHP :: Bug #75775 :: readline_read_history segfaults with empty file

Bug #75775	readline_read_history segfaults with empty file
Submitted:	2018-01-08 02:06 UTC	Modified:	2018-01-12 15:41 UTC
From:	fernando at null-life dot com	Assigned:	ab (profile)
Status:	Closed	Package:	Readline related
PHP Version:	7.1.13	OS:	Windows
Private report:	No	CVE-ID:	None

View Developer Edit

[2018-01-08 02:06 UTC] fernando at null-life dot com

Description:
------------
I believe the bug is caused by using strlen with null, fgets (probably) returns NULL on empty files.

https://github.com/winlibs/wineditline/blob/master/src/history.c#L270

    eof = fgets(&line[s], _EL_BUF_LEN, file);
    line_len = (int)strlen(line);



Test script:
---------------
<?php
touch("empty.file");
readline_read_history("empty.file");


Expected result:
----------------
Nothing

Actual result:
--------------
(227c.1c20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!read_history+0xe3:
00007ff9`d89bb8c3 40383413        cmp     byte ptr [rbx+rdx],sil ds:00000223`0ea15000=??
0:000> k
Child-SP          RetAddr           Call Site
000000ac`d79fbc20 00007ff9`d884d87a php7!read_history+0xe3 [e:\repo\winlibs_wineditline\src\history.c @ 270]
000000ac`d79fbc70 00007ff9`d872b875 php7!zif_readline_read_history+0x5a [c:\php-snap-build\php71\vc14\x64\php-7.1.13\ext\readline\readline.c @ 420]
000000ac`d79fbca0 00007ff9`d8708aa0 php7!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER+0x55 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 638]
000000ac`d79fbce0 00007ff9`d8751c7d php7!execute_ex+0x80 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 432]
000000ac`d79fbd30 00007ff9`d87519d9 php7!zend_execute+0x14d [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 475]
000000ac`d79fbd60 00007ff9`d87517a7 php7!zend_execute_scripts+0xa9 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend.c @ 1483]
000000ac`d79fbde0 00007ff6`a06128e6 php7!php_execute_script+0x277 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\main\main.c @ 2577]
000000ac`d79fe990 00007ff6`a061375e php!do_cli+0x996 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\sapi\cli\php_cli.c @ 994]
000000ac`d79ff5b0 00007ff6`a061b5a9 php!main+0x67e [c:\php-snap-build\php71\vc14\x64\php-7.1.13\sapi\cli\php_cli.c @ 1381]
000000ac`d79ff7c0 00007ffa`10431fe4 php!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000ac`d79ff800 00007ffa`124cefb1 KERNEL32!BaseThreadInitThunk+0x14
000000ac`d79ff830 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-01-12 15:41 UTC] ab@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: ab

[2018-01-12 15:41 UTC] ab@php.net

Thanks for reporting. I've pushed a fix to our fork https://github.com/winlibs/wineditline/commit/43c25c4e3e01f06003ac6132a308b5be71fb2611 as the preparation for next RCs and also reported upstream. The patched version is available from the staging series.

The issue is not the NULL, but the line containing unitialized data as nothing was read.

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2026 The PHP Group All rights reserved.	Last updated: Mon Jan 05 02:00:02 2026 UTC