Bug #75775 readline_read_history segfaults with empty file
Submitted: 2018-01-08 02:06 UTC Modified: 2018-01-12 15:41 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: Readline related
PHP Version: 7.1.13 OS: Windows
Private report: No CVE-ID: None
 [2018-01-08 02:06 UTC] fernando at null-life dot com
Description:
------------
I believe the bug is caused by using strlen with NULL; fgets (probably) returns NULL on empty files.

https://github.com/winlibs/wineditline/blob/master/src/history.c#L270

    eof = fgets(&line[s], _EL_BUF_LEN, file);   /* returns NULL when nothing is read */
    line_len = (int)strlen(line);               /* still runs on line when eof == NULL */

Test script:
---------------
<?php
touch("empty.file");
readline_read_history("empty.file");


Expected result:
----------------
Nothing

Actual result:
--------------
(227c.1c20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!read_history+0xe3:
00007ff9`d89bb8c3 40383413        cmp     byte ptr [rbx+rdx],sil ds:00000223`0ea15000=??
0:000> k
Child-SP          RetAddr           Call Site
000000ac`d79fbc20 00007ff9`d884d87a php7!read_history+0xe3 [e:\repo\winlibs_wineditline\src\history.c @ 270]
000000ac`d79fbc70 00007ff9`d872b875 php7!zif_readline_read_history+0x5a [c:\php-snap-build\php71\vc14\x64\php-7.1.13\ext\readline\readline.c @ 420]
000000ac`d79fbca0 00007ff9`d8708aa0 php7!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER+0x55 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 638]
000000ac`d79fbce0 00007ff9`d8751c7d php7!execute_ex+0x80 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 432]
000000ac`d79fbd30 00007ff9`d87519d9 php7!zend_execute+0x14d [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend_vm_execute.h @ 475]
000000ac`d79fbd60 00007ff9`d87517a7 php7!zend_execute_scripts+0xa9 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\zend\zend.c @ 1483]
000000ac`d79fbde0 00007ff6`a06128e6 php7!php_execute_script+0x277 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\main\main.c @ 2577]
000000ac`d79fe990 00007ff6`a061375e php!do_cli+0x996 [c:\php-snap-build\php71\vc14\x64\php-7.1.13\sapi\cli\php_cli.c @ 994]
000000ac`d79ff5b0 00007ff6`a061b5a9 php!main+0x67e [c:\php-snap-build\php71\vc14\x64\php-7.1.13\sapi\cli\php_cli.c @ 1381]
000000ac`d79ff7c0 00007ffa`10431fe4 php!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000ac`d79ff800 00007ffa`124cefb1 KERNEL32!BaseThreadInitThunk+0x14
000000ac`d79ff830 00000000`00000000 ntdll!RtlUserThreadStart+0x21


History

 [2018-01-12 15:41 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2018-01-12 15:41 UTC] ab@php.net
Thanks for reporting. I've pushed a fix to our fork https://github.com/winlibs/wineditline/commit/43c25c4e3e01f06003ac6132a308b5be71fb2611 as the preparation for next RCs and also reported upstream. The patched version is available from the staging series.

The issue is not the NULL, but the line containing uninitialized data as nothing was read.

Thanks.
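The failure mode discussed in this report, shown as an added example that is not wineditline's or PHP's code: fgets() returns NULL on an empty file and leaves the buffer untouched, yet the reported shape calls strlen() on it anyway; the checked form treats NULL as "nothing read". EL_BUF_LEN, the marker string and both function names are constructed stand-ins for this demonstration.

```c
#include <stdio.h>
#include <string.h>

#define EL_BUF_LEN 64   /* constructed stand-in for wineditline's _EL_BUF_LEN */

/* Reported shape: strlen() runs on `line` whether or not fgets() stored
   anything. When fgets() returns NULL (empty file) `line` keeps whatever it
   held before, so the length is computed from stale bytes. */
static int buggy_line_len(FILE *file, char *line)
{
    char *eof = fgets(line, EL_BUF_LEN, file);
    (void)eof;                    /* return value ignored, as in the bug */
    return (int)strlen(line);     /* measures stale data when eof == NULL */
}

/* Hardened form: a NULL return means "nothing read", so `line` is never
   inspected. Returns -1 on EOF or read error. */
static int checked_line_len(FILE *file, char *line)
{
    if (fgets(line, EL_BUF_LEN, file) == NULL) {
        return -1;
    }
    return (int)strlen(line);
}

/* Run both readers against an empty file. `line` is pre-filled with a
   NUL-terminated marker (constructed) so the stale read is observable
   without walking past the buffer. Returns 1 on success, 0 if no temp file. */
int demo_empty_file(int *buggy_len, int *checked_len)
{
    char line[EL_BUF_LEN];
    FILE *file = tmpfile();       /* empty, like touch("empty.file") */
    if (file == NULL) {
        return 0;
    }
    strcpy(line, "STALE-DATA");
    *buggy_len = buggy_line_len(file, line);     /* 10: length of stale bytes */
    strcpy(line, "STALE-DATA");
    *checked_len = checked_line_len(file, line); /* -1: nothing was read */
    fclose(file);
    return 1;
}
```

In the real library the buffer is not pre-filled, so the stale bytes need not contain a NUL and strlen() can run off the end of the allocation, which is the access violation in the trace above.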