|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2019-10-13 20:29 UTC] skeval65 at gmail dot com
Description:
------------
Out of Bound read issue while calling dbase_get_header_info() function.
Test script:
---------------
root@vmi269474:~/# hexdump -C test.dbf
00000000 01 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 |.fffffffffffffff|
00000010 66 6a 72 68 |fjrh|
00000014
=================================================================
root@vmi269474:~/#php -r '$db_path = "./test.dbf";$dbh = dbase_open($db_path, 0);$column_info = dbase_get_header_info($dbh);'
Expected result:
----------------
No crash
Actual result:
--------------
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff289f5a1 bp 0x7fffffffc4f0 sp 0x7fffffffbc78 T0)
==2726==The signal is caused by a READ memory access.
==2726==Hint: address points to the zero page.
#0 0x7ffff289f5a0 /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
#1 0x4d7cbc in __interceptor_strlen.part.30 (/usr/bin/php+0x4d7cbc)
#2 0x16d2251 in add_assoc_string_ex /root/target/php-src/Zend/zend_API.c:1361:2
#3 0x7fffe9f1eff2 in zif_dbase_get_header_info /root/target/php-src/ext/varnish-1.2.4/dbase-7.0.0/dbase.c:915:3
#4 0x19a3be8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/target/php-src/Zend/zend_vm_execute.h:1278:2
#5 0x183ab3c in execute_ex /root/target/php-src/Zend/zend_vm_execute.h:52102:7
#6 0x183b41c in zend_execute /root/target/php-src/Zend/zend_vm_execute.h:56355:2
#7 0x16756ce in zend_eval_stringl /root/target/php-src/Zend/zend_execute_API.c:1027:4
#8 0x1675e30 in zend_eval_stringl_ex /root/target/php-src/Zend/zend_execute_API.c:1068:11
#9 0x1675e30 in zend_eval_string_ex /root/target/php-src/Zend/zend_execute_API.c:1079
#10 0x1a40e81 in do_cli /root/target/php-src/sapi/cli/php_cli.c:992:4
#11 0x1a3e57b in main /root/target/php-src/sapi/cli/php_cli.c:1351:18
#12 0x7ffff2732b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x45b3b9 in _start (/usr/bin/php+0x45b3b9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
==2726==ABORTING
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Tue Apr 16 21:01:28 2024 UTC |
Thanks for reporting this issue. I can confirm the segfault for dbase 7.0.0 (the only supported version). The fix should be as simple as: Index: dbf_head.c =================================================================== --- dbf_head.c (revision 347486) +++ dbf_head.c (working copy) @@ -31,7 +31,7 @@ efree(dbh); return NULL; } - if ((ret = read(fd, &dbhead, sizeof(dbhead))) <= 0) { + if ((ret = read(fd, &dbhead, sizeof(dbhead))) != sizeof(dbhead)) { efree(dbh); return NULL; } I shall release dbase 7.0.1 as soon as possible.