PHP :: Bug #79584 :: Segmentation fault in uploadprogress 1.1.0 and up

Bug #79584

Segmentation fault in uploadprogress 1.1.0 and up

Submitted:

2020-05-11 07:48 UTC

Modified:

2020-05-11 08:55 UTC

Votes:	4
Avg. Score:	4.8 ± 0.4
Reproduced:	4 of 4 (100.0%)
Same Version:	0 (0.0%)
Same OS:	2 (50.0%)

From:

petrifiedrowan at gmail dot com

Assigned:

ramsey (profile)

Status:

Closed

Package:

uploadprogress (PECL)

PHP Version:

7.4.5

OS:

CentOS 7 x86_64

Private report:

CVE-ID:

None

View Developer Edit

[2020-05-11 07:48 UTC] petrifiedrowan at gmail dot com

Description:
------------
When uploadprogress_get_info is called when using uploadprogress 1.1.0 and up (such as the remi-safe build of 1.1.3), sometimes a segmentation fault occurs. This crash is difficult to reproduce with a minimal test case but happens nearly every time the proprietary archive software I develop uses this function.

I've tracked the crash down to the following commit:

https://github.com/php/pecl-php-uploadprogress/commit/e12376f7fd51e386aa8c9be922732e389c1eee7a

I'm not sure what the intent of this change was but I have a pretty good idea of why it's crashing: char **upload_id is allocated at line 108 and then every usage of *upload_id afterward treats uninitialized data in the allocated buffer as if it points to a valid char buffer (when presumably the allocated buffer was meant to be written to instead).

I've tested building from various commits prior to this commit and none of them cause the crash in my software.

Test script:
---------------
I've written an example here, but it isn't very useful. This generally doesn't reproduce the crash unless some large external script is included at the beginning.

https://gist.github.com/AliceLR/83b9386abb962486118578d6e99a5791

Patches

79584-fix-upload_id-crash.patch (last revision 2020-05-13 05:15 UTC by ondrej@php.net)

Pull Requests

Pull requests:

Fix #79584: Segmentation fault in uploadprogress 1.1.0 and up (pecl-php-uploadprogress/9)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-05-11 08:55 UTC] cmb@php.net

-Assigned To: +Assigned To: ramsey

[2020-05-13 05:15 UTC] ondrej@php.net

The following patch has been added/updated:

Patch Name: 79584-fix-upload_id-crash.patch
Revision:   1589346905
URL:        https://bugs.php.net/patch-display.php?bug=79584&patch=79584-fix-upload_id-crash.patch&revision=1589346905

[2020-05-13 05:16 UTC] ondrej@php.net

Thanks for the report.  The code in question is obviously wrong.  I attached a patch that should fix the issue.

[2021-04-08 18:23 UTC] dev at andreas-ziegler dot de

i also experienced this issue on Debian 10 (Apache 2.4.38, PHP 7.3.27)
thanks to the patch from Ondrej, the issue is gone.

[2021-08-31 12:13 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #79584: Segmentation fault in uploadprogress 1.1.0 and up
On GitHub:  https://github.com/php/pecl-php-uploadprogress/pull/9
Patch:      https://github.com/php/pecl-php-uploadprogress/pull/9.patch

[2021-09-28 18:48 UTC] git@php.net

Automatic comment on behalf of cmb69
Revision: https://github.com/php/pecl-php-uploadprogress/commit/b0e5f122b45ddbf7d7475b927e148d6dd5bf3c86
Log: Fix #79584: Segmentation fault in uploadprogress 1.1.0 and up

[2021-09-28 18:48 UTC] git@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Jul 14 21:01:33 2025 UTC