Bug #79584 Segmentation fault in uploadprogress 1.1.0 and up
Submitted: 2020-05-11 07:48 UTC
Modified: 2020-05-11 08:55 UTC
Avg. Score: 4.7 ± 0.5
Reproduced: 3 of 3 (100.0%)
Same Version: 0 (0.0%)
Same OS: 2 (66.7%)
From: petrifiedrowan at gmail dot com
Assigned: ramsey
Status: Assigned
Package: uploadprogress (PECL)
PHP Version: 7.4.5
OS: CentOS 7 x86_64
Private report: No
CVE-ID: None


 [2020-05-11 07:48 UTC] petrifiedrowan at gmail dot com
When uploadprogress_get_info is called when using uploadprogress 1.1.0 and up (such as the remi-safe build of 1.1.3), sometimes a segmentation fault occurs. This crash is difficult to reproduce with a minimal test case but happens nearly every time the proprietary archive software I develop uses this function.

I've tracked the crash down to the following commit:

I'm not sure what the intent of this change was but I have a pretty good idea of why it's crashing: char **upload_id is allocated at line 108 and then every usage of *upload_id afterward treats uninitialized data in the allocated buffer as if it points to a valid char buffer (when presumably the allocated buffer was meant to be written to instead).

I've tested building from various commits prior to this commit and none of them cause the crash in my software.

Test script:
I've written an example here, but it isn't very useful. This generally doesn't reproduce the crash unless some large external script is included at the beginning.


79584-fix-upload_id-crash.patch (last revision 2020-05-13 05:15 UTC by



 [2020-05-11 08:55 UTC]
-Assigned To: +Assigned To: ramsey
 [2020-05-13 05:15 UTC]
The following patch has been added/updated:

Patch Name: 79584-fix-upload_id-crash.patch
Revision:   1589346905
 [2020-05-13 05:16 UTC]
Thanks for the report.  The code in question is obviously wrong.  I attached a patch that should fix the issue.
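
The pointer-level mistake described in the report, reduced to an added C example (not the extension's code and not the attached patch, whose contents are not shown on this page). The names `dirty_alloc`, `buggy_slot_value`, `fixed_copy_id` and the sample id are constructed; the 0xAA fill is an assumption standing in for stale heap bytes, and the `char *` version is one plausible correction.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed helper: malloc() plus a 0xAA fill, standing in for a heap
 * chunk that still holds bytes left over from an earlier allocation. */
static void *dirty_alloc(size_t n)
{
    void *p = malloc(n);
    if (p) memset(p, 0xAA, n);
    return p;
}

/* Pattern from the report: the buffer is declared char **, so *upload_id
 * is whatever bytes the chunk already held, not a pointer to a string.
 * This function only returns that value as an integer; code that uses
 * *upload_id as a string would dereference it. */
static uintptr_t buggy_slot_value(const char *src)
{
    size_t n = strlen(src) + 1;          /* sized for the string ... */
    char **upload_id = dirty_alloc(n);
    uintptr_t v = 0;
    if (!upload_id) return 0;
    memcpy(&v, upload_id, n < sizeof v ? n : sizeof v); /* ... read as a pointer */
    free(upload_id);
    return v;
}

/* Assumed correction: the buffer itself is the string, so declare it
 * char * and write the id into it before anything reads it. */
static char *fixed_copy_id(const char *src)
{
    size_t n = strlen(src) + 1;
    char *upload_id = dirty_alloc(n);
    if (!upload_id) return NULL;
    memcpy(upload_id, src, n);           /* includes the terminating NUL */
    return upload_id;                    /* caller frees */
}

int main(void)
{
    const char *id = "constructed-upload-id";   /* constructed sample input */
    char *copy = fixed_copy_id(id);
    printf("buggy *upload_id = %#jx\n", (uintmax_t)buggy_slot_value(id));
    printf("fixed upload_id  = %s\n", copy ? copy : "(alloc failed)");
    free(copy);
    return 0;
}
```

Because the value in the slot depends on what the heap chunk held before, a crash from this pattern varies with the process's earlier allocations.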
Last updated: Sun Feb 28 04:01:23 2021 UTC