Bug #81563 SIGSEGV reading dbase file with few data
Submitted: 2021-10-28 20:54 UTC
Modified: 2021-10-29 12:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ckoinig at codegraft dot com
Assigned: cmb
Status: Closed
Package: dbase (PECL)
PHP Version: Irrelevant
OS: any
Private report: No
CVE-ID: None
 [2021-10-28 20:54 UTC] ckoinig at codegraft dot com
Description:
------------
The dbf included in the testscript below causes a SIGSEGV (null pointer de-reference) in php_dbase_get_record. 

On cursory debugging it appears that EOF is encountered while reading the file which leaves db_format as NULL.

It's possible that the dbase is invalid, however it opens fine in various applications, for example dbview.



Test script:
---------------
<?php
// write temp. dbase file
$data = base64_decode('A3cBEAEAAACBAB0AAAAAAAAAAAAAAAAAAAAAAAAAAABTQ0hMQUdOUgAAAE4AAAAACgAAAAAAAAAAAAAAAAAAAFRFSUxTQ0hMQUcAQwAAAAACAAAAAAAAAAAAAAAAAAAARkxJSwAAAAAAAABDAAAAABAAAAAAAAAAAAAAAAAAAAANICAgICAgMTIzNDVhIERFTldMSTA1NDYxMzI3Nzca');
$tmpFile = tmpfile();
fwrite($tmpFile, $data);
fflush($tmpFile);
$path = stream_get_meta_data($tmpFile)['uri'];

$db = dbase_open($path, 0);

$n = dbase_numrecords($db);
for ($index=1; $index<=$n; $index++) {
    // crash here
    $record = dbase_get_record_with_names($db, $index);
    print_r($record);
}
dbase_close($db);

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff561cb4c in php_dbase_get_record (return_value=0x7ffff5414ec0, assoc=1, execute_data=<optimized out>)
    at /tmp/pecl-database-dbase/dbase.c:456
456			if (*cur_f->db_format) {
(gdb) bt
#0  0x00007ffff561cb4c in php_dbase_get_record (return_value=0x7ffff5414ec0, assoc=1, execute_data=<optimized out>)
    at /tmp/pecl-database-dbase/dbase.c:456
#1  0x00007ffff563607d in xdebug_execute_internal (current_execute_data=0x7ffff5415020, return_value=0x7ffff5414ec0) at ./build-7.4/src/base/base.c:897
#2  0x0000555555883ebb in execute_ex ()
#3  0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414cd0) at ./build-7.4/src/base/base.c:779
#4  0x00005555557ee5df in zend_call_function ()
#5  0x0000555555731dff in ?? ()
#6  0x00007ffff563607d in xdebug_execute_internal (current_execute_data=0x7ffff5414c60, return_value=0x7ffff5414c50) at ./build-7.4/src/base/base.c:897
#7  0x0000555555883ebb in execute_ex ()
#8  0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414980) at ./build-7.4/src/base/base.c:779
#9  0x0000555555883e08 in execute_ex ()
#10 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54148f0) at ./build-7.4/src/base/base.c:779
#11 0x0000555555883e08 in execute_ex ()
#12 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414840) at ./build-7.4/src/base/base.c:779
#13 0x0000555555883e08 in execute_ex ()
#14 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5414770) at ./build-7.4/src/base/base.c:779
#15 0x0000555555883e08 in execute_ex ()
#16 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54145c0) at ./build-7.4/src/base/base.c:779
#17 0x0000555555883e08 in execute_ex ()
#18 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54141b0) at ./build-7.4/src/base/base.c:779
#19 0x0000555555883e08 in execute_ex ()
#20 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5413350) at ./build-7.4/src/base/base.c:779
#21 0x0000555555883c8e in execute_ex ()
#22 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff54131f0) at ./build-7.4/src/base/base.c:779
#23 0x0000555555883c8e in execute_ex ()
#24 0x00007ffff56357d2 in xdebug_execute_ex (execute_data=0x7ffff5413020) at ./build-7.4/src/base/base.c:779
#25 0x0000555555886cab in zend_execute ()
#26 0x00005555557fd1fc in zend_execute_scripts ()
#27 0x000055555579c930 in php_execute_script ()
#28 0x0000555555888dea in ?? ()
#29 0x0000555555661ec8 in ?? ()


 [2021-10-29 12:17 UTC] cmb@php.net
-Summary: SIGSEGV reading dbase file
+Summary: SIGSEGV reading dbase file with few data
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb
 [2021-10-29 12:17 UTC] cmb@php.net
Thanks for reporting this issue!  The .dbf is perfectly fine, but
the actual data are just so few that it triggers an erroneous
edge-case of the fix for bug #78668.
 [2021-10-29 15:37 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/pecl-database-dbase/commit/4259c681c11fe60c9347d79a573b95c7ea2c5b4e
Log: Fix #81563: SIGSEGV reading dbase file with few data
 [2021-10-29 15:37 UTC] git@php.net
-Status: Verified
+Status: Closed
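
The reporter traces the crash to EOF being hit while the file is read, after which a field's db_format is still NULL when php_dbase_get_record dereferences it. As an added example (not code from pecl-database-dbase or from this report), the following bounds-checked dBASE III header parser rejects truncated or self-contradictory input outright and never hands back partly initialised field data, while still accepting a valid file that holds a single record. The struct and function names, the 8-field limit and the sample file are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define HDR 32u       /* fixed file header size */
#define FLD 32u       /* size of one field descriptor */
#define MAX_FIELDS 8  /* example limit (assumption) */
struct dbf_field { char name[12]; char type; uint8_t len; };
struct dbf_info { uint32_t nrecords; uint16_t hdr_len, rec_len; int nfields;
                  struct dbf_field fields[MAX_FIELDS]; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns 0 and fills *out, or -1 (leaving *out untouched) when the buffer
 * is truncated or the header contradicts itself. */
int dbf_parse(const uint8_t *buf, size_t len, struct dbf_info *out)
{
    struct dbf_info d = {0};
    size_t off = HDR, sum = 1;                  /* 1 = deletion-flag byte */
    if (len < HDR + 1) return -1;
    d.nrecords = le16(buf + 4) | (uint32_t)le16(buf + 6) << 16;
    d.hdr_len = le16(buf + 8);
    d.rec_len = le16(buf + 10);
    if (d.hdr_len < HDR + 1 || d.hdr_len > len) return -1;
    while (buf[off] != 0x0D) {                  /* 0x0D ends the field list */
        /* a whole descriptor plus the terminator must fit in the header */
        if (d.nfields == MAX_FIELDS || d.hdr_len - off < FLD + 1) return -1;
        struct dbf_field *f = &d.fields[d.nfields++];
        memcpy(f->name, buf + off, 11);         /* name[11] stays NUL */
        f->type = (char)buf[off + 11];
        f->len = buf[off + 16];
        sum += f->len;
        off += FLD;
    }
    if (d.nfields == 0 || sum != d.rec_len) return -1;
    if ((len - d.hdr_len) / d.rec_len < d.nrecords) return -1; /* short data */
    *out = d;
    return 0;
}

/* Constructed sample: one C(4) field "ID", one record, EOF marker. */
size_t dbf_sample(uint8_t *b)                   /* b holds >= 71 bytes */
{
    memset(b, 0, 71);
    b[0] = 0x03; b[4] = 1; b[8] = 65; b[10] = 5; /* 1 record, hdr 65, rec 5 */
    memcpy(b + 32, "ID", 2); b[43] = 'C'; b[48] = 4; b[64] = 0x0D;
    memcpy(b + 65, "   42", 5); b[70] = 0x1A;
    return 71;
}
```

The caller sees either a fully populated `dbf_info` or an error, so no later code path can reach a field whose members were never set.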
Last updated: Mon Jul 22 16:01:29 2024 UTC