Newsgroups: php.internals
Message-ID: <40CE0AF9.9070204@cschneid.com>
Date: Mon, 14 Jun 2004 22:30:49 +0200
From: cschneid@cschneid.com (Christian Schneider)
To: ilia@prohost.org
Cc: internals@lists.php.net
In-Reply-To: <200406141354.10937.ilia@prohost.org>
Subject: Re: [PHP-DEV] basename() memory access violation

Ilia Alshanetsky wrote:
> Do you have an example script that can be used to reproduce the supposed
> memory access violation?

The function php_basename actually DOES access the char at s-1, i.e. one byte before the string it is passed. If you hand it a buffer gotten from malloc you get a valgrind hit. If I use emalloc this doesn't happen, I guess emalloc has some header stuff before the allocation. If for whatever reason s[-1] contains '/' then things would get even worse.

Conclusion: The internal function php_basename IS accessing one byte before the buffer passed to it but the PHP environment seems to hide this behaviour.

Is this a bug which should proactively be fixed? Or do we rely on the environment to guarantee that we can access s[-1] without problems? I don't know and it's up to you PHP gods to decide ;-)

- Chris
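
An added illustration of the kind of one-byte under-read the message describes, not PHP's php_basename source: a hypothetical trailing-slash trim with and without an index check, run on constructed buffers in which s[-1] is a defined read. The names trim_unchecked, trim_checked, arena_plain and arena_slash are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not PHP's php_basename source.
 * Each function returns the length left after trailing '/' are stripped
 * from s[0..len) and stores in *lowest the smallest index it read. */

/* Unchecked: the index is never compared with 0, so once every byte of
 * the input has matched '/' the loop goes on to read s[-1]. */
static ptrdiff_t trim_unchecked(const char *s, size_t len, ptrdiff_t *lowest)
{
    ptrdiff_t end = (ptrdiff_t)len;
    for (;;) {
        *lowest = end - 1;
        if (s[end - 1] != '/')
            break;
        end--;
    }
    return end;
}

/* Checked: the index is tested before the byte is read. */
static ptrdiff_t trim_checked(const char *s, size_t len, ptrdiff_t *lowest)
{
    ptrdiff_t end = (ptrdiff_t)len;
    *lowest = end;                 /* stays at len if nothing is read */
    while (end > 0) {
        *lowest = end - 1;
        if (s[end - 1] != '/')
            break;
        end--;
    }
    return end;
}

/* Constructed input: the string "//" sits at offset 2 of a larger array,
 * so negative indices still fall inside the same object. */
static char arena_plain[] = { 'A', 'B', '/', '/', '\0' };
static char arena_slash[] = { 'A', '/', '/', '/', '\0' };

int main(void)
{
    ptrdiff_t low, end;
    end = trim_unchecked(arena_plain + 2, 2, &low);
    printf("s[-1]='B': end=%td lowest index read=%td\n", end, low);
    end = trim_unchecked(arena_slash + 2, 2, &low);
    printf("s[-1]='/': end=%td lowest index read=%td\n", end, low);
    return 0;
}
```

When the byte before the string is not '/', the unchecked version returns the same length as the checked one and only the out-of-bounds read gives it away, which is why a tool such as valgrind on a plain malloc buffer is what surfaces it. When that byte is '/', the returned length goes negative.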