Here are some further functions which directly or indirectly
cause a segfault. In some cases, the prior function
invocation screwed up the engine internals, so that the next
function call resulted in a segfault.
How to reproduce:
1. wget http://schumann.cx/do_crash.txt
2. echo funcname | php do_crash.txt
Function list
ob_start();
socket_iovec_alloc($maxn,$maxn,$maxn);
exif_thumbnail('',$maxs,$maxn);
mb_ereg('',$maxs,$maxn);
mb_ereg_match($maxs);
mb_eregi('',$maxs,$maxn);
mb_split($maxn,$maxn,$maxn);
- Sascha
And some more (the 13 should have been 0 in the script):
bcsub('',$maxn);
dbase_open($maxs,$maxn);
exif_imagetype($maxn);
- Sascha
Extending the list, now also testing with an empty array().
i18n_convert('','',$mina);
mb_convert_encoding('','',$mina);
array_pad($mina,$maxn,$maxn);
setlocale($maxn,$mina,$maxn);
unregister_tick_function($maxn);
xml_parser_create($maxs);
- Sascha
tal@err tal $ php -a
Interactive mode enabled
<?php
echo "foo";
Segmentation fault
--
Tal Peer
tal@php.net
> socket_iovec_alloc($maxn,$maxn,$maxn);
Didn't I fix that one? Where is the overflow in this:
    int i, j, argc = ZEND_NUM_ARGS();

    if(argc>65536) {
        WRONG_PARAM_COUNT;
    }

    args = emalloc(argc*sizeof(zval**));

    if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
        efree(args);
        WRONG_PARAM_COUNT;
    }

    convert_to_long_ex(args[0]);
    num_vectors = Z_LVAL_PP(args[0]);

    if((argc-1) < num_vectors) {
        efree(args);
        WRONG_PARAM_COUNT;
    }

    vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));
It's not like argc can be negative, nor can it be >65536, and the two
sizeof() calls certainly can't overflow... I don't see it.
-Rasmus
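As an added illustration of the kind of check the snippet above performs, here is a stand-alone validation of a caller-supplied vector count before it is used to size an allocation. This is example code written for this thread, not the PHP sources or a patch to them; the function names and the plain-C stand-ins for the Zend macros (the 65536 argc ceiling as MAX_ARGS, a long for the count taken from args[0]) are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/uio.h>

/* Assumed stand-in for the 65536 argc ceiling in the snippet above. */
#define MAX_ARGS 65536
/* Validate a caller-supplied vector count against the argument count and
 * against the allocation it sizes. Returns 0 and writes the byte size to
 * *bytes on success, -1 for any rejected input. */
int iovec_alloc_size(long argc, long num_vectors, size_t *bytes)
{
    if (argc < 1 || argc > MAX_ARGS)
        return -1;                  /* same argc bounds as the snippet */
    if (num_vectors < 0)
        return -1;                  /* a count from user input must be >= 0 */
    if (num_vectors > argc - 1)
        return -1;                  /* one argument per vector, after the count */
    /* Here num_vectors + 1 <= MAX_ARGS, but guard the multiplication anyway
     * so the check does not silently depend on MAX_ARGS staying small. */
    size_t n = (size_t)num_vectors + 1;
    if (n > SIZE_MAX / sizeof(struct iovec))
        return -1;
    *bytes = n * sizeof(struct iovec);
    return 0;
}

/* Allocate the vector array only after the count has been validated. */
struct iovec *alloc_vectors(long argc, long num_vectors)
{
    size_t bytes;
    if (iovec_alloc_size(argc, num_vectors, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);        /* zeroed, so unset entries are harmless */
}

int main(void)
{
    /* Constructed probes in the thread's call shape: three arguments, with
     * args[0] as the count. 2 fits; 0 is allowed; -1 and LONG_MAX are not. */
    long probes[] = { 2, 0, -1, LONG_MAX, 3 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct iovec *v = alloc_vectors(3, probes[i]);
        printf("num_vectors=%ld -> %s\n", probes[i], v ? "ok" : "rejected");
        free(v);
    }
    return 0;
}
```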