ID: 12227
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Assigned
+Status: Closed
Bug Type: Output Control
Operating System: Linux 2.2.16-SMP
PHP Version: 4.2.0-dev
Assigned To: yohgaki

New Comment:
This bug has been fixed in CVS. You can grab a snapshot of the CVS version at http://snaps.php.net/

Previous Comments:
------------------------------------------------------------------------

[2002-04-05 05:19:32] [EMAIL PROTECTED]

The following test case even crashes PHP4. It seems if you assign a value to the given parameter (here $s) which is larger than the original, it will crash. Copying the input into a separate variable and working with that is a workaround. Still, this simple buffer overflow ought to be easy to fix?

Using 4.1.1 (build Dec 30, 2001):

    ob_start( "handler" );

    function handler( $s ) {
        $s = $s."foobar foobar foobar";
        return $s;
    }

------------------------------------------------------------------------

[2002-02-12 22:38:01] [EMAIL PROTECTED]

The last patch that I mentioned still has a problem with a simple output handler like

    function ob_handler($buffer) {
        $result = $buffer;
        return $result;
    }

This could happen easily when the user conditionally converts the buffer.... To fix this segfault completely, it seems I have to copy the buffer before passing it to the user-defined output handler.

------------------------------------------------------------------------

[2002-02-07 02:29:33] [EMAIL PROTECTED]

Anyone who is interested in this problem: here is a patch for this problem. This should solve the unwanted free for this specific case. The question is, do we really want this?

Index: main/output.c
===================================================================
RCS file: /repository/php4/main/output.c,v
retrieving revision 1.84
diff -u -r1.84 output.c
--- main/output.c	7 Feb 2002 02:50:28 -0000	1.84
+++ main/output.c	7 Feb 2002 06:31:35 -0000
@@ -164,7 +164,7 @@
 ALLOC_INIT_ZVAL(orig_buffer);
 ZVAL_STRINGL(orig_buffer, OG(active_ob_buffer).buffer, OG(active_ob_buffer).text_length, 0);
 orig_buffer->refcount=2; /* don't let call_user_function() destroy our buffer */
-orig_buffer->is_ref=1;
+orig_buffer->is_ref=0;
 ALLOC_INIT_ZVAL(z_status);
 ZVAL_LONG(z_status, status);

------------------------------------------------------------------------

[2002-02-05 18:28:22] [EMAIL PROTECTED]

Easy one to fix :)

    <?php
    ob_start("my_flush");

    function my_flush($buffer) {
        $buffer = preg_replace("/(<!--REPLACE\\s.*?-->)/e", "parse(\"\\1\")", $buffer);
        return $buffer;
    }
    ?>

/home/yohgaki/public_html/bugs/12227/bug.php(9) : Warning - String is not zero-terminated (ZZZZZZZZZZZZZZ

------------------------------------------------------------------------

[2002-01-02 18:48:32] [EMAIL PROTECTED]

The same issue was submitted recently and it seems there is a problem.

To Reporter: Do not change the parameter passed, but assign to a new var and return the new var to prevent the segfault for now. Please update PHP Version if you have tried with newer PHP.

Assigned to myself so that I don't forget this.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/12227
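Review bot: on the 2002-02-07 main/output.c hunk, flipping is_ref from 1 to 0 only changes whether the user handler receives orig_buffer by reference; the zval still wraps OG(active_ob_buffer).buffer directly, because the ZVAL_STRINGL context line passes duplicate flag 0, and the refcount=2 line only absorbs one decrement. Any path in the user handler that separates or destroys that zval (the `$result = $buffer; return $result;` case from the 2002-02-12 follow-up) therefore still ends up freeing or reallocating engine-owned buffer memory, which is the crash class this report describes. Suggest giving the handler its own copy instead, i.e. ZVAL_STRINGL(orig_buffer, ..., 1) or an estrndup of the buffer, as that follow-up concludes, and updating the `/* don't let call_user_function() destroy our buffer */` comment to say why is_ref must now be 0 rather than leaving the intent of the one-line change undocumented.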
