#47252 [NEW]: Memory corruption bug in extract()

Fri, 30 Jan 2009 10:31:31 -0800 

From:             a dot boykov at timeweb dot ru
Operating system: Gentoo Linux 2008.0
PHP version:      5.2.8
PHP Bug Type:     Unknown/Other Function
Bug description:  Memory corruption bug in extract()

Description:
------------
In function extract() not the length of a line key always is correctly
defined. 

Sometimes it is calculated incorrectly and any following operation with
this string leads to memory corruption. 

Here an example which has been received at debugging.

name: bDescPageNumbering, len: 6276448

[Fri Jan 30 21:18:08 2009] [notice] child pid 19801 exit signal
Segmentation fault (11)

We are used this patch to fix problem:

--- php-5.2.8/ext/standard/array.c  2009-01-30 21:23:25.000000000 +0300
+++ php-5.2.8/ext/standard/array.c  2009-01-30 21:24:35.000000000 +0300
@@ -1397,6 +1397,9 @@
    key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(var_array),
&var_name, &var_name_len, &num_key, 0, &pos);
    var_exists = 0;

+    if (key_type == HASH_KEY_IS_STRING)
+      var_name_len = strlen(var_name);
+
    if (key_type == HASH_KEY_IS_STRING) {
      var_name_len--;
      var_exists = zend_hash_exists(EG(active_symbol_table), var_name,
var_name_len + 1);


With this patch all works well, but I think it does not exclude a problem
source.

name: bDescPageNumbering, len: 18


-- 
Edit bug report at http://bugs.php.net/?id=47252&edit=1
-- 
Try a CVS snapshot (PHP 5.2):        
http://bugs.php.net/fix.php?id=47252&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):        
http://bugs.php.net/fix.php?id=47252&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):        
http://bugs.php.net/fix.php?id=47252&r=trysnapshot60
Fixed in CVS:                        
http://bugs.php.net/fix.php?id=47252&r=fixedcvs
Fixed in CVS and need be documented: 
http://bugs.php.net/fix.php?id=47252&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=47252&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=47252&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=47252&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=47252&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=47252&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=47252&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=47252&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=47252&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=47252&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=47252&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=47252&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=47252&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=47252&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=47252&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=47252&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=47252&r=mysqlcfg

Reply via email to