Bug #63581 [Opn]: Possible null dereference and buffer overflow

Thu, 22 Nov 2012 17:48:09 -0800 

Edit report at https://bugs.php.net/bug.php?id=63581&edit=1

 ID:                 63581
 Updated by:         ahar...@php.net
 Reported by:        r...@php.net
 Summary:            Possible null dereference and buffer overflow
 Status:             Open
 Type:               Bug
 Package:            FPM related
 Operating System:   GNU/Linux (Fedora 18)
 PHP Version:        5.4.8
-Assigned To:        
+Assigned To:        fat
 Block user comment: N
 Private report:     N

 New Comment:

Jérôme, are you able to have a look at this, please?


Previous Comments:
------------------------------------------------------------------------
[2012-11-22 13:47:34] r...@php.net

I have forget, affected branches: 5.3, 5.4 and 5.5

------------------------------------------------------------------------
[2012-11-22 13:44:03] r...@php.net

See https://github.com/php/php-src/pull/234

------------------------------------------------------------------------
[2012-11-22 13:43:12] r...@php.net

Description:
------------
1. possible null dereference

   => fpm/fpm/fpm_events.c|435|

I'm not familiar with the code, but it seems to be possible NULL dereference.  
Please, consider the situation (on line 425) when the 'q' item is the latest 
one on the list --  q->next does not exist (== NULL). Next, if the 'q' is also 
fpm_event_queue_timer (I'm not sure if this may occur?), program will crash on 
NULL dereference.


2. Same situation -> null dereference

   => fpm/fpm/fpm_events.c|191|

Consider the queue length of 1.  Than the condition (q == *queue) (line 189) 
must be true ~~> *queue = q->next (this is NULL) ~~> NULL->prev = NULL

Again, I'm not sure if there may exist queue of single item.


3. off-by-one(two) (low prio)

   => fpm/fpm/fpm_log.c|459|

The 'len' may be up to 1025 on this line.  On line 149, consider 'len' to be 
equal to 1024 - program then continues down to line 453 where the 'len' is 
incremented.

The problem could only occurs if, after increment (ligne 453), loop is
not entered again. So when produced buffer is "exactly" 1024" or "1025".


Test script:
---------------
This issues where found from by static code analysis tool and, so, I can't 
provide any reproducer.




------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=63581&edit=1

Reply via email to