ID: 20927
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Assigned
Bug Type: Strings related
Operating System: Red Hat Linux 8.0 on Intel
-PHP Version: 4.3.0RC2
+PHP Version: 4.3.0RC3
Assigned To: derick
New Comment:
Okay, now I could verify this (with 4.3.0RC3). Going to fix this
soonish.
Previous Comments:
------------------------------------------------------------------------
[2002-12-11 20:15:23] [EMAIL PROTECTED]
A more dramatic example: The following script, under PHP 4.1.2,
prints:
Length of original string: 130
Length of break string: 11264
Length of wrapped string: 214127
Size allocated by 4.3.0RC2: 173596
BUFFER OVERFLOW by 40531 bytes!
With 4.3.0RC2, it segfaults.
--
David.
<?php
// Build a 130-byte input: ten copies of a 13-byte fragment.
$part = "1234567890 X ";
$string = "";
for ($i=0; $i<10; $i++) {
    $string .= $part;
}
// Double the 44-byte break string eight times: 44 * 256 = 11264 bytes.
$break = "a-very-long-break-string-to-clobber-the-heap";
for ($i=0; $i<8; $i++) {
    $break .= $break;
}
$linelength = 10;
// Cut mode (last argument 1) also breaks inside words longer than $linelength.
$wrapped = wordwrap($string, $linelength, $break, 1);
$textlen = strlen($string);
print("Length of original string: $textlen\n");
$breakcharlen = strlen($break);
print("Length of break string: $breakcharlen\n");
$newtextlen = strlen($wrapped);
print("Length of wrapped string: $newtextlen\n");
// Allocation size this report attributes to 4.3.0RC2: room for
// textlen/linelength + 1 breaks plus a 10% margin.
$buffer = $textlen +
    intval(($textlen/$linelength + 1) * $breakcharlen * 1.1) +
    1;
print("Size allocated by 4.3.0RC2: $buffer\n");
$overflow = $newtextlen - $buffer;
if ($overflow > 0) {
    print("BUFFER OVERFLOW by $overflow bytes!\n");
}
?>
------------------------------------------------------------------------
[2002-12-11 15:01:15] [EMAIL PROTECTED]
Ah, the bug might not show up on Red Hat 7.1, probably because of glibc
differences. Anyway, here's my system:
$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --host=i386-redhat-linux --with-system-zlib
--enable-__cxa_atexit
Thread model: posix
gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
$ ldd /usr/local/bin/php
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002f000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4005d000)
libm.so.6 => /lib/i686/libm.so.6 (0x4006f000)
libdl.so.2 => /lib/libdl.so.2 (0x40091000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40094000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
$ rpm -q glibc
glibc-2.2.93-5
Regards,
David.
------------------------------------------------------------------------
[2002-12-11 14:52:13] [EMAIL PROTECTED]
I'm running RedHat 7.1, and the last script still doesn't crash for me,
and no output from valgrind at all...
gcc = 2.96 (stock redhat 7.1)
What is your gcc version?
Derick
------------------------------------------------------------------------
[2002-12-11 14:43:18] [EMAIL PROTECTED]
Are you running on Red Hat 8.0?
I consistently get a crash. It's also obvious that the buffer
allocated is 135 bytes, and the length of the wrapped string is 138.
So if you're not getting a crash, it's just luck. Try this script
instead:
<?php
// Input containing words longer than the 20-byte line length.
$x = "ADV:CLAIM YOUR FORTUNE NOW !!MAKE";
$x .= " xxxxxxxxxxHUNDREDS OF THOUSANDSxxxxxxxxxxxx";
$b = "CANITBREAKFOO";
// Wrap in cut mode 1000 times so the undersized allocation is hit repeatedly.
for ($i=0; $i<1000; $i++) {
    $y = wordwrap($x, 20, $b, 1);
}
?>
That should exercise malloc() a lot more.
------------------------------------------------------------------------
[2002-12-11 14:38:23] [EMAIL PROTECTED]
I still can't get it to crash here though, even with your configure
line and scripts. Valgrind doesn't report anything either.
------------------------------------------------------------------------
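An added example, not code from the bug report or from PHP itself: a Python port of the PHP 4.3 wordwrap() loop (the general multi-character-break path, as I recall it from ext/standard/string.c), the RC2 allocation estimate taken from David's first script above, and an upper bound derived from the loop. Run on the report's own input it reproduces the 214127-byte result and the 40531-byte overrun; the safe_bound function is this editor's derivation, not the fix that went into 4.3.0.

```python
# Added example (not from the bug report): a Python port of the PHP 4.3
# wordwrap() loop, used to compare output length against the RC2 estimate.

def php_wordwrap(text, linelength, breakchar, cut):
    out, laststart, lastspace, n, blen = [], 0, 0, len(text), len(breakchar)
    current = 0
    while current < n:
        # an existing break in the input is copied through and resets the line
        if text.startswith(breakchar, current) and current + blen < n:
            out.append(text[laststart:current + blen])
            current += blen - 1
            laststart = lastspace = current + 1
        elif text[current] == " ":
            if current - laststart >= linelength:  # space at line boundary
                out.append(text[laststart:current] + breakchar)
                laststart = current + 1
            lastspace = current
        elif current - laststart >= linelength and cut and laststart >= lastspace:
            out.append(text[laststart:current] + breakchar)  # cut inside a word
            laststart = lastspace = current
        elif current - laststart >= linelength and laststart < lastspace:
            out.append(text[laststart:lastspace] + breakchar)  # back up to space
            laststart = lastspace = lastspace + 1
        current += 1
    out.append(text[laststart:current])  # stragglers
    return "".join(out)

def rc2_estimate(textlen, linelength, blen):
    # allocation quoted in the report for 4.3.0RC2 (PHP '/' is float division)
    return textlen + int((textlen / linelength + 1) * blen * 1.1) + 1

def safe_bound(textlen, linelength, blen):
    # Each branch that emits a break advances laststart by >= 1 input byte, so
    # at most textlen breaks, plus the NUL. Editor's bound, not the 4.3.0 fix.
    assert linelength >= 1
    return textlen * (blen + 1) + 1

def overflow_report(text, linelength, breakchar):
    wrapped = php_wordwrap(text, linelength, breakchar, True)
    est = rc2_estimate(len(text), linelength, len(breakchar))
    return {"wrapped": len(wrapped), "rc2_alloc": est,
            "overflow": max(0, len(wrapped) - est),
            "safe_alloc": safe_bound(len(text), linelength, len(breakchar))}

if __name__ == "__main__":
    # constructed input: the strings from the report's first script above
    text = "1234567890 X " * 10
    brk = "a-very-long-break-string-to-clobber-the-heap" * 256
    print(overflow_report(text, 10, brk))  # overflow: 40531
```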
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/20927