From:             remi
Operating system: GNU/Linux (Fedora 18)
PHP version:      5.4.8
Package:          FPM related
Bug Type:         Bug
Bug description:  Possible null dereference and buffer overflow

Description:
------------
1. possible null dereference

   => fpm/fpm/fpm_events.c|435|

I'm not familiar with the code, but it seems to be a possible NULL
dereference.  Please consider the situation (on line 425) when the 'q'
item is the last one on the list -- q->next does not exist (== NULL).
Next, if the 'q' is also fpm_event_queue_timer (I'm not sure if this may
occur?), the program will crash on a NULL dereference.


2. Same situation -> null dereference

   => fpm/fpm/fpm_events.c|191|

Consider a queue length of 1.  Then the condition (q == *queue) (line
189) must be true ~~> *queue = q->next (this is NULL) ~~> NULL->prev =
NULL

Again, I'm not sure whether a queue of a single item may exist.
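Both items above describe the same pattern: unlinking a node from a doubly-linked queue without first checking that the neighbour being updated exists. The following is an added example (not the reporter's code and not the fpm_events.c implementation; the node layout, function names and the 'queue' head-pointer argument are assumptions) showing an unlink routine that guards every neighbour dereference, so removing the only node of a one-item queue, or the tail of a longer one, leaves a consistent list instead of touching NULL->prev. demo_remove() builds a list, removes one node and re-walks the list to verify the prev/next links.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed doubly-linked queue node for illustration; it only mimics the
 * prev/next shape the report describes and is not the fpm_events.c type. */
struct qnode {
    int id;
    struct qnode *prev;
    struct qnode *next;
};

/* Append n at the tail of the list whose head is *queue. */
void queue_push(struct qnode **queue, struct qnode *n)
{
    struct qnode *tail = *queue;
    n->next = NULL;
    if (tail == NULL) {
        n->prev = NULL;
        *queue = n;
        return;
    }
    while (tail->next != NULL)
        tail = tail->next;
    tail->next = n;
    n->prev = tail;
}

/* Unlink q from the list whose head is *queue. Both neighbour pointers are
 * tested before being dereferenced, so removing the head of a one-item list
 * (q == *queue and q->next == NULL) or the tail of a longer one is safe.
 * Returns 1 if q was found and removed, 0 otherwise. */
int queue_remove(struct qnode **queue, struct qnode *q)
{
    if (queue == NULL || q == NULL)
        return 0;
    for (struct qnode *cur = *queue; cur != NULL; cur = cur->next) {
        if (cur != q)
            continue;
        if (q->prev != NULL)
            q->prev->next = q->next;
        else
            *queue = q->next;          /* q was the head; the new head may be NULL */
        if (q->next != NULL)           /* guard: q may be the tail */
            q->next->prev = q->prev;
        q->prev = q->next = NULL;
        return 1;
    }
    return 0;
}

/* Walk forwards, verifying every prev link against the node actually visited
 * before it. Returns the length, or -1 if the links are inconsistent. */
long queue_check(const struct qnode *head)
{
    long n = 0;
    const struct qnode *prev = NULL;
    for (const struct qnode *cur = head; cur != NULL; prev = cur, cur = cur->next) {
        if (cur->prev != prev)
            return -1;
        n++;
    }
    return n;
}

/* Build a list of 'count' nodes, remove the one at position 'which' and
 * return the verified remaining length (-1 on bad input or a corrupted list). */
long demo_remove(int count, int which)
{
    if (count <= 0 || which < 0 || which >= count)
        return -1;
    struct qnode *nodes = calloc((size_t)count, sizeof *nodes);
    if (nodes == NULL)
        return -1;
    struct qnode *head = NULL;
    for (int i = 0; i < count; i++) {
        nodes[i].id = i;
        queue_push(&head, &nodes[i]);
    }
    long result = queue_remove(&head, &nodes[which]) ? queue_check(head) : -1;
    free(nodes);
    return result;
}

int main(void)
{
    /* The case from the report: a one-item queue whose only node is removed. */
    printf("one-item queue after removal: length %ld\n", demo_remove(1, 0));
    printf("tail removed from 3-item queue: length %ld\n", demo_remove(3, 2));
    return 0;
}
```

The two guards in queue_remove() are the whole point: the head case must tolerate q->next being NULL (the single-item queue of item 2), and the tail case must skip the q->next->prev update entirely (item 1).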


3. off-by-one (two) (low prio)

   => fpm/fpm/fpm_log.c|459|

The 'len' may be up to 1025 on this line.  On line 149, consider 'len' to
be equal to 1024 - the program then continues down to line 453 where 'len'
is incremented.

The problem can only occur if, after the increment (line 453), the loop is
not entered again, i.e. when the produced buffer is exactly 1024 or 1025.


Test script:
---------------
These issues were found by a static code analysis tool, so I can't
provide any reproducer.



-- 
Edit bug report at https://bugs.php.net/bug.php?id=63581&edit=1