From: crrodriguez at suse dot de Operating system: Linux PHP version: 5CVS-2007-08-21 (CVS) PHP Bug Type: Reproducible crash Bug description: glob() crashes and/or accepts way too many flags
Description: ------------ the glob() function crashes when you pass GLOB_ALTDIRFUNC (512) as a a flag, in short glob should only accept the flags it really supports . Reproduce code: --------------- ./php5/sapi/cli/php -r 'var_dump(glob("*",512));' Expected result: ---------------- only the supported options whitelisted and/or at least GLOB_ALTDIRFUNC and GLOB_APPEND blacklisted. Actual result: -------------- gdb --args ./php5/sapi/cli/php -r 'var_dump(glob("*",512));' GNU gdb 6.5 Copyright (C) 2006 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "x86_64-suse-linux"...Using host libthread_db library "/lib64/libthread_db.so.1". (gdb) run Starting program: /home/cristian/php5/sapi/cli/php -r var_dump\(glob\(\"\*\",512\)\)\; Program received signal SIGSEGV, Segmentation fault. 0x0000000000000000 in ?? () (gdb) bt full #0 0x0000000000000000 in ?? () No symbol table info available. #1 0x00002b8a1b81ad62 in glob_in_dir () from /lib64/libc.so.6 No symbol table info available. #2 0x00002b8a1b81b9bd in glob64 () from /lib64/libc.so.6 No symbol table info available. #3 0x000000000060fff1 in zif_glob (ht=2, return_value=0xc968d8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/cristian/php5/ext/standard/dir.c:417 cwd_skip = 0 pattern = 0xc96880 "*" pattern_len = 1 flags = 512 globbuf = {gl_pathc = 0, gl_pathv = 0x0, gl_offs = 0, gl_flags = 0, gl_closedir = 0, gl_readdir = 0, gl_opendir = 0, gl_lstat = 0, gl_stat = 0} n = 0 ret = -1877809728 #4 0x00000000007319d6 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff9012e640) at /home/cristian/php5/Zend/zend_vm_execute.h:200 return_reference = 0 '\0' opline = (zend_op *) 0xc965d0 original_return_value = (zval **) 0xb208d0 current_scope = (zend_class_entry *) 0x0 current_this = (zval *) 0x0 return_value_used = 1 should_change_scope = 0 '\0' ctor_opline = (zend_op *) 0x50072fb1b #5 0x0000000000738190 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff9012e640) at /home/cristian/php5/Zend/zend_vm_execute.h:1681 opline = (zend_op *) 0xc965d0 fname = (zval *) 0xc96600 #6 0x000000000073141e in execute (op_array=0xc96288) at /home/cristian/php5/Zend/zend_vm_execute.h:92 execute_data = {opline = 0xc965d0, function_state = {function_symbol_table = 0x0, function = 0xb208f0, reserved = {0x7fff9012e690, 0x0, 0x0, 0x0}}, fbc = 0x0, ---Type <return> to continue, or q <return> to quit--- op_array = 0xc96288, object = 0x0, Ts = 0x7fff9012e5c0, CVs = 0x7fff9012e5b0, original_in_execution = 0 '\0', symbol_table = 0xadc528, prev_execute_data = 0x0, old_error_reporting = 0x0} #7 0x00000000006f87dd in zend_eval_string (str=0x7fff90130f4b "var_dump(glob(\"*\",512));", retval_ptr=0x0, string_name=0x84052c "Command line code") at /home/cristian/php5/Zend/zend_execute_API.c:1171 local_retval_ptr = (zval *) 0x0 original_return_value_ptr_ptr = (zval **) 0x0 original_opline_ptr = (zend_op **) 0x0 pv = {value = {lval = 13194888, dval = 6.5191408615229139e-317, str = {val = 0xc95688 "var_dump(glob(\"*\",512));", len = 24}, ht = 0xc95688, obj = {handle = 13194888, handlers = 0x18}}, refcount = 13384816, type = 6 '\006', is_ref = 0 '\0'} new_op_array = (zend_op_array *) 0xc96288 original_active_op_array = (zend_op_array *) 0x0 original_function_state_ptr = (zend_function_state *) 0x0 original_handle_op_arrays = 1 '\001' retval = 0 #8 0x00000000006f8981 in zend_eval_string_ex (str=0x7fff90130f4b "var_dump(glob(\"*\",512));", retval_ptr=0x0, string_name=0x84052c "Command line code", handle_exceptions=1) at /home/cristian/php5/Zend/zend_execute_API.c:1205 result = 0 #9 0x000000000078e8dd in main (argc=3, argv=0x7fff9012ec18) at /home/cristian/php5/sapi/cli/php_cli.c:1179 __orig_bailout = (jmp_buf *) 0x0 __bailout = {{__jmpbuf = {47872153828320, -69669401190941675, 0, 140735610547216, 0, 0, -69669401190944539, -69801448083912037}, __mask_was_saved = 0, __saved_mask = { __val = {0, 0, 140735610546528, 0, 0, 0, 0, 0, 47872151728128, 47872171956992, 47872153830976, 47872153832832, 281474976710656, 0, 0, 0}}}} exit_status = 0 c = -1 file_handle = {type = 2 '\002', filename = 0x8404d5 "-", opened_path = 0x0, handle = {fd = 464262784, fp = 0x2b8a1bac1680, stream = {handle = 0x2b8a1bac1680, reader = 0x2b8a1b794d80 <data.7078+64800>, closer = 0x40e9e0, fteller = 0x100000000, interactive = 1955}}, free_filename = 0 '\0'} behavior = 6 reflection_what = 0x0 orig_optind = 1 ---Type <return> to continue, or q <return> to quit--- orig_optarg = 0x0 arg_free = 0x7fff90130f4b "var_dump(glob(\"*\",512));" arg_excp = (char **) 0x7fff9012ec28 script_file = 0x0 interactive = 0 module_started = 1 request_started = 1 lineno = 0 exec_direct = 0x7fff90130f4b "var_dump(glob(\"*\",512));" exec_run = 0x0 exec_begin = 0x0 exec_end = 0x0 param_error = 0x0 hide_argv = 0 ini_entries_len = 110 -- Edit bug report at http://bugs.php.net/?id=42365&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=42365&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=42365&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=42365&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=42365&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=42365&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=42365&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=42365&r=needscript Try newer version: http://bugs.php.net/fix.php?id=42365&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=42365&r=support Expected behavior: http://bugs.php.net/fix.php?id=42365&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=42365&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=42365&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=42365&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=42365&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=42365&r=dst IIS Stability: http://bugs.php.net/fix.php?id=42365&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=42365&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=42365&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=42365&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=42365&r=mysqlcfg