From: crrodriguez at suse dot de
Operating system: Linux
PHP version: 5CVS-2007-08-21 (CVS)
PHP Bug Type: Reproducible crash
Bug description: glob() crashes and/or accepts way too many flags
Description:
------------
the glob() function crashes when you pass GLOB_ALTDIRFUNC (512) as a flag; with that flag libc calls the gl_opendir/gl_readdir/gl_closedir function pointers in the glob_t, which PHP never sets (they are all 0 in the backtrace below), so it jumps to address 0. In short, glob() should only accept the flags it really supports.
Reproduce code:
---------------
./php5/sapi/cli/php -r 'var_dump(glob("*",512));'
Expected result:
----------------
Only the supported options should be whitelisted, and/or at least GLOB_ALTDIRFUNC and GLOB_APPEND should be blacklisted (rejected before the flags reach libc's glob()).
Actual result:
--------------
gdb --args ./php5/sapi/cli/php -r 'var_dump(glob("*",512));'
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "x86_64-suse-linux"...Using host libthread_db
library "/lib64/libthread_db.so.1".
(gdb) run
Starting program: /home/cristian/php5/sapi/cli/php -r
var_dump\(glob\(\"\*\",512\)\)\;
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt full
#0 0x0000000000000000 in ?? ()
No symbol table info available.
#1 0x00002b8a1b81ad62 in glob_in_dir () from /lib64/libc.so.6
No symbol table info available.
#2 0x00002b8a1b81b9bd in glob64 () from /lib64/libc.so.6
No symbol table info available.
#3 0x000000000060fff1 in zif_glob (ht=2, return_value=0xc968d8,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at
/home/cristian/php5/ext/standard/dir.c:417
cwd_skip = 0
pattern = 0xc96880 "*"
pattern_len = 1
flags = 512
globbuf = {gl_pathc = 0, gl_pathv = 0x0, gl_offs = 0, gl_flags =
0, gl_closedir = 0, gl_readdir = 0, gl_opendir = 0, gl_lstat = 0, gl_stat =
0}
n = 0
ret = -1877809728
#4 0x00000000007319d6 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fff9012e640) at
/home/cristian/php5/Zend/zend_vm_execute.h:200
return_reference = 0 '\0'
opline = (zend_op *) 0xc965d0
original_return_value = (zval **) 0xb208d0
current_scope = (zend_class_entry *) 0x0
current_this = (zval *) 0x0
return_value_used = 1
should_change_scope = 0 '\0'
ctor_opline = (zend_op *) 0x50072fb1b
#5 0x0000000000738190 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0x7fff9012e640) at
/home/cristian/php5/Zend/zend_vm_execute.h:1681
opline = (zend_op *) 0xc965d0
fname = (zval *) 0xc96600
#6 0x000000000073141e in execute (op_array=0xc96288) at
/home/cristian/php5/Zend/zend_vm_execute.h:92
execute_data = {opline = 0xc965d0, function_state =
{function_symbol_table = 0x0, function = 0xb208f0, reserved =
{0x7fff9012e690, 0x0, 0x0, 0x0}}, fbc = 0x0,
---Type <return> to continue, or q <return> to quit---
op_array = 0xc96288, object = 0x0, Ts = 0x7fff9012e5c0, CVs =
0x7fff9012e5b0, original_in_execution = 0 '\0', symbol_table = 0xadc528,
prev_execute_data = 0x0,
old_error_reporting = 0x0}
#7 0x00000000006f87dd in zend_eval_string (str=0x7fff90130f4b
"var_dump(glob(\"*\",512));", retval_ptr=0x0, string_name=0x84052c "Command
line code")
at /home/cristian/php5/Zend/zend_execute_API.c:1171
local_retval_ptr = (zval *) 0x0
original_return_value_ptr_ptr = (zval **) 0x0
original_opline_ptr = (zend_op **) 0x0
pv = {value = {lval = 13194888, dval = 6.5191408615229139e-317,
str = {val = 0xc95688 "var_dump(glob(\"*\",512));", len = 24}, ht =
0xc95688, obj = {handle = 13194888,
handlers = 0x18}}, refcount = 13384816, type = 6 '\006', is_ref = 0
'\0'}
new_op_array = (zend_op_array *) 0xc96288
original_active_op_array = (zend_op_array *) 0x0
original_function_state_ptr = (zend_function_state *) 0x0
original_handle_op_arrays = 1 '\001'
retval = 0
#8 0x00000000006f8981 in zend_eval_string_ex (str=0x7fff90130f4b
"var_dump(glob(\"*\",512));", retval_ptr=0x0, string_name=0x84052c "Command
line code", handle_exceptions=1)
at /home/cristian/php5/Zend/zend_execute_API.c:1205
result = 0
#9 0x000000000078e8dd in main (argc=3, argv=0x7fff9012ec18) at
/home/cristian/php5/sapi/cli/php_cli.c:1179
__orig_bailout = (jmp_buf *) 0x0
__bailout = {{__jmpbuf = {47872153828320, -69669401190941675, 0,
140735610547216, 0, 0, -69669401190944539, -69801448083912037},
__mask_was_saved = 0, __saved_mask = {
__val = {0, 0, 140735610546528, 0, 0, 0, 0, 0, 47872151728128,
47872171956992, 47872153830976, 47872153832832, 281474976710656, 0, 0,
0}}}}
exit_status = 0
c = -1
file_handle = {type = 2 '\002', filename = 0x8404d5 "-",
opened_path = 0x0, handle = {fd = 464262784, fp = 0x2b8a1bac1680, stream =
{handle = 0x2b8a1bac1680,
reader = 0x2b8a1b794d80 <data.7078+64800>, closer = 0x40e9e0,
fteller = 0x100000000, interactive = 1955}}, free_filename = 0 '\0'}
behavior = 6
reflection_what = 0x0
orig_optind = 1
---Type <return> to continue, or q <return> to quit---
orig_optarg = 0x0
arg_free = 0x7fff90130f4b "var_dump(glob(\"*\",512));"
arg_excp = (char **) 0x7fff9012ec28
script_file = 0x0
interactive = 0
module_started = 1
request_started = 1
lineno = 0
exec_direct = 0x7fff90130f4b "var_dump(glob(\"*\",512));"
exec_run = 0x0
exec_begin = 0x0
exec_end = 0x0
param_error = 0x0
hide_argv = 0
ini_entries_len = 110