 ID:               47252
 Updated by:       fel...@php.net
 Reported By:      a dot boykov at timeweb dot ru
-Status:           Open
+Status:           Feedback
-Bug Type:         Unknown/Other Function
+Bug Type:         Arrays related
 Operating System: Gentoo Linux 2008.0
 PHP Version:      5.2.8
 New Comment:

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Previous Comments:
------------------------------------------------------------------------

[2009-01-30 18:31:19] a dot boykov at timeweb dot ru

Description:
------------
In function extract(), the length of a line key is not always correctly defined. Sometimes it is calculated incorrectly and any following operation with this string leads to memory corruption.

Here is an example which was received while debugging.

name: bDescPageNumbering, len: 6276448
[Fri Jan 30 21:18:08 2009] [notice] child pid 19801 exit signal Segmentation fault (11)

We used this patch to fix the problem:

--- php-5.2.8/ext/standard/array.c 2009-01-30 21:23:25.000000000 +0300 +++ php-5.2.8/ext/standard/array.c 2009-01-30 21:24:35.000000000 +0300 @@ -1397,6 +1397,9 @@ key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(var_array), &var_name, &var_name_len, &num_key, 0, &pos); var_exists = 0; + if (key_type == HASH_KEY_IS_STRING) + var_name_len = strlen(var_name); + if (key_type == HASH_KEY_IS_STRING) { var_name_len--; var_exists = zend_hash_exists(EG(active_symbol_table), var_name, var_name_len + 1);

With this patch all works well, but I think it does not exclude a problem source.

name: bDescPageNumbering, len: 18

------------------------------------------------------------------------
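
Review bot: The added `var_name_len = strlen(var_name);` feeds straight into the unchanged `var_name_len--;` below it, so the existence check now passes `var_name_len + 1` equal to strlen(var_name), with no count for the terminating NUL. The decrement-then-add-one pattern in the context lines suggests the length returned by zend_hash_get_current_key_ex() is expected to include that terminator, so to keep the same convention the recomputed value would need to be `strlen(var_name) + 1`. The new assignment also repeats the `if (key_type == HASH_KEY_IS_STRING)` test and could sit inside the existing block instead. Beyond that, recomputing the length with strlen() hides whatever produced the bad value (6276448 in the report) rather than fixing it, and strlen() stops at the first NUL byte, so a key with an embedded NUL would be silently truncated. This is better kept as a diagnostic workaround until the source of the corrupted key length is found.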