From: stas at zend dot com
Operating system: *
PHP version: 5.3CVS-2009-02-05 (CVS)
PHP Bug Type: PHP options/info functions
Bug description: UMR when trying to activate user config
Description:
------------
In function sapi_cgi_activate, php_cgi_ini_activate_user_config is called
with the path of the current script and a third parameter 'start' which is
the DOCUMENT_ROOT length - 1. Then, the following code is used:
ptr = path + start; /* start is the point where doc_root ends! */
while ((ptr = strchr(ptr, DEFAULT_SLASH)) != NULL) {
However, in general, path is not guaranteed to reside under
DOCUMENT_ROOT. While that is usually the case, there could be
rewriting/aliasing scenarios that call PHP on files outside the document
root. Or the user can invoke the PHP binary directly (having
DOCUMENT_ROOT set independently, but not intending to use it).
In such cases, the DOCUMENT_ROOT length has no relation to the path length,
which makes ptr point either to an arbitrary place inside the string if
DOCUMENT_ROOT is short, or to an unallocated place in memory if it is longer
than the current path.
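As an added illustration (not code from this report or from PHP's cgi_main.c), a small C model of the offset computation described above, plus a hardened variant that only derives the start offset once the script path has been checked to lie under DOCUMENT_ROOT; the function names and the string-level checks are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Model of the pattern the report describes: start is derived from
 * DOCUMENT_ROOT alone, with no check against the script path. */
size_t unsafe_start(const char *doc_root)
{
    return strlen(doc_root) - 1;
}

/* True when that offset at least lands inside path; false means the
 * strchr() walk would begin past the terminating NUL (the valgrind case). */
int start_in_bounds(const char *path, size_t start)
{
    return start < strlen(path);
}

/* Hardened variant: only return a start offset when path really is under
 * doc_root as a whole path component; -1 otherwise, so the caller skips
 * per-directory user config instead of scanning unrelated memory. */
long safe_start(const char *path, const char *doc_root)
{
    size_t root_len = strlen(doc_root);
    size_t path_len = strlen(path);

    /* tolerate a trailing slash on DOCUMENT_ROOT, e.g. "/var/www/" */
    while (root_len > 1 && doc_root[root_len - 1] == '/')
        root_len--;
    if (root_len == 0 || root_len >= path_len)
        return -1;                       /* root longer than the script path */
    if (strncmp(path, doc_root, root_len) != 0)
        return -1;                       /* script lives outside doc root */
    if (path[root_len] != '/' && doc_root[root_len - 1] != '/')
        return -1;                       /* "/var/www2" is not under "/var/www" */
    return (long)(root_len - 1);         /* same "length - 1" convention */
}

/* The slash walk from the report, run only on a validated offset: counts
 * the directories in which a per-directory user config would be looked up. */
int count_config_dirs(const char *path, long start)
{
    const char *ptr;
    int dirs = 0;

    if (start < 0)
        return 0;
    ptr = path + start;
    while ((ptr = strchr(ptr, '/')) != NULL) {
        dirs++;
        ptr++;
    }
    return dirs;
}
```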
Reproduce code:
---------------
One can easily reproduce it by setting DOCUMENT_ROOT to a very long string
and running PHP CGI under valgrind with the parameter being some short
script path.
Actual result:
--------------
==15115== Invalid read of size 1
==15115== at 0x400609A: index (mc_replace_strmem.c:164)
==15115== by 0x84CE159: php_cgi_ini_activate_user_config (cgi_main.c:716)
==15115== by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115== by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115== by 0x83D08AC: php_request_startup (main.c:1342)
==15115== by 0x84D04C1: main (cgi_main.c:1961)
==15115== Address 0x4A65693 is 5 bytes before a block of size 50 alloc'd
==15115== at 0x4005400: malloc (vg_replace_malloc.c:149)
==15115== by 0x844B09C: __zend_malloc (zend_alloc.h:81)
==15115== by 0x844ADC2: _zend_hash_add_or_update (zend_hash.c:247)
==15115== by 0x84CE0E9: php_cgi_ini_activate_user_config (cgi_main.c:704)
==15115== by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115== by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115== by 0x83D08AC: php_request_startup (main.c:1342)
==15115== by 0x84D04C1: main (cgi_main.c:1961)
--
Edit bug report at http://bugs.php.net/?id=47318&edit=1