From:
Operating system: NetBSD
PHP version: 5.3.6
Package: *General Issues
Bug Type: Bug
Bug description: addGlob addPattern buffer overflow

Description:
------------
First, the functions addGlob and addPattern are not described in the manual: http://pl2.php.net/manual/en/class.ziparchive.php

ext/zip/php_zip.c
1629     /* 1 == glob, 2==pcre */
1630     if (type == 1) {
1631         if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|la",
1632                 &pattern, &pattern_len, &flags, &options) == FAILURE) {
1633             return;
1634         }
1635     } else {
1636         if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sa",
1637                 &pattern, &pattern_len, &path, &path_len, &options) == FAILURE) {
1638             return;
1639         }
1640     }
1641

There is no GLOB flags validation like in php/glob(). So limit the flags only to GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_BRACE|GLOB_ONLYDIR|GLOB_ERR, like http://pl2.php.net/manual/en/function.glob.php

* GLOB_MARK - Adds a slash to each directory returned
* GLOB_NOSORT - Return files as they appear in the directory (no sorting)
* GLOB_NOCHECK - Return the search pattern if no files matching it were found
* GLOB_NOESCAPE - Backslashes do not quote metacharacters
* GLOB_BRACE - Expands {a,b,c} to match 'a', 'b', or 'c'
* GLOB_ONLYDIR - Return only directory entries which match the pattern
* GLOB_ERR - Stop on read errors (like unreadable directories), by default errors are ignored.

Test script:
---------------
The crash comes when we run the libc/glob(3) function with an incorrect flag.
Tested also on linux/ubuntu and (netbsd)

cx@cx64:~$ php -v
PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
cx@cx64:~$ uname -a
Linux cx64 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64 GNU/Linux
cx@cx64:/www$ cat zip.php
<?php
unlink("empty.zip");
fopen("empty.zip","a");
$nx=new ZipArchive();
$nx->open("empty.zip");
$nx->addGlob(str_repeat("*",333333),0x39);
?>
cx@cx64:/www$ php zip.php
Segmentation fault

Actual result:
--------------
Segmentation fault

--
Edit bug report at http://bugs.php.net/bug.php?id=54681&edit=1
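The fix the report asks for is an allow-list check on the flags before they reach glob(3). The C below is an added illustration of that shape, not code from the bug report, from ext/zip/php_zip.c or from PHP's own glob() implementation: the mask is built from the seven flags the report quotes from the glob() manual page, and the helper names zip_glob_flags_valid and zip_safe_glob are assumptions chosen for this example. Flags outside the list, such as GLOB_APPEND or GLOB_DOOFFS, make glob(3) trust fields of the caller's glob_t that a fresh call never initialised, which is why rejecting them up front (and zeroing the glob_t regardless) is the defensive pattern.

```c
/* Added example, not code from the PHP bug report or from ext/zip/php_zip.c:
 * an allow-list check for glob(3) flags in the spirit of the fix the report asks for. */
#define _GNU_SOURCE
#include <glob.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* GLOB_BRACE and GLOB_ONLYDIR are extensions; define them as 0 where the libc
 * lacks them so the allow-list still builds (they then simply never match). */
#ifndef GLOB_BRACE
#define GLOB_BRACE 0
#endif
#ifndef GLOB_ONLYDIR
#define GLOB_ONLYDIR 0
#endif

/* The flag list quoted in the report from the glob() manual page. */
#define ZIP_GLOB_ALLOWED_FLAGS \
    (GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE | \
     GLOB_BRACE | GLOB_ONLYDIR | GLOB_ERR)

/* Returns 1 when every set bit of `flags` is in the allow-list, 0 otherwise.
 * Bits such as GLOB_APPEND or GLOB_DOOFFS are refused: they tell glob(3) to
 * read gl_pathv / gl_offs from a glob_t the caller never filled in. */
int zip_glob_flags_valid(long flags)
{
    return (flags & ~(long)ZIP_GLOB_ALLOWED_FLAGS) == 0;
}

/* Hypothetical helper (assumed name): validate, then run glob(3) on a
 * zero-initialised glob_t. Returns 0 on success with *count set to the number
 * of matches (0 when nothing matched), -1 when the flags are rejected and
 * glob(3) is never called, -2 on a glob(3) error other than "no match". */
int zip_safe_glob(const char *pattern, long flags, size_t *count)
{
    glob_t g;
    int rc;

    *count = 0;
    if (!zip_glob_flags_valid(flags)) {
        return -1;                  /* unsupported flag: refuse before glob(3) */
    }
    memset(&g, 0, sizeof g);        /* never let glob(3) see stale state */
    rc = glob(pattern, (int)flags, NULL, &g);
    if (rc == 0) {
        *count = g.gl_pathc;
    }
    globfree(&g);                   /* safe after memset even when glob failed */
    if (rc != 0 && rc != GLOB_NOMATCH) {
        return -2;
    }
    return 0;
}

int main(void)
{
    size_t n;
    int rc;

    /* 0x39 is the flag value from the report's crash script; on common libcs it
     * mixes allowed bits with bits outside the list, so it is refused up front. */
    printf("flags 0x39 valid: %d\n", zip_glob_flags_valid(0x39));

    rc = zip_safe_glob("/*", GLOB_MARK, &n);
    printf("glob(\"/*\", GLOB_MARK): rc=%d matches=%zu\n", rc, n);

    rc = zip_safe_glob("/*", GLOB_MARK | GLOB_DOOFFS, &n);
    printf("glob(\"/*\", GLOB_MARK|GLOB_DOOFFS): rc=%d (rejected)\n", rc);
    return 0;
}
```

The check is a pure bitmask comparison, so it costs nothing on the hot path and does not depend on the pattern length at all; the overlong pattern in the report's script is irrelevant once the unsupported flag bits are refused.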
