ID: 54680 Updated by: [email protected] Reported by: cxib at securityreason dot com -Summary: missing TRACK_VARS_SERVER +Summary: missing TRACK_VARS_SERVER check -Status: Open +Status: Closed Type: Bug Package: *General Issues Operating System: NetBSD PHP Version: 5.3.6 -Assigned To: +Assigned To: felipe Block user comment: N Private report: N New Comment: This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2011-06-12 04:47:50] [email protected] Automatic comment from SVN on behalf of felipe Revision: http://svn.php.net/viewvc/?view=revision&revision=312079 Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check) ------------------------------------------------------------------------ [2011-05-07 00:44:53] cxib at securityreason dot com Description: ------------ ./work/php-5.3.6/ext/standard/basic_functions.c: if ((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv", sizeof("argv"), (void **) &args) != FAILURE || A guard condition is missing here: PG(http_globals)[TRACK_VARS_SERVER] is handed to HASH_OF() without first checking that it is non-NULL. The other extensions that read this entry (phar, soap, zlib, session, browscap in the grep output below) all guard it first with a check such as `if (!PG(http_globals)[TRACK_VARS_SERVER]) {` or an equivalent `&&` / `||` test; only the getopt() implementation in basic_functions.c omits it. When the entry is NULL the call dereferences address 0 and the process crashes (the register dump under "Actual result" below shows the faulting read with eax == 0). Since this is reachable from a script run under a web SAPI (the test below triggers it with a plain HTTP request to Apache), any request that reaches a deployed script calling getopt() kills the serving child process, i.e. a denial of service; the dump shows a NULL read rather than a controllable write, so nothing beyond a crash is indicated here. The triggering script (getopt.php) is not reproduced in this report; the backtrace shows it reaching zif_getopt. See: # find . 
-name "*.c"|xargs grep '\[TRACK_VARS_SERVER\]' ./work/php-5.3.6/ext/phar/phar_object.c: if (!PG(http_globals)[TRACK_VARS_SERVER]) { ./work/php-5.3.6/ext/phar/phar_object.c: _SERVER = Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]); ./work/php-5.3.6/ext/phar/phar_object.c: if (PG(http_globals)[TRACK_VARS_SERVER]) { ./work/php-5.3.6/ext/phar/phar_object.c: HashTable *_server = Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]); ./work/php-5.3.6/ext/soap/soap.c: if (PG(http_globals)[TRACK_VARS_SERVER] && ./work/php-5.3.6/ext/soap/soap.c: zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &agent_name) == SUCCESS && ./work/php-5.3.6/ext/zlib/zlib.c: if (!PG(http_globals)[TRACK_VARS_SERVER] ./work/php-5.3.6/ext/zlib/zlib.c: || zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "HTTP_ACCEPT_ENCODING", sizeof("HTTP_ACCEPT_ENCODING"), (void **) &a_encoding) == FAILURE ./work/php-5.3.6/ext/zlib/zlib.c: if (!PG(http_globals)[TRACK_VARS_SERVER] ./work/php-5.3.6/ext/zlib/zlib.c: || zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "HTTP_ACCEPT_ENCODING", sizeof("HTTP_ACCEPT_ENCODING"), (void **) &a_encoding) == FAILURE ./work/php-5.3.6/ext/session/session.c: if (!PS(use_only_cookies) && !PS(id) && PG(http_globals)[TRACK_VARS_SERVER] && ./work/php-5.3.6/ext/session/session.c: zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]), "REQUEST_URI", sizeof("REQUEST_URI"), (void **) &data) == SUCCESS && ./work/php-5.3.6/ext/session/session.c: PG(http_globals)[TRACK_VARS_SERVER] && ./work/php-5.3.6/ext/session/session.c: zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]), "HTTP_REFERER", sizeof("HTTP_REFERER"), (void **) &data) == SUCCESS && ./work/php-5.3.6/ext/standard/basic_functions.c: if ((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv", sizeof("argv"), (void **) &args) != FAILURE || ./work/php-5.3.6/ext/standard/browscap.c: if 
(!PG(http_globals)[TRACK_VARS_SERVER] || ./work/php-5.3.6/ext/standard/browscap.c: zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &http_user_agent) == FAILURE ./work/php-5.3.6/main/php_variables.c: if (PG(http_globals)[TRACK_VARS_SERVER]) { ./work/php-5.3.6/main/php_variables.c: zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); ./work/php-5.3.6/main/php_variables.c: PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; ./work/php-5.3.6/main/php_variables.c: php_autoglobal_merge(&EG(symbol_table), Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]) TSRMLS_CC); ./work/php-5.3.6/main/php_variables.c: php_build_argv(SG(request_info).query_string, PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC); ./work/php-5.3.6/main/php_variables.c: zend_hash_update(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]), "argv", sizeof("argv"), argv, sizeof(zval *), NULL); ./work/php-5.3.6/main/php_variables.c: zend_hash_update(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]), "argc", sizeof("argc"), argc, sizeof(zval *), NULL); ./work/php-5.3.6/main/php_variables.c: php_build_argv(SG(request_info).query_string, PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC); ./work/php-5.3.6/main/php_variables.c: if (PG(http_globals)[TRACK_VARS_SERVER]) { ./work/php-5.3.6/main/php_variables.c: zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); ./work/php-5.3.6/main/php_variables.c: PG(http_globals)[TRACK_VARS_SERVER] = server_vars; ./work/php-5.3.6/main/php_variables.c: zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL); ./work/php-5.3.6/main/php_variables.c: Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]); ./work/php-5.3.6/main/php_variables.c: zend_hash_update(&EG(symbol_table), "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL); ./work/php-5.3.6/main/php_variables.c: Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]); 
./work/php-5.3.6/sapi/cgi/cgi_main.c: } else if (PG(http_globals)[TRACK_VARS_SERVER] && ./work/php-5.3.6/sapi/cgi/cgi_main.c: array_ptr != PG(http_globals)[TRACK_VARS_SERVER] && ./work/php-5.3.6/sapi/cgi/cgi_main.c: Z_TYPE_P(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY && ./work/php-5.3.6/sapi/cgi/cgi_main.c: zend_hash_num_elements(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])) > 0 ./work/php-5.3.6/sapi/cgi/cgi_main.c: *array_ptr = *PG(http_globals)[TRACK_VARS_SERVER]; ./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c: } else if (PG(http_globals)[TRACK_VARS_SERVER] && ./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c: array_ptr != PG(http_globals)[TRACK_VARS_SERVER] && ./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c: Z_TYPE_P(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY && ./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c: zend_hash_num_elements(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])) > 0 ./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c: *array_ptr = *PG(http_globals)[TRACK_VARS_SERVER]; ./work/php-5.3.6/sapi/apache_hooks/sapi_apache.c: php_register_variable_ex("request", req, PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC); ./work/php-5.3.6/sapi/apache_hooks/sapi_apache.c: php_register_variable("PHP_SELF_HOOK", handler->name, PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC); # Test script: --------------- 127# php -v && uname -a PHP 5.3.6 (cli) (built: Mar 16 2011 10:00:59) (DEBUG) Copyright (c) 1997-2011 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies NetBSD 127 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 [email protected]:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386 127# curl http://127.0.0.1/getopt.php curl: (52) Empty reply from server error_log: [Sat May 07 02:29:20 2011] [notice] child pid 970 exit signal Segmentation fault (11) Actual result: -------------- Program received signal SIGSEGV, Segmentation fault. 
0xbaf5506c in zif_getopt (ht=2, return_value=0xba60e4c4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0xba939980) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/ext/standard/basic_functions.c:4260 4260 if ((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv", sizeof("argv"), (void **) &args) != FAILURE || (gdb) #0 0xbaf5506c in zif_getopt (ht=2, return_value=0xba60e4c4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0xba939980) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/ext/standard/basic_functions.c:4260 #1 0xbb0aa13d in zend_do_fcall_common_helper_SPEC (execute_data=0xba6a7044, tsrm_ls=0xba939980) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:316 #2 0xbb0affa9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xba6a7044, tsrm_ls=0xba939980) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:1602 #3 0xbb0a8f54 in execute (op_array=0xba60e128, tsrm_ls=0xba939980) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:96 #4 0xbb079d8a in zend_execute_scripts (type=8, tsrm_ls=0xba939980, retval=0x0, file_count=3) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend.c:1194 #5 0xbaff56f9 in php_execute_script (primary_file=0xbfbfe81c, tsrm_ls=0xba939980) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/main/main.c:2266 #6 0xbb15729d in php_handler (r=0xba718058) at /usr/pkgsrc/www/ap-php/work/php-5.3.6/sapi/apache2handler/sapi_apache2.c:666 #7 0x0807894a in ap_run_handler () (gdb) i r eax 0x0 0 ecx 0xbfbfcfa4 -1077948508 edx 0xba88b0cc -1165446964 ebx 0xbb5e66d8 -1151441192 esp 0xbfbfcfb0 0xbfbfcfb0 ebp 0xbfbfd0e8 0xbfbfd0e8 esi 0xbb6069c8 -1151309368 edi 0xba60e4d4 -1168055084 eip 0xbaf5506c 0xbaf5506c <zif_getopt+218> eflags 0x10216 [ PF AF IF RF ] cs 0x17 23 ss 0x1f 31 ds 0x1f 31 es 0x1f 31 fs 0x0 0 gs 0x0 0 (gdb) x/i $eip 0xbaf5506c <zif_getopt+218>: mov 0xc(%eax),%al (gdb) x/i $eax 0x0: Cannot access memory at address 0x0 
