Edit report at https://bugs.php.net/bug.php?id=61964&edit=1
ID: 61964
Updated by: fel...@php.net
Reported by: ni...@php.net
Summary: finfo_open with directory causes invalid free
Status: Open
Type: Bug
Package: Filesystem function related
PHP Version: master-Git-2012-05-06 (Git)
Block user comment: N
Private report: N

New Comment:

Hi, I got a crash when running the following code in the php-src root dir using your patch (pull-request):

<?php
finfo_open(FILEINFO_NONE, ".");

(gdb) r ../bug.php
Starting program: /home/felipe/dev/php5_3/sapi/cli/php ../bug.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
memset () at ../sysdeps/i386/i686/memset.S:85
85      ../sysdeps/i386/i686/memset.S: No such file or directory.
        in ../sysdeps/i386/i686/memset.S
Current language:  auto
The current source language is "auto; currently asm".
(gdb) bt
#0  memset () at ../sysdeps/i386/i686/memset.S:85
#1  0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0) at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
#2  0x081b1a55 in load_1 (ms=0x89baeac, action=0, fn=0x89d4e48 "/home/felipe/dev/php5_3/acinclude.m4", errs=0xbfffae70, marray=0xbfffae6c, marraycount=0xbfffae68) at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:733
#3  0x081b1df8 in apprentice_load (ms=0x89baeac, magicp=0xbfffaef0, nmagicp=0xbfffaeec, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0) at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:812
#4  0x081b0ebd in apprentice_1 (ms=0x89baeac, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0, mlist=0x89bb33c) at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:275
#5  0x081b1180 in file_apprentice (ms=0x89baeac, fn=0x89baf58 "/home/felipe/dev/php5_3", action=0) at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:369
#6  0x081bb662 in magic_load (ms=0x89baeac, magicfile=0xbfffafb4 "/home/felipe/dev/php5_3") at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/magic.c:308
#7  0x081b003d in zif_finfo_open (ht=2, return_value=0x89ba6b4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/ext/fileinfo/fileinfo.c:350
#8  0x084673bd in zend_do_fcall_common_helper_SPEC (execute_data=0x89e924c, tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:320
#9  0x0846bac4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x89e924c, tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:1640
#10 0x08466656 in execute (op_array=0x89badec, tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/Zend/zend_vm_execute.h:107
#11 0x08433ee9 in zend_execute_scripts (type=8, tsrm_ls=0x8874050, retval=0x0, file_count=3) at /home/felipe/dev/php5_3/Zend/zend.c:1236
#12 0x083ae512 in php_execute_script (primary_file=0xbffff434, tsrm_ls=0x8874050) at /home/felipe/dev/php5_3/main/main.c:2308
#13 0x08510211 in main (argc=2, argv=0xbffff5b4) at /home/felipe/dev/php5_3/sapi/cli/php_cli.c:1189
(gdb) f 1
#1  0x081b29b9 in parse (ms=0x89baeac, mentryp=0xbfffae6c, nmentryp=0xbfffae68, line=0xbfff7dcb "> Makefile.fragments", lineno=143, action=0) at /home/felipe/dev/php5_3/ext/fileinfo/libmagic/apprentice.c:1178
1178            (void)memset(m, 0, sizeof(*m));
Current language:  auto
The current source language is "auto; currently c".
(gdb) p m
$1 = (struct magic *) 0x1d0


Previous Comments:
------------------------------------------------------------------------
[2012-05-24 18:00:59] reeze dot xia at gmail dot com

Hi, I've sent it to the file lib author, he replied it was intended to support dir open.
And I sent a Pull Request: https://github.com/php/php-src/pull/91
@felipe will you take a look? Thanks.

------------------------------------------------------------------------
[2012-05-13 11:03:52] ni...@php.net

Reeze already has a patch which fixes this issue and several related memory leaks.
Though I can't find it anywhere now :/

------------------------------------------------------------------------
[2012-05-13 10:56:10] larue...@php.net

Then I think we can simply prevent the directory parameter.

------------------------------------------------------------------------
[2012-05-09 23:37:07] fel...@php.net

In fact the libmagic code seems not prepared to work with directories; even alloc'ing the data properly and freeing it, it causes memleaks in other parts.

------------------------------------------------------------------------
[2012-05-06 14:06:07] larue...@php.net

diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c
index 2c0e39a..9241e5b 100644
--- a/ext/fileinfo/fileinfo.c
+++ b/ext/fileinfo/fileinfo.c
@@ -315,16 +315,24 @@ PHP_FUNCTION(finfo_open) if (file_len == 0) { file = NULL; } else if (file && *file) { /* user specified file, perform open_basedir checks */ + struct stat sb; + if (strlen(file) != file_len) { FILEINFO_DESTROY_OBJECT(object); RETURN_FALSE; } + + if (VCWD_STAT(file, &sb) || !S_ISREG(sb.st_mode)) { + FILEINFO_DESTROY_OBJECT(object); + RETURN_FALSE; + } + if (!VCWD_REALPATH(file, resolved_path)) { FILEINFO_DESTROY_OBJECT(object); RETURN_FALSE; } - file = resolved_path; + file = resolved_path; #if PHP_API_VERSION < 20100412 if ((PG(safe_mode) && (!php_checkuid(file, NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(file TSRMLS_CC)) { #else

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=61964
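Review bot: the new `VCWD_STAT(file, &sb) || !S_ISREG(sb.st_mode)` test in this hunk runs on the raw user-supplied `file` before `VCWD_REALPATH` and before the `php_check_open_basedir(file TSRMLS_CC)` call later in the same block, so a script confined by open_basedir gets to stat paths it is not allowed to open; only a boolean leaks, since every failure is the same `RETURN_FALSE`, but the order should still be realpath, basedir check, then the stat on `resolved_path`. The check is also stat-then-use: the backtrace in this report shows libmagic opening the path again itself (`magic_load` -> `file_apprentice` -> `apprentice_load` with `fn` set to the path), so a path that changes between the stat and that open still reaches the crashing code; fine for a crash-avoidance patch, but it deserves a comment saying so. Rejecting a directory, device or fifo with a silent `RETURN_FALSE` leaves the caller with no idea why `finfo_open` failed; an `E_WARNING` naming the path would help. Finally, the `-`/`+` pair on `file = resolved_path;` changes whitespace only and should be dropped from the patch.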
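The patch above stats the user's path and refuses anything that is not S_ISREG, which is the right idea but is done on the path rather than on the object that eventually gets opened. The following is an added C example, not code from php-src, libmagic or the pull request in this thread, showing the check done the other way round: open first, then fstat() the descriptor and require S_ISREG, so the decision is made about exactly the object that was opened. Everything in it is constructed for the example: the function names `open_regular_file`, `classify_path` and `run_demo`, the `regfile_status` enum, and the sample magic line written into a temporary file. `run_demo` walks through the three cases that matter for this report: a directory (rejected), a regular file (accepted with an open descriptor), and a missing file (an open() error rather than a bogus pointer).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of open_regular_file(). */
enum regfile_status {
    REGFILE_OK = 0,
    REGFILE_BAD_PATH,     /* empty, embedded NUL, or PATH_MAX or longer */
    REGFILE_OPEN_FAILED,  /* open(2) or fstat(2) failed; errno says why */
    REGFILE_NOT_REGULAR   /* opened, but it is a directory, device, fifo, ... */
};

/*
 * Open `path` read-only and accept it only if the object actually opened is a
 * regular file. On success *fd_out holds the descriptor (caller closes it) and,
 * when `resolved` is non-NULL, the canonical path is copied there for logging
 * or policy checks such as open_basedir. `path_len` is the caller's own length,
 * so an embedded NUL is caught the same way the patch does with
 * strlen(file) != file_len.
 */
enum regfile_status open_regular_file(const char *path, size_t path_len,
                                      int *fd_out, char *resolved)
{
    struct stat sb;
    int fd;

    *fd_out = -1;
    if (path == NULL || path_len == 0 || path_len >= PATH_MAX
        || strlen(path) != path_len) {
        return REGFILE_BAD_PATH;
    }

    /* Open first: fstat() then describes exactly the object we hold, so a
     * path that changes underneath us cannot slip a directory past the check. */
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        return REGFILE_OPEN_FAILED;
    }
    if (fstat(fd, &sb) != 0) {
        close(fd);
        return REGFILE_OPEN_FAILED;
    }
    if (!S_ISREG(sb.st_mode)) {
        close(fd);
        return REGFILE_NOT_REGULAR;
    }
    /* Canonical path is informational; the decision was made on the descriptor. */
    if (resolved != NULL && realpath(path, resolved) == NULL) {
        resolved[0] = '\0';
    }
    *fd_out = fd;
    return REGFILE_OK;
}

/* Convenience wrapper: classify a C string and discard the descriptor. */
enum regfile_status classify_path(const char *path)
{
    int fd;
    enum regfile_status st = open_regular_file(path, path ? strlen(path) : 0,
                                               &fd, NULL);
    if (fd >= 0) {
        close(fd);
    }
    return st;
}

/*
 * Exercise the check against a fresh temp directory (the case that crashed
 * in this report), a regular file inside it, and a name that no longer exists.
 * Returns 0 when every case behaves as expected, otherwise the number of the
 * first step that did not.
 */
int run_demo(void)
{
    char dir[PATH_MAX] = "/tmp/regfile-demo-XXXXXX";
    char file[PATH_MAX] = "";
    int fd = -1, rc = 0;
    FILE *fp;

    if (mkdtemp(dir) == NULL) {
        /* fall back to the working directory if /tmp is unavailable */
        strcpy(dir, "regfile-demo-XXXXXX");
        if (mkdtemp(dir) == NULL) {
            return 1;
        }
    }
    snprintf(file, sizeof file, "%s/magic", dir);
    fp = fopen(file, "w");
    if (fp == NULL) {
        rc = 2;
        goto out;
    }
    fputs("0\tstring\tPHP\tconstructed sample magic line\n", fp); /* constructed */
    fclose(fp);

    if (open_regular_file(dir, strlen(dir), &fd, NULL) != REGFILE_NOT_REGULAR
        || fd != -1) {
        rc = 3; /* a directory must be rejected and leave no descriptor behind */
        goto out;
    }
    if (open_regular_file(file, strlen(file), &fd, NULL) != REGFILE_OK || fd < 0) {
        rc = 4; /* a regular file must be accepted with an open descriptor */
        goto out;
    }
    close(fd);
    fd = -1;
    unlink(file);
    if (open_regular_file(file, strlen(file), &fd, NULL) != REGFILE_OPEN_FAILED) {
        rc = 5; /* a missing file fails at open(), with errno, not later */
        goto out;
    }

out:
    if (fd >= 0) {
        close(fd);
    }
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0) {
        puts("directory rejected, regular file accepted, missing file reported");
    } else {
        printf("step %d did not behave as expected\n", rc);
    }
    return rc;
}
```

When the consumer only accepts a path, as `magic_load` does in the backtrace above, checking the descriptor shrinks the window but does not close it, because the library re-opens the name on its own; handing over the descriptor, or the bytes read from it, where the library offers such an entry point, is what removes the race entirely. Either way the check belongs after canonicalisation and the open_basedir decision, not before them.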