From: remi
Operating system: GNU/Linux
PHP version: 5.3.25
Package: PostgreSQL related
Bug Type: Bug
Bug description: Buffer overflow in _pdo_pgsql_error
Description:
------------
running the unit tests in ext/pdo_pgsql, 2 tests cause a segfault (with same backtrace)

(gdb) run copy_from.php
.
Testing pgsqlCopyFromArray() with error
*** buffer overflow detected ***: /usr/bin/php terminated
...
(gdb) bt
#0  0x00007ffff4bfcba5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x00007ffff4bfe358 in __GI_abort () at abort.c:90
#2  0x00007ffff4c3c59b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4d3f81f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3  0x00007ffff4cd16b7 in __GI___fortify_fail (msg=msg@entry=0x7ffff4d3f7c5 "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff4ccf830 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007fffe67cdb61 in strcpy (__src=0x7fffe67d0c3a "Copy command failed", __dest=0x7ffff7fbf920 "Copy c") at /usr/include/bits/string3.h:104
#6  _pdo_pgsql_error (dbh=dbh@entry=0x7ffff7fbf8c8, stmt=stmt@entry=0x0, errcode=errcode@entry=7, sqlstate=0x7fffe67d0c3a "Copy command failed", file=<optimized out>, line=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:83
#7  0x00007fffe67cee73 in zim_PDO_pgsqlCopyFromArray (ht=<optimized out>, return_value=0x7ffff7fbf9a8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:611
#8  0x0000555555778249 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:99
#9  0x0000555555836dd3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f83340) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:545
#10 0x00005555557f6e78 in execute_ex (execute_data=0x7ffff7f83340) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:356
#11 0x000055555577810d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:75
#12 0x0000555555789b08 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-5.5.0RC2/Zend/zend.c:1316
#13 0x00005555557278dc in php_execute_script (primary_file=primary_file@entry=0x7fffffffcb80) at /usr/src/debug/php-5.5.0RC2/main/main.c:2481
#14 0x000055555583a4e6 in do_cli (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:993
#15 0x000055555560f38a in main (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:1377

(gdb) run copy_to.php
...
Testing pgsqlCopyToArray() with error
*** buffer overflow detected ***: /usr/bin/php terminated
...
(gdb) bt
#0  0x00007ffff4bfcba5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x00007ffff4bfe358 in __GI_abort () at abort.c:90
#2  0x00007ffff4c3c59b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4d3f81f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3  0x00007ffff4cd16b7 in __GI___fortify_fail (msg=msg@entry=0x7ffff4d3f7c5 "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff4ccf830 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007fffe67cdb61 in strcpy (__src=0x7fffe67d0c3a "Copy command failed", __dest=0x7ffff7fbbae8 "Copy c") at /usr/include/bits/string3.h:104
#6  _pdo_pgsql_error (dbh=dbh@entry=0x7ffff7fbba90, stmt=stmt@entry=0x0, errcode=errcode@entry=7, sqlstate=0x7fffe67d0c3a "Copy command failed", file=<optimized out>, line=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:83
#7  0x00007fffe67ce68b in zim_PDO_pgsqlCopyToArray (ht=<optimized out>, return_value=0x7ffff7fbffe0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:864
#8  0x0000555555778249 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:99
#9  0x0000555555836dd3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f829c0) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:545
#10 0x00005555557f6e78 in execute_ex (execute_data=0x7ffff7f829c0) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:356
#11 0x000055555577810d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:75
#12 0x0000555555789b08 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-5.5.0RC2/Zend/zend.c:1316
#13 0x00005555557278dc in php_execute_script (primary_file=primary_file@entry=0x7fffffffcb80) at /usr/src/debug/php-5.5.0RC2/main/main.c:2481
#14 0x000055555583a4e6 in do_cli (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:993
#15 0x000055555560f38a in main (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:1377

A trivial fix would be to switch to strncpy to avoid this buffer overflow, but this doesn't explain why a run condition comes with a sql_state = "Copy command failed", which is not a standard 5-char error code.
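As an added illustration of the defensive shape a fix can take (this is constructed example code, not the PHP project's own code nor the patch that was committed for this report): a setter for a PDO-style six-byte SQLSTATE slot that only accepts a well-formed five-character code and otherwise stores the generic "HY000", so a free-text message such as "Copy command failed" can never overrun the buffer. The names `sqlstate_buf` and `set_sqlstate` are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same shape as a PDO-style error slot: five SQLSTATE characters plus the
 * terminator. Constructed for this example; not the PHP project's own type. */
typedef char sqlstate_buf[6];

/* Copy `src` into `dst` only if it is a well-formed SQLSTATE: exactly five
 * upper-case letters or digits. Anything else (NULL, too short, too long, or a
 * human-readable message such as "Copy command failed") is replaced by the
 * generic "HY000" code. Returns true when `src` was accepted verbatim and
 * false when the fallback was stored. `dst` is always NUL-terminated. */
static bool set_sqlstate(sqlstate_buf dst, const char *src)
{
    bool ok = (src != NULL);

    /* Walk at most five characters; stop at the first defect or at a NUL,
     * so nothing past the terminator of a short string is ever read. */
    for (size_t i = 0; ok && i < 5; i++) {
        unsigned char c = (unsigned char)src[i];
        ok = (c != '\0') && (isupper(c) || isdigit(c));
    }
    /* Five good characters seen: the string must end right there. */
    ok = ok && src[5] == '\0';

    memcpy(dst, ok ? src : "HY000", 5);  /* bounded copy, never strcpy */
    dst[5] = '\0';
    return ok;
}

int main(void)
{
    sqlstate_buf st;
    const char *inputs[] = { "22P04", "Copy command failed", "2200", NULL };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        bool ok = set_sqlstate(st, inputs[i]);
        printf("%-22s -> %s (%s)\n", inputs[i] ? inputs[i] : "(null)", st,
               ok ? "accepted" : "fallback to HY000");
    }
    return 0;
}
```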
-- 
Edit bug report at https://bugs.php.net/bug.php?id=64949&edit=1