From: secpelle at ee dot oulu dot fi
Operating system: Solaris
PHP version: 5.0.5
PHP Bug Type: Reproducible crash
Bug description: sqlite_open seg faults if "getcwd" fails
Description:
------------
sqlite crashes php if "getcwd" fails due to restrictive permissions in
parent directories; for the cli this is an annoyance, for the php module in apache
this is a local DoS.
null ptr dereference in sqliteOsFullPathname()
Reproduce code:
---------------
% mkdir -p test/test
% cd test/test
% echo '<?sqlite_open("a.db");?>' | php
# all ok
% chmod 111 ..
% pwd
pwd: cannot determine current directory!
% echo '<?sqlite_open("b.db");?>' | php
Segmentation fault (core dumped)
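The trace below shows getcwd() returning NULL and that NULL going straight into a strlen()-based string builder. The following is an added illustration, not SQLite's or PHP's code, of how a full-pathname routine should treat a failed getcwd(); the cwd provider is passed in as a function pointer (an assumption of this example) so the failing case can be exercised without an unreadable parent directory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Signature matching getcwd(), so the real function can be passed directly. */
typedef char *(*cwd_fn)(char *buf, size_t size);

/* Builds an absolute path for rel into out. Returns 0 on success, -1 on
 * failure with errno set. The NULL check on the cwd provider is the one
 * the reported crash path lacks. */
int full_pathname(const char *rel, cwd_fn cwd_impl, char *out, size_t outlen) {
    char cwd[4096];
    int n;
    if (rel == NULL || out == NULL || outlen == 0) {
        errno = EINVAL;
        return -1;
    }
    if (rel[0] == '/') {
        n = snprintf(out, outlen, "%s", rel);
    } else {
        const char *dir = cwd_impl(cwd, sizeof cwd);
        if (dir == NULL)      /* EACCES on an unreadable parent, ERANGE, ... */
            return -1;        /* errno is left as the provider set it */
        n = snprintf(out, outlen, "%s/%s", dir, rel);
    }
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG; /* no silent truncation of the path */
        return -1;
    }
    return 0;
}

/* Constructed stand-in for the report's "cannot determine current directory". */
char *cwd_unreadable_parent(char *buf, size_t size) {
    (void)buf; (void)size;
    errno = EACCES;
    return NULL;
}

/* Constructed stand-in returning a fixed directory (path is made up). */
char *cwd_fixed(char *buf, size_t size) {
    return snprintf(buf, size, "/home/user/test/test") < (int)size ? buf : NULL;
}

int main(void) {
    char path[4096];
    if (full_pathname("b.db", cwd_unreadable_parent, path, sizeof path) != 0)
        perror("open fails cleanly instead of crashing");
    if (full_pathname("a.db", cwd_fixed, path, sizeof path) == 0)
        printf("%s\n", path);
    return 0;
}
```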
Expected result:
----------------
no crash
Actual result:
--------------
=>[1] strlen(0x0, 0x0, 0xffbf9f60, 0x7efefeff, 0x81010100, 0x0), at 0xef8b44e4
[2] sqliteSetString(0xffbfdf3c, 0x0, 0x3f9268, 0x539ca0, 0x0, 0x0), at 0x1fa914
[3] sqliteOsFullPathname(0x539ca0, 0x0, 0x0, 0x62, 0x0, 0x3f9000), at 0x1eb3cc
[4] sqlitepager_open(0x51a854, 0x539ca0, 0x7d0, 0x118, 0x1, 0x46bc00), at 0x1ec3d0
[5] sqliteBtreeOpen(0x539ca0, 0x0, 0x7d0, 0x539cc4, 0x1, 0x51a850), at 0x1d2100
[6] sqlite_open(0x539ca0, 0x539cb8, 0xffbfe1d4, 0x539d28, 0x2, 0x539cc4), at 0x1e8fc4
[7] zif_sqlite_open(0x539ca0, 0x539c58, 0x0, 0x0, 0x480ce4, 0x1b6), at 0x1c421c
[8] zend_do_fcall_common_helper(0x52bd80, 0x538480, 0x1, 0x498bf0, 0xffbfe2ec, 0x538490), at 0x39d83c
[9] execute(0x534220, 0xffffffff, 0x39de10, 0xffbfe2ec, 0x4, 0x498c18), at 0x398964
[10] zend_execute_scripts(0x8, 0x0, 0xffbfe9c8, 0x416610, 0x416778, 0x2), at 0x35beb4
[11] php_execute_script(0xffbfe9c8, 0xffbfe910, 0x0, 0x49ae28, 0x0, 0x49ae38), at 0x2ecdfc
[12] main(0x0, 0x1, 0xffffffff, 0x4940d8, 0x0, 0x41c000), at 0x3a58a4
--
Edit bug report at http://bugs.php.net/?id=34579&edit=1