It does not really read past it, but internally it does a strlen() on the %s argument, which is where the valgrind shows the message. Technically that code needs to be reviewed, but just from general use case I think its safer not to pass non-terminated char pointers around.


On 11-Dec-08, at 11:50 AM, Nuno Lopes wrote:

Weird.. Isn't that a bug in php_stream_printf() then? I would say it shouldn't read past the specified length.. otherwise the same bug may appear in other places.
What do you think?

Nuno

----- Original Message -----
The patch was already n 5.2, the issue is that the str (key) is not guaranteed to be NULL terminated (nor does it need to be), so when strlen() is attempted on top of it you could end up reading more data then necessary.


On 11-Dec-08, at 10:43 AM, Nuno Lopes wrote:

Modified files:              (Branch: PHP_5_3)
 /php-src/ext/pdo pdo_stmt.c
Log:
Fixed a possible corruption inside PDOStatement::debugDumpParams()


http://cvs.php.net/viewvc.cgi/php-src/ext/pdo/pdo_stmt.c?r1=1.118.2.38.2.24.2.39&r2=1.118.2.38.2.24.2.40&diff_format=u
Index: php-src/ext/pdo/pdo_stmt.c
diff -u php-src/ext/pdo/pdo_stmt.c:1.118.2.38.2.24.2.39 php-src/ ext/ pdo/pdo_stmt.c:1.118.2.38.2.24.2.40
@@ -2209,7 +2209,9 @@
if (res == HASH_KEY_IS_LONG) {
php_stream_printf(out TSRMLS_CC, "Key: Position #%ld:\n", num);
} else if (res == HASH_KEY_IS_STRING) {
- php_stream_printf(out TSRMLS_CC, "Key: Name: [%d] %.*s\n", len, len, str);
+ char *s = estrndup(str, len);
+ php_stream_printf(out TSRMLS_CC, "Key: Name: [%d] %.*s\n", len, len, s);
+ efree(s);
}

Sorry for my ignorance, but isn't the new code exactly equivalent to the old one, albeit a bit slower? I can't really see how a strndup() can fix a corruption there.. If there's some problem, probably it's deeper than this..
Nuno

Ilia Alshanetsky


Ilia Alshanetsky





--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to