PHP :: Bug #49372 :: Segfault in function php_curl_option

PHP :: Bug #49372 :: Segfault in function php_curl_option_url

Bug #49372	Segfault in function php_curl_option_url
Submitted:	2009-08-26 13:30 UTC	Modified:	2009-08-26 22:24 UTC
From:	sergk at sergk dot org dot ua	Assigned:	pajoye (profile)
Status:	Closed	Package:	cURL related
PHP Version:	5.2.10	OS:	Debian GNU/Linux, kernel 2.6.30
Private report:	No	CVE-ID:	None

[2009-08-26 13:30 UTC] sergk at sergk dot org dot ua

Description:
------------
There is segfault in strncasecmp calling from this code:
curl/interface.c:186 :

if (!strncasecmp("file", uri->scheme, sizeof("file"))) {   
...

when URI is without protocol part hence uri->scheme is NULL.
Like in this example of backtrace:
#0  0xb7e20a8b in strncasecmp () from /lib/i686/cmov/libc.so.6
#1  0xb777dd11 in php_curl_option_url (ch=0x856be00, 
    url=0x856e360 "show.setlinks.ru/?host=SCREENEDHOSTNAME&k=WINDOWS-1251&p=b44eff595164745dee4a6a655a57a425", 
    len=<value optimized out>) at /opt/src/build/apache-1-dweb/dbuild/003d/php-5.2.10/ext/curl/interface.c:187

This bug is also present in last 5.2.x development snapshot.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-08-26 13:35 UTC] sergk at sergk dot org dot ua

this patch will fix bug:

--- php-5.2.10.orig/ext/curl/interface.c        2009-06-15 12:38:11.000000000 +0000
+++ php-5.2.10/ext/curl/interface.c     2009-08-26 11:22:15.000000000 +0000
@@ -183,10 +183,12 @@
                        return 0;
                }
 
-               if (!strncasecmp("file", uri->scheme, sizeof("file"))) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol 'file' disabled in cURL");
-                       php_url_free(uri);
-                       return 0;
+               if (uri->scheme != NULL) {
+                       if (!strncasecmp("file", uri->scheme, sizeof("file")-1)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol 'file' disabled in cURL");
+                               php_url_free(uri);
+                               return 0;
+                       }
                }
                php_url_free(uri);
 #endif

[2009-08-26 14:11 UTC] pajoye@php.net

Thanks for the patch.
Do you have a small code to test it? I could quickly use it as phpt.

[2009-08-26 17:13 UTC] sergk at sergk dot org dot ua

Yes, this one trigger segfault, but only in mod_php mode:

<?PHP
  $curl = curl_init("www.php.net/manual/en/function.curl-init.php");
  curl_exec($curl);
  curl_close($curl);
?>

[2009-08-26 18:18 UTC] pajoye@php.net

Thanks for the script.

An easy fix would be to update the Curl library to a more recent version (recommended).

I will apply the fix shortly (need to fetch an old curl first).

[2009-08-26 20:21 UTC] jani@php.net

Please don't apply that patch, you can do it with single line change 
too.. if (uri->scheme && !strncasecmp("file", uri->scheme, 
sizeof("file"))) rather than having several lines changed for nothing.

[2009-08-26 22:24 UTC] pajoye@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.