Calls to session_name() segfault when session.name is null.
| Bug #66481 | Calls to session_name() segfault when session.name is null. |
|---|---|
| Submitted: | 2014-01-13 23:52 UTC |
| Modified: | - |
| From: | cmcdermottroe at engineyard dot com |
| Assigned: | |
| Status: | Closed |
| Package: | Session related |
| PHP Version: | master-Git-2014-01-13 (Git) |
| OS: | Ubuntu 12.04 LTS |
| Private report: | No |
| CVE-ID: | None |
[2014-01-13 23:52 UTC] cmcdermottroe at engineyard dot com
Description:
------------
I first noticed this bug when using the PHP 5.4 and 5.5 packages in Ondřej Surý's PPAs (https://launchpad.net/~ondrej/+archive/php5 and https://launchpad.net/~ondrej/+archive/php5-oldstable) but I've been able to replicate it from a git checkout.

Reproduction steps from packages:

```
$ php -d session.name= -r 'session_name("foo");'
Segmentation fault (core dumped)
```

Reproduction steps from git:

```
$ git clone https://github.com/php/php-src.git
$ cd php-src
$ ./buildconf
$ ./configure
$ make
$ ./sapi/cli/php -d session.name= -r 'session_name("foo");'
Segmentation fault (core dumped)
```

Test script:
---------------
```php
<?php
/* This will segfault if session.name is configured to be blank. */
session_name("foo");
?>
```

Expected result:
----------------
No segmentation faults. (I would expect that if the prior value of session.name is null then session_name("something") would return null.)

Actual result:
--------------
```
#0  0x00007f88e81a4b91 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00000000005888cf in zif_session_name (ht=<optimized out>, return_value=0x7f88e9158440, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/vagrant/php-src/ext/session/session.c:1687
#2  0x0000000000733cf1 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f88e91260a8) at /home/vagrant/php-src/Zend/zend_vm_execute.h:554
#3  0x00000000006fd6e8 in execute_ex (execute_data=0x7f88e91260a8) at /home/vagrant/php-src/Zend/zend_vm_execute.h:363
#4  0x0000000000688eb2 in zend_eval_stringl (str=<optimized out>, str_len=<optimized out>, retval_ptr=0x0, string_name=0xa7ed60 "Command line code") at /home/vagrant/php-src/Zend/zend_execute_API.c:1200
#5  0x0000000000688f99 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>, string_name=<optimized out>, handle_exceptions=1) at /home/vagrant/php-src/Zend/zend_execute_API.c:1247
#6  0x0000000000736c62 in do_cli (argc=5, argv=0x23fd890) at /home/vagrant/php-src/sapi/cli/php_cli.c:1034
#7  0x00000000004273c7 in main (argc=5, argv=0x23fd890) at /home/vagrant/php-src/sapi/cli/php_cli.c:1378
```
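The crash in the report is a NULL pointer reaching a libc string routine from inside `zif_session_name` (frame #0 is in libc, frame #1 is `session.c:1687`). The following C model is an added example, not code from php-src: it reproduces the getter/setter shape of `session_name()` with a hypothetical `session_globals` struct, shows the unguarded copy that dereferences NULL when no name is configured, and a guarded variant that returns NULL for the previous name, which is the behaviour the reporter says they expect. The treatment of an empty `session.name` INI value as "no name" (`NULL`) is an assumption made for the example.

```c
/* Added example, not PHP's source. Models the session_name() getter/setter
 * pattern on a hypothetical globals struct to show the NULL-name hazard. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the session module's global state. */
struct session_globals {
    char *session_name;   /* NULL when no usable name is configured */
};

/* Portable strdup replacement (strdup is POSIX, not ISO C). */
static char *dup_str(const char *s)
{
    size_t len = strlen(s);
    char *copy = malloc(len + 1);
    if (copy) memcpy(copy, s, len + 1);
    return copy;
}

/* Model of the INI handler. Assumption for this example: an empty
 * session.name (as produced by `-d session.name=`) leaves the slot NULL. */
static void apply_ini_session_name(struct session_globals *g, const char *ini_value)
{
    free(g->session_name);
    g->session_name = (ini_value && *ini_value) ? dup_str(ini_value) : NULL;
}

/* Unguarded pattern: copy the previous name before replacing it, with no
 * check that a previous name exists. With session_name == NULL the strlen()
 * call dereferences NULL inside libc, the same shape as frame #0 in the
 * reported backtrace. Callers must not pass a NULL-name state here. */
static char *session_name_unguarded(struct session_globals *g, const char *new_name)
{
    char *old = dup_str(g->session_name);   /* crashes when session_name == NULL */
    free(g->session_name);
    g->session_name = dup_str(new_name);
    return old;
}

/* Guarded version: a missing previous name yields NULL instead of a crash. */
static char *session_name_guarded(struct session_globals *g, const char *new_name)
{
    char *old = g->session_name ? dup_str(g->session_name) : NULL;
    free(g->session_name);
    g->session_name = (new_name && *new_name) ? dup_str(new_name) : NULL;
    return old;
}

/* Walks the reporter's CLI scenario against the guarded version:
 * `-d session.name=` followed by session_name("foo").
 * Returns 1 when the old name is NULL and the new name is stored. */
static int demo_empty_ini_returns_null(void)
{
    struct session_globals g = { NULL };
    apply_ini_session_name(&g, "");          /* models -d session.name= */
    char *old = session_name_guarded(&g, "foo");
    int ok = (old == NULL) && g.session_name && strcmp(g.session_name, "foo") == 0;
    free(old);
    free(g.session_name);
    return ok;
}

/* Normal case for both variants: a configured name is returned on change.
 * Returns 1 when both return "PHPSESSID" and store "foo". */
static int demo_configured_name_is_returned(void)
{
    struct session_globals g = { NULL };
    apply_ini_session_name(&g, "PHPSESSID");
    char *old1 = session_name_unguarded(&g, "foo");
    int ok = old1 && strcmp(old1, "PHPSESSID") == 0 && strcmp(g.session_name, "foo") == 0;
    free(old1);
    apply_ini_session_name(&g, "PHPSESSID");
    char *old2 = session_name_guarded(&g, "foo");
    ok = ok && old2 && strcmp(old2, "PHPSESSID") == 0 && strcmp(g.session_name, "foo") == 0;
    free(old2);
    free(g.session_name);
    return ok;
}

int main(void)
{
    printf("empty ini -> NULL old name: %s\n", demo_empty_ini_returns_null() ? "ok" : "FAIL");
    printf("configured name returned:   %s\n", demo_configured_name_is_returned() ? "ok" : "FAIL");
    return 0;
}
```

The guarded setter also refuses to store an empty new name, so a later call cannot reintroduce the NULL-name state through the setter; whatever the real INI handler does with an empty value, the getter path must tolerate a NULL pointer before handing it to any string routine.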
[2015-07-10 13:21 UTC] spam2 at rhsoft dot net