pointer returned by php_stream_fopen_temporary_file not validated in memory.c
| Bug #68986 | pointer returned by php_stream_fopen_temporary_file not validated in memory.c | ||||
|---|---|---|---|---|---|
| Submitted: | 2015-02-05 04:25 UTC | Modified: | 2015-02-05 08:41 UTC | ||
| From: | nayana at ddproperty dot com | Assigned: | laruence (profile) | ||
| Status: | Closed | Package: | Streams related | ||
| PHP Version: | master-Git-2015-02-05 (Git) | OS: | Linux | ||
| Private report: | No | CVE-ID: | None | ||
[2015-02-05 04:25 UTC] nayana at ddproperty dot com
Description:
------------
it seems that the pointer returned by php_stream_fopen_temporary_file / php_stream_fopen_tmpfile is not validated prior to use in memory.c in the case where a script is executed in an environment where the TMPDIR is not writable to the user, it will cause a SIGSEGV.
from the script side any code that utilize php://temp with 2MB+ buffer with the above condition will encounter this issue.
i have fixed the problem on all the calling code in memory.c using php_error_docref, i see that in phar they have handled the condition with zend_throw_exception_ex. i am not in a position to decide which one is best at this time. i think a friendly warning is better than a SIGSEGV at this point :)
i have validated this problem exists on github-master and releases 5.4.37, 5.4.17
i will post my pull-request in a comment
Test script:
---------------
#mkdir /tmp/x
#chmod 444 /tmp/x
#export TMPDIR=/tmp/x
$fp = fopen('php://temp', 'r+');
$data = implode('', array_fill(0, (1024 * 1024 * 2), 'A'));
fwrite($fp, $data);
Patches
fix.patch (last revision 2015-02-05 04:29 UTC by Nayana at ddproperty dot com)Pull Requests
History
AllCommentsChangesGit/SVN commits
[2015-02-05 08:41 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence