Use of uninitialised value on mssql_guid_string
| Bug #72039 | Use of uninitialised value on mssql_guid_string | | |
|---|---|---|---|
| Submitted: | 2016-04-17 04:51 UTC | Modified: | 2016-08-06 08:18 UTC |
| From: | fernando at null-life dot com | Assigned: | kalle (profile) |
| Status: | Closed | Package: | MSSQL related |
| PHP Version: | 5.6.20 | OS: | Linux |
| Private report: | No | CVE-ID: | None |
[2016-04-17 04:51 UTC] fernando at null-life dot com
Description:
------------
Tested under PHP 5.6.20 but should affect 5.5.34 too
https://github.com/php/php-src/blob/PHP-5.5.34/ext/mssql/php_mssql.c#L2278

Steps
1) Compile PHP 5.6.20 with debugging symbols.
2) Run PHP under valgrind with the test case
$ valgrind /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php

Test script:
---------------
```php
<?php
var_dump(mssql_guid_string(0));
```

Expected result:
----------------
No warnings

Actual result:
--------------
```text
fmunozs@fuzzilla:/ramdisk/ww$ valgrind /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php
==2099== Memcheck, a memory error detector
==2099== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==2099== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==2099== Command: /home/fmunozs/phpgit/php56dbg/sapi/cli/php -n -dextension=/home/fmunozs/phpgit/php56dbg/modules/mssql.so mssql.php
==2099==
==2099== Conditional jump or move depends on uninitialised value(s)
==2099==    at 0x42F807B: toupper (ctype.c:52)
==2099==    by 0x8353579: php_strtoupper (string.c:1360)
==2099==    by 0x4049C7D: zif_mssql_guid_string (php_mssql.c:2278)
==2099==    by 0x849351E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==2099==    by 0x849846A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==2099==    by 0x8492CBE: execute_ex (zend_vm_execute.h:363)
==2099==    by 0x8492D43: zend_execute (zend_vm_execute.h:388)
==2099==    by 0x8454594: zend_execute_scripts (zend.c:1341)
==2099==    by 0x83C9A40: php_execute_script (main.c:2613)
==2099==    by 0x84FCD29: do_cli (php_cli.c:994)
==2099==    by 0x84FE0C3: main (php_cli.c:1378)
==2099==
==2099== Use of uninitialised value of size 4
==2099==    at 0x42F8092: toupper (ctype.c:52)
==2099==    by 0x8353579: php_strtoupper (string.c:1360)
==2099==    by 0x4049C7D: zif_mssql_guid_string (php_mssql.c:2278)
==2099==    by 0x849351E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==2099==    by 0x849846A: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==2099==    by 0x8492CBE: execute_ex (zend_vm_execute.h:363)
==2099==    by 0x8492D43: zend_execute (zend_vm_execute.h:388)
==2099==    by 0x8454594: zend_execute_scripts (zend.c:1341)
==2099==    by 0x83C9A40: php_execute_script (main.c:2613)
==2099==    by 0x84FCD29: do_cli (php_cli.c:994)
==2099==    by 0x84FE0C3: main (php_cli.c:1378)
==2099==
string(2) "�"
```
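The valgrind trace above shows the formatter working on a buffer that a one-byte argument never fully filled. As an added example (not php-src code and not the fix that was committed for this bug), here is a small C GUID formatter that rejects anything other than exactly 16 input bytes before it reads any of them; the mixed-endian field order is the SQL Server uniqueidentifier layout, and the sample bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUID_BIN_LEN 16
#define GUID_STR_LEN 36  /* 32 hex digits + 4 dashes */

/* Format a raw 16-byte GUID as "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX".
 * Returns 0 on success, -1 on bad input. `out` must hold GUID_STR_LEN + 1
 * bytes. Hypothetical helper written for this example, not ext/mssql code. */
int guid_to_string(const unsigned char *bin, size_t len, char *out, size_t out_len)
{
    /* The defensive check the bug report calls for: a short argument must be
     * refused up front, never formatted from partly uninitialised memory. */
    if (bin == NULL || out == NULL || len != GUID_BIN_LEN || out_len < GUID_STR_LEN + 1)
        return -1;

    /* Input byte index for each output position: the first three fields are
     * stored little-endian, the last eight bytes in order (SQL Server layout). */
    static const int order[GUID_BIN_LEN] = {3,2,1,0, 5,4, 7,6, 8,9, 10,11,12,13,14,15};
    static const char hex[] = "0123456789ABCDEF";
    size_t pos = 0;
    for (int i = 0; i < GUID_BIN_LEN; i++) {
        if (i == 4 || i == 6 || i == 8 || i == 10)
            out[pos++] = '-';
        out[pos++] = hex[bin[order[i]] >> 4];
        out[pos++] = hex[bin[order[i]] & 0x0F];
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: the 16 bytes 00 01 02 ... 0F. */
    unsigned char sample[GUID_BIN_LEN];
    for (int i = 0; i < GUID_BIN_LEN; i++) sample[i] = (unsigned char)i;
    char buf[GUID_STR_LEN + 1];
    if (guid_to_string(sample, sizeof sample, buf, sizeof buf) == 0)
        printf("%s\n", buf);  /* 03020100-0504-0706-0809-0A0B0C0D0E0F */

    /* The report's input, the single byte "0": rejected instead of read past. */
    if (guid_to_string((const unsigned char *)"0", 1, buf, sizeof buf) != 0)
        puts("rejected: GUID must be exactly 16 bytes");
    return 0;
}
```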
History
[2016-08-06 05:14 UTC] kalle@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: kalle
[2016-08-06 08:19 UTC] kalle@php.net
-Status: Assigned
+Status: Closed
[2016-08-06 08:19 UTC] kalle@php.net