PHP :: Bug #72716 :: php_stream_ftp_stream_close leaks stack memory
| Bug #72716 | php_stream_ftp_stream_close leaks stack memory | ||||
|---|---|---|---|---|---|
| Submitted: | 2016-07-31 05:18 UTC | Modified: | 2016-08-04 05:58 UTC | ||
| From: | fernando at null-life dot com | Assigned: | |||
| Status: | Closed | Package: | FTP related | ||
| PHP Version: | 5.6.24 | OS: | * | ||
| Private report: | No | CVE-ID: | None | ||
[2016-07-31 05:18 UTC] fernando at null-life dot com
Description:
------------
Description
===========
tmp_line is never assigned a value in this scope, so if an error occurs it will log information from the stack on php_error_docref.

https://github.com/php/php-src/blob/PHP-7.0.9/ext/standard/ftp_fopen_wrapper.c#L111-L117

Code
====
    char tmp_line[512];
    int result;

    /* For write modes close data stream first to signal EOF to server */
    result = GET_FTP_RESULT(controlstream);
    if (result != 226 && result != 250) {
        php_error_docref(NULL, E_WARNING, "FTP server error %d:%s", result, tmp_line);

Fix
===
There's probably a missing call to php_stream_notify_error here.

Test script:
---------------
Not available

Expected result:
----------------
No warnings

Actual result:
--------------
valgrind output

==22586== Use of uninitialised value of size 4
==22586==    at 0x4DC528B: ____strtol_l_internal (strtol_l.c:435)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4DC52CE: ____strtol_l_internal (strtol_l.c:437)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Use of uninitialised value of size 4
==22586==    at 0x4DC5394: ____strtol_l_internal (strtol_l.c:461)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4DC5327: ____strtol_l_internal (strtol_l.c:479)
==22586==    by 0x4DC4EFF: strtol (strtol.c:106)
==22586==    by 0x28082C: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
==22586==    by 0x2E9A8D: dtrace_execute_internal (in /usr/bin/php7.0)
==22586==    by 0x380704: ??? (in /usr/bin/php7.0)
==22586==    by 0x339719: execute_ex (in /usr/bin/php7.0)
==22586==    by 0x2E98F4: dtrace_execute_ex (in /usr/bin/php7.0)
==22586==    by 0x390175: zend_execute (in /usr/bin/php7.0)
==22586==
==22586== Conditional jump or move depends on uninitialised value(s)
==22586==    at 0x4830387: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22586==    by 0x29BC3E: ??? (in /usr/bin/php7.0)
==22586==    by 0x29CC57: vspprintf (in /usr/bin/php7.0)
==22586==    by 0x16FC9E: ??? (in /usr/bin/php7.0)
==22586==    by 0x1719A1: zend_error (in /usr/bin/php7.0)
==22586==    by 0x1709ED: php_verror (in /usr/bin/php7.0)
==22586==    by 0x170A82: php_error_docref0 (in /usr/bin/php7.0)
==22586==    by 0x28085F: ??? (in /usr/bin/php7.0)
==22586==    by 0x2B0493: _php_stream_free (in /usr/bin/php7.0)
==22586==    by 0x242CC6: zif_file_get_contents (in /usr/bin/php7.0)
==22586==    by 0x776011A: ??? (in /usr/lib/php/20151012/phar.so)
==22586==    by 0x38E621: execute_internal (in /usr/bin/php7.0)
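The valgrind trace above shows the uninitialised bytes entering through strtol() and then through the "%s" in the warning: the reply buffer is only written when a line is actually read from the control connection, so a read that returns nothing leaves the buffer untouched. The following is an added example, not code from the report or from php-src. fake_stream and fake_gets are hypothetical stand-ins for php_stream and php_stream_gets(); the reply-parsing loop is modelled on the shape of get_ftp_result() as the report's link shows it, and the "hardened" variant's up-front NUL terminator is an illustration of the class of fix, not the patch the maintainers applied. Because reading genuinely uninitialised stack is undefined behaviour and non-deterministic, the example reuses one buffer across two calls so that the stale contents are reproducible: the first call fills it with an earlier reply, the second "server" returns nothing, and the warning text leaks the earlier reply exactly as leftover stack would leak in the real function.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a php_stream control connection: a fixed list of
 * reply lines the "server" hands back, then nothing (closed / timed out). */
typedef struct {
    const char **lines;
    size_t nlines;
    size_t next;
} fake_stream;

/* Stand-in for php_stream_gets(): copy the next line into buf, or return
 * NULL when there is nothing more to read. Note buf is untouched on NULL. */
static char *fake_gets(fake_stream *s, char *buf, size_t size)
{
    if (s->next >= s->nlines) {
        return NULL;
    }
    strncpy(buf, s->lines[s->next++], size - 1);
    buf[size - 1] = '\0';
    return buf;
}

/* "NNN " at the start of a line marks the final reply line of an FTP response. */
static int is_reply_code(const char *b)
{
    return isdigit((unsigned char)b[0]) && isdigit((unsigned char)b[1]) &&
           isdigit((unsigned char)b[2]) && b[3] == ' ';
}

/* Vulnerable shape: the buffer is written only if a line is read. When the
 * first read already fails, strtol() and the caller's "%s" consume whatever
 * the buffer held before the call (leftover stack data in the real function). */
static long get_ftp_result_vuln(fake_stream *s, char *buffer, size_t buffer_size)
{
    while (fake_gets(s, buffer, buffer_size - 1) && !is_reply_code(buffer)) {
        /* skip intermediate lines of a multi-line reply */
    }
    return strtol(buffer, NULL, 10);
}

/* Hardened shape (illustrative): terminate the buffer before any read, so an
 * empty read yields reply code 0 and an empty string instead of stale bytes. */
static long get_ftp_result_fixed(fake_stream *s, char *buffer, size_t buffer_size)
{
    buffer[0] = '\0';
    while (fake_gets(s, buffer, buffer_size - 1) && !is_reply_code(buffer)) {
        /* skip intermediate lines of a multi-line reply */
    }
    return strtol(buffer, NULL, 10);
}

/* Mirrors the close path from the report: one 512-byte buffer, the close-time
 * read gets no data, and a non-226/250 code triggers the warning text.
 * Returns the reply code and writes the would-be warning message to out. */
long demo(int hardened, char *out, size_t outsize)
{
    char tmp_line[512];
    const char *earlier[] = { "331 Password required for user\r\n" };  /* constructed */
    const char *nothing[] = { NULL };                                 /* constructed */
    fake_stream s1 = { earlier, 1, 0 };
    fake_stream s2 = { nothing, 0, 0 };
    long code;

    /* Earlier traffic leaves bytes behind in the buffer; this stands in for
     * the stale stack contents tmp_line has when the real function starts. */
    (void)get_ftp_result_vuln(&s1, tmp_line, sizeof(tmp_line));

    code = hardened ? get_ftp_result_fixed(&s2, tmp_line, sizeof(tmp_line))
                    : get_ftp_result_vuln(&s2, tmp_line, sizeof(tmp_line));

    if (code != 226 && code != 250) {
        /* The php_error_docref() site from the report: "%s" prints tmp_line. */
        snprintf(out, outsize, "FTP server error %ld:%s", code, tmp_line);
    } else {
        out[0] = '\0';
    }
    return code;
}

int main(void)
{
    char msg[600];
    long c = demo(0, msg, sizeof msg);
    printf("vulnerable: code=%ld message=%s\n", c, msg);
    c = demo(1, msg, sizeof msg);
    printf("hardened:   code=%ld message=%s\n", c, msg);
    return 0;
}
```

Run as-is, the vulnerable path reports code 331 and echoes the earlier "Password required" line into the warning, even though the server sent nothing at close time; the hardened path reports code 0 with an empty payload. The practical check for the real build is the one the reporter used: run the offending script under valgrind (or a MemorySanitizer build) and look for strtol() and vspprintf() frames operating on uninitialised bytes.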
[2016-08-04 05:58 UTC] stas@php.net
-Type: Security +Type: Bug -PHP Version: 7.0.9 +PHP Version: 5.6.24
[2016-08-04 05:58 UTC] stas@php.net
[2016-08-04 06:04 UTC] stas@php.net
-Status: Open +Status: Closed