1 27th May 22:01
php-bugs
External User
 
Posts: 1
Default #36928 : error_log with invalid arguments crashes PHP


From: michaelw at webcentral dot com dot au
Operating system: Solaris 9 /
PHP version: 4.4.2
PHP Bug Type: Reproducible crash
Bug description: error_log with invalid arguments crashes PHP

Description:
------------
This was noticed by a developer making a typo ( , instead of . ) when
attempting to concat strings within the parameters of error_log. It is
reported as a bug because it causes a segfault in PHP which causes the
webserver to crash.

Reproduce code:
---------------
<html>
<body>
<?php
error_log("commas can crash ",($_SERVER['HTTPS'] != 'off'));
?>
<p>
Test..</p>
</body>
</html>


Expected result:
----------------
Presumably an error indicating that the 2nd parameter passed to error_log
is invalid.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.


(gdb) bt
#0 0xfedb451c in strlen () from /usr/lib/libc.so.1
#1 0xfee06f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xfee089e4 in fprintf () from /usr/lib/libc.so.1
#3 0x000d0970 in php_mail (to=0x0, subject=0x193868 "To: %s\n",
message=0x0, headers=0x0, extra_cmd=0x0,
tsrm_ls=0x0) at /opt/admin/build/php-4.4.2/ext/standard/mail.c:228


Presumably the variable should be sanity checked both in php_mail and the
error_log function..

--
Edit bug report at http://bugs.php.net/?id=36928&edit=1
2 27th May 22:01
External User
 
Posts: 1
Default #36928 : error_log with invalid arguments crashes PHP


ID: 36928
Updated by: bjori@php.net
Reported By: michaelw at webcentral dot com dot au
-Status: Open
+Status: Feedback
Bug Type: Reproducible crash
Operating System: Solaris 9 /
PHP Version: 4.4.2
New Comment:

Please try using this CVS snapshot:

http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Can't reproduce


Previous Comments:
------------------------------------------------------------------------

[2006-03-31 03:08:23] michaelw at webcentral dot com dot au

Description:
------------
This was noticed by a developer making a typo ( , instead of . ) when
attempting to concat strings within the parameters of error_log. It is
reported as a bug because it causes a segfault in PHP which causes the
webserver to crash.

Reproduce code:
---------------
<html>
<body>
<?php
error_log("commas can crash ",($_SERVER['HTTPS'] != 'off'));
?>
<p>
Test..</p>
</body>
</html>


Expected result:
----------------
Presumably an error indicating that the 2nd parameter passed to
error_log is invalid.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.


(gdb) bt
#0 0xfedb451c in strlen () from /usr/lib/libc.so.1
#1 0xfee06f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xfee089e4 in fprintf () from /usr/lib/libc.so.1
#3 0x000d0970 in php_mail (to=0x0, subject=0x193868 "To: %s\n",
message=0x0, headers=0x0, extra_cmd=0x0,
tsrm_ls=0x0) at /opt/admin/build/php-4.4.2/ext/standard/mail.c:228


Presumably the variable should be sanity checked both in php_mail and
the error_log function..


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=36928&edit=1
3 27th May 22:01
php-bugs
External User
 
Posts: 1
Default #36928 : error_log with invalid arguments crashes PHP


ID: 36928
User updated by: michaelw at webcentral dot com dot au
Reported By: michaelw at webcentral dot com dot au
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: Solaris 9 /
PHP Version: 4.4.2
New Comment:

Hey,

This is a better 'Reproduce Code' (it doesn't attempt to send an email
if the 2nd variable is a 0, and hence doesn't crash, so depending on
what $_SERVER['HTTPS'] evaluated to for you, it might not have
errored..):

<html>
<body>
<?php
error_log("commas can crash ",1);
?>
<p>
Test..</p>
</body>
</html>

I'm currently compiling the suggested CVS snapshot and will let you
know when I have a result.


Previous Comments:
------------------------------------------------------------------------

[2006-03-31 03:32:05] bjori@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Can't reproduce

------------------------------------------------------------------------

[2006-03-31 03:08:23] michaelw at webcentral dot com dot au

Description:
------------
This was noticed by a developer making a typo ( , instead of . ) when
attempting to concat strings within the parameters of error_log. It is
reported as a bug because it causes a segfault in PHP which causes the
webserver to crash.

Reproduce code:
---------------
<html>
<body>
<?php
error_log("commas can crash ",($_SERVER['HTTPS'] != 'off'));
?>
<p>
Test..</p>
</body>
</html>


Expected result:
----------------
Presumably an error indicating that the 2nd parameter passed to
error_log is invalid.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.


(gdb) bt
#0 0xfedb451c in strlen () from /usr/lib/libc.so.1
#1 0xfee06f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xfee089e4 in fprintf () from /usr/lib/libc.so.1
#3 0x000d0970 in php_mail (to=0x0, subject=0x193868 "To: %s\n",
message=0x0, headers=0x0, extra_cmd=0x0,
tsrm_ls=0x0) at /opt/admin/build/php-4.4.2/ext/standard/mail.c:228


Presumably the variable should be sanity checked both in php_mail and
the error_log function..


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=36928&edit=1
4 27th May 22:01
php-bugs
External User
 
Posts: 1
Default #36928 : error_log with invalid arguments crashes PHP


ID: 36928
User updated by: michaelw at webcentral dot com dot au
Reported By: michaelw at webcentral dot com dot au
Status: Open
Bug Type: Reproducible crash
Operating System: Solaris 9 /
PHP Version: 4.4.2
New Comment:

I've verified I can reproduce it with the latest CVS snapshot with a
compile string of:

../configure --prefix=/opt/php --with-nsapi=/opt/sunapps/web
--enable-debug

It's probably also worth noting I can replicate it using the CLI..

# gdb sapi/cli/php
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.9"...set
(gdb) set args
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php
(gdb) run
Starting program:
/opt/admin/build/php4-STABLE-200603310035/sapi/cli/php
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php

Program received signal SIGSEGV, Segmentation fault.
0xff13451c in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff13451c in strlen () from /usr/lib/libc.so.1
#1 0xff186f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xff1889e4 in fprintf () from /usr/lib/libc.so.1
#3 0x0009c374 in php_mail (to=0x0, subject=0x15c8e0 "To: %s\n",
message=0x0, headers=0xff1bc000 "",
extra_cmd=0x2134a8 "s\022", tsrm_ls=0x1a6278)
at
/opt/admin/build/php4-STABLE-200603310035/ext/standard/mail.c:228


Previous Comments:
------------------------------------------------------------------------

[2006-03-31 03:50:28] michaelw at webcentral dot com dot au

Hey,

This is a better 'Reproduce Code' (it doesn't attempt to send an email
if the 2nd variable is a 0, and hence doesn't crash, so depending on
what $_SERVER['HTTPS'] evaluated to for you, it might not have
errored..):

<html>
<body>
<?php
error_log("commas can crash ",1);
?>
<p>
Test..</p>
</body>
</html>

I'm currently compiling the suggested CVS snapshot and will let you
know when I have a result.

------------------------------------------------------------------------

[2006-03-31 03:32:05] bjori@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Can't reproduce

------------------------------------------------------------------------

[2006-03-31 03:08:23] michaelw at webcentral dot com dot au

Description:
------------
This was noticed by a developer making a typo ( , instead of . ) when
attempting to concat strings within the parameters of error_log. It is
reported as a bug because it causes a segfault in PHP which causes the
webserver to crash.

Reproduce code:
---------------
<html>
<body>
<?php
error_log("commas can crash ",($_SERVER['HTTPS'] != 'off'));
?>
<p>
Test..</p>
</body>
</html>


Expected result:
----------------
Presumably an error indicating that the 2nd parameter passed to
error_log is invalid.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.


(gdb) bt
#0 0xfedb451c in strlen () from /usr/lib/libc.so.1
#1 0xfee06f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xfee089e4 in fprintf () from /usr/lib/libc.so.1
#3 0x000d0970 in php_mail (to=0x0, subject=0x193868 "To: %s\n",
message=0x0, headers=0x0, extra_cmd=0x0,
tsrm_ls=0x0) at /opt/admin/build/php-4.4.2/ext/standard/mail.c:228


Presumably the variable should be sanity checked both in php_mail and
the error_log function..


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=36928&edit=1
5 27th May 22:01
php-bugs
External User
 
Posts: 1
Default #36928 : error_log with invalid arguments crashes PHP


ID: 36928
Comment by: arnar at 8 dot is
Reported By: michaelw at webcentral dot com dot au
Status: Open
Bug Type: Reproducible crash
Operating System: Solaris 9 /
PHP Version: 4.4.2
New Comment:

This crash is caused by Solaris's libc not checking the fprintf
arguments, and PHP's fault for passing in a NULL argument.

Link to patch: http://php.is/patch/mail.patch

Index: ext/standard/mail.c
================================================== =================
RCS file: /repository/php-src/ext/standard/mail.c,v
retrieving revision 1.66.2.12.4.2
diff -u -r1.66.2.12.4.2 mail.c
--- ext/standard/mail.c 1 Jan 2006 13:46:57 -0000 1.66.2.12.4.2
+++ ext/standard/mail.c 31 Mar 2006 04:29:29 -0000
@@ -196,6 +196,10 @@
return 0;
#endif
}
+ if (to == NULL && headers == NULL) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid arguments");
+ return 0;
+ }
if (extra_cmd != NULL) {
sendmail_cmd = emalloc (strlen (sendmail_path) + strlen (extra_cmd)
+ 2);
strcpy (sendmail_cmd, sendmail_path);
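Review bot: The new guard `if (to == NULL && headers == NULL)` rejects the call only when both pointers are NULL, so it misses the case shown in the CLI backtrace earlier in the thread, where `to=0x0` but `headers` is an empty string rather than NULL. That call passes the guard and goes on to write a message with no recipient at all. Consider treating an empty `headers` as missing as well, or requiring `to` outright, and replace the generic "Invalid arguments" text with a warning that names the missing argument. `subject` and `message` are not checked in this hunk either.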
@@ -225,7 +229,9 @@
return 0;
}
#endif
- fprintf(sendmail, "To: %s\n", to);
+ if (to != NULL) {
+ fprintf(sendmail, "To: %s\n", to);
+ }
fprintf(sendmail, "Subject: %s\n", subject);
if (headers != NULL) {
fprintf(sendmail, "%s\n", headers);
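Review bot: `subject` on the unchanged line `fprintf(sendmail, "Subject: %s\n", subject);` still reaches a `%s` conversion without a NULL check, which is the same pattern this hunk fixes for `to`. Guard it the same way, or reject a NULL subject in the earlier argument check so that no pointer is formatted unchecked. When `to` is NULL the To: header is now dropped silently, which is only safe if the earlier check guarantees that `headers` actually carries a recipient.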


Previous Comments:
------------------------------------------------------------------------

[2006-03-31 03:56:10] michaelw at webcentral dot com dot au

I've verified I can reproduce it with the latest CVS snapshot with a
compile string of:

../configure --prefix=/opt/php --with-nsapi=/opt/sunapps/web
--enable-debug

It's probably also worth noting I can replicate it using the CLI..

# gdb sapi/cli/php
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.9"...set
(gdb) set args
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php
(gdb) run
Starting program:
/opt/admin/build/php4-STABLE-200603310035/sapi/cli/php
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php

Program received signal SIGSEGV, Segmentation fault.
0xff13451c in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff13451c in strlen () from /usr/lib/libc.so.1
#1 0xff186f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xff1889e4 in fprintf () from /usr/lib/libc.so.1
#3 0x0009c374 in php_mail (to=0x0, subject=0x15c8e0 "To: %s\n",
message=0x0, headers=0xff1bc000 "",
extra_cmd=0x2134a8 "s\022", tsrm_ls=0x1a6278)
at
/opt/admin/build/php4-STABLE-200603310035/ext/standard/mail.c:228

------------------------------------------------------------------------

[2006-03-31 03:50:28] michaelw at webcentral dot com dot au

Hey,

This is a better 'Reproduce Code' (it doesn't attempt to send an email
if the 2nd variable is a 0, and hence doesn't crash, so depending on
what $_SERVER['HTTPS'] evaluated to for you, it might not have
errored..):

<html>
<body>
<?php
error_log("commas can crash ",1);
?>
<p>
Test..</p>
</body>
</html>

I'm currently compiling the suggested CVS snapshot and will let you
know when I have a result.

------------------------------------------------------------------------

[2006-03-31 03:32:05] bjori@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Can't reproduce

------------------------------------------------------------------------

[2006-03-31 03:08:23] michaelw at webcentral dot com dot au

Description:
------------
This was noticed by a developer making a typo ( , instead of . ) when
attempting to concat strings within the parameters of error_log. It is
reported as a bug because it causes a segfault in PHP which causes the
webserver to crash.

Reproduce code:
---------------
<html>
<body>
<?php
error_log("commas can crash ",($_SERVER['HTTPS'] != 'off'));
?>
<p>
Test..</p>
</body>
</html>


Expected result:
----------------
Presumably an error indicating that the 2nd parameter passed to
error_log is invalid.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.


(gdb) bt
#0 0xfedb451c in strlen () from /usr/lib/libc.so.1
#1 0xfee06f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xfee089e4 in fprintf () from /usr/lib/libc.so.1
#3 0x000d0970 in php_mail (to=0x0, subject=0x193868 "To: %s\n",
message=0x0, headers=0x0, extra_cmd=0x0,
tsrm_ls=0x0) at /opt/admin/build/php-4.4.2/ext/standard/mail.c:228


Presumably the variable should be sanity checked both in php_mail and
the error_log function..


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=36928&edit=1
6 27th May 22:01
External User
 
Posts: 1
Default #36928 : error_log with invalid arguments crashes PHP


ID: 36928
Updated by: bjori@php.net
Reported By: michaelw at webcentral dot com dot au
-Status: Open
+Status: Analyzed
Bug Type: Reproducible crash
Operating System: Solaris 9 /
PHP Version: 4.4.2
New Comment:

And a patch for error_log() to require 'destination' when set to send
email: http://php.is/bugs/36928/error_log.patch.txt


Previous Comments:
------------------------------------------------------------------------

[2006-03-31 06:33:54] arnar at 8 dot is

This crash is caused by Solaris's libc not checking the fprintf
arguments, and PHP's fault for passing in a NULL argument.

Link to patch: http://php.is/patch/mail.patch

Index: ext/standard/mail.c
================================================== =================
RCS file: /repository/php-src/ext/standard/mail.c,v
retrieving revision 1.66.2.12.4.2
diff -u -r1.66.2.12.4.2 mail.c
--- ext/standard/mail.c 1 Jan 2006 13:46:57 -0000 1.66.2.12.4.2
+++ ext/standard/mail.c 31 Mar 2006 04:29:29 -0000
@@ -196,6 +196,10 @@
return 0;
#endif
}
+ if (to == NULL && headers == NULL) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid arguments");
+ return 0;
+ }
if (extra_cmd != NULL) {
sendmail_cmd = emalloc (strlen (sendmail_path) + strlen (extra_cmd)
+ 2);
strcpy (sendmail_cmd, sendmail_path);
@@ -225,7 +229,9 @@
return 0;
}
#endif
- fprintf(sendmail, "To: %s\n", to);
+ if (to != NULL) {
+ fprintf(sendmail, "To: %s\n", to);
+ }
fprintf(sendmail, "Subject: %s\n", subject);
if (headers != NULL) {
fprintf(sendmail, "%s\n", headers);

------------------------------------------------------------------------

[2006-03-31 03:56:10] michaelw at webcentral dot com dot au

I've verified I can reproduce it with the latest CVS snapshot with a
compile string of:

../configure --prefix=/opt/php --with-nsapi=/opt/sunapps/web
--enable-debug

It's probably also worth noting I can replicate it using the CLI..

# gdb sapi/cli/php
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.9"...set
(gdb) set args
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php
(gdb) run
Starting program:
/opt/admin/build/php4-STABLE-200603310035/sapi/cli/php
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php

Program received signal SIGSEGV, Segmentation fault.
0xff13451c in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff13451c in strlen () from /usr/lib/libc.so.1
#1 0xff186f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xff1889e4 in fprintf () from /usr/lib/libc.so.1
#3 0x0009c374 in php_mail (to=0x0, subject=0x15c8e0 "To: %s\n",
message=0x0, headers=0xff1bc000 "",
extra_cmd=0x2134a8 "s\022", tsrm_ls=0x1a6278)
at
/opt/admin/build/php4-STABLE-200603310035/ext/standard/mail.c:228

------------------------------------------------------------------------

[2006-03-31 03:50:28] michaelw at webcentral dot com dot au

Hey,

This is a better 'Reproduce Code' (it doesn't attempt to send an email
if the 2nd variable is a 0, and hence doesn't crash, so depending on
what $_SERVER['HTTPS'] evaluated to for you, it might not have
errored..):

<html>
<body>
<?php
error_log("commas can crash ",1);
?>
<p>
Test..</p>
</body>
</html>

I'm currently compiling the suggested CVS snapshot and will let you
know when I have a result.

------------------------------------------------------------------------

[2006-03-31 03:32:05] bjori@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Can't reproduce

------------------------------------------------------------------------

[2006-03-31 03:08:23] michaelw at webcentral dot com dot au

Description:
------------
This was noticed by a developer making a typo ( , instead of . ) when
attempting to concat strings within the parameters of error_log. It is
reported as a bug because it causes a segfault in PHP which causes the
webserver to crash.

Reproduce code:
---------------
<html>
<body>
<?php
error_log("commas can crash ",($_SERVER['HTTPS'] != 'off'));
?>
<p>
Test..</p>
</body>
</html>


Expected result:
----------------
Presumably an error indicating that the 2nd parameter passed to
error_log is invalid.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.


(gdb) bt
#0 0xfedb451c in strlen () from /usr/lib/libc.so.1
#1 0xfee06f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xfee089e4 in fprintf () from /usr/lib/libc.so.1
#3 0x000d0970 in php_mail (to=0x0, subject=0x193868 "To: %s\n",
message=0x0, headers=0x0, extra_cmd=0x0,
tsrm_ls=0x0) at /opt/admin/build/php-4.4.2/ext/standard/mail.c:228


Presumably the variable should be sanity checked both in php_mail and
the error_log function..


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=36928&edit=1
8 27th May 22:01
php-bugs
External User
 
Posts: 1
Default #36928 : error_log with invalid arguments crashes PHP


ID: 36928
User updated by: michaelw at webcentral dot com dot au
Reported By: michaelw at webcentral dot com dot au
Status: Analyzed
Bug Type: Reproducible crash
Operating System: Solaris 9 /
PHP Version: 4.4.2
New Comment:

Thank you, this corrects the issue.

Just one more thing for completeness.. in the mail.c patch you test
the value of to before passing it to fprintf. Should the same thing be
done for the value of subject ?


Previous Comments:
------------------------------------------------------------------------

[2006-03-31 06:40:31] bjori@php.net

And a patch for error_log() to require 'destination' when set to send
email: http://php.is/bugs/36928/error_log.patch.txt

------------------------------------------------------------------------

[2006-03-31 06:33:54] arnar at 8 dot is

This crash is caused by Solaris's libc not checking the fprintf
arguments, and PHP's fault for passing in a NULL argument.

Link to patch: http://php.is/patch/mail.patch

Index: ext/standard/mail.c
================================================== =================
RCS file: /repository/php-src/ext/standard/mail.c,v
retrieving revision 1.66.2.12.4.2
diff -u -r1.66.2.12.4.2 mail.c
--- ext/standard/mail.c 1 Jan 2006 13:46:57 -0000 1.66.2.12.4.2
+++ ext/standard/mail.c 31 Mar 2006 04:29:29 -0000
@@ -196,6 +196,10 @@
return 0;
#endif
}
+ if (to == NULL && headers == NULL) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid arguments");
+ return 0;
+ }
if (extra_cmd != NULL) {
sendmail_cmd = emalloc (strlen (sendmail_path) + strlen (extra_cmd)
+ 2);
strcpy (sendmail_cmd, sendmail_path);
@@ -225,7 +229,9 @@
return 0;
}
#endif
- fprintf(sendmail, "To: %s\n", to);
+ if (to != NULL) {
+ fprintf(sendmail, "To: %s\n", to);
+ }
fprintf(sendmail, "Subject: %s\n", subject);
if (headers != NULL) {
fprintf(sendmail, "%s\n", headers);

------------------------------------------------------------------------

[2006-03-31 03:56:10] michaelw at webcentral dot com dot au

I've verified I can reproduce it with the latest CVS snapshot with a
compile string of:

../configure --prefix=/opt/php --with-nsapi=/opt/sunapps/web
--enable-debug

It's probably also worth noting I can replicate it using the CLI..

# gdb sapi/cli/php
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.9"...set
(gdb) set args
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php
(gdb) run
Starting program:
/opt/admin/build/php4-STABLE-200603310035/sapi/cli/php
/webdocs/school-hosting/centraloffice/mis-webcentral/www/crash2.php

Program received signal SIGSEGV, Segmentation fault.
0xff13451c in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff13451c in strlen () from /usr/lib/libc.so.1
#1 0xff186f88 in _doprnt () from /usr/lib/libc.so.1
#2 0xff1889e4 in fprintf () from /usr/lib/libc.so.1
#3 0x0009c374 in php_mail (to=0x0, subject=0x15c8e0 "To: %s\n",
message=0x0, headers=0xff1bc000 "",
extra_cmd=0x2134a8 "s\022", tsrm_ls=0x1a6278)
at
/opt/admin/build/php4-STABLE-200603310035/ext/standard/mail.c:228

------------------------------------------------------------------------

[2006-03-31 03:50:28] michaelw at webcentral dot com dot au

Hey,

This is a better 'Reproduce Code' (it doesn't attempt to send an email
if the 2nd variable is a 0, and hence doesn't crash, so depending on
what $_SERVER['HTTPS'] evaluated to for you, it might not have
errored..):

<html>
<body>
<?php
error_log("commas can crash ",1);
?>
<p>
Test..</p>
</body>
</html>

I'm currently compiling the suggested CVS snapshot and will let you
know when I have a result.

------------------------------------------------------------------------

[2006-03-31 03:32:05] bjori@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Can't reproduce

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/36928

--
Edit this bug report at http://bugs.php.net/?id=36928&edit=1
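
The two checks discussed in this thread (the NULL guard in the mail.c patch and requiring a destination when error_log() is set to send e-mail), together with the subject check asked about in the last comment, as an added C example that is not part of the original thread and is not PHP's own code. The names write_message, log_message and demo_send, the result codes, the subject text and the sample address are hypothetical; treating an empty string like NULL goes beyond the posted patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch (not PHP's own). */
enum mail_rc { MAIL_OK, MAIL_NO_RECIPIENT, MAIL_NO_SUBJECT, MAIL_NO_BODY, MAIL_IO_ERROR };

static int blank(const char *s) { return s == NULL || s[0] == '\0'; }

/*
 * Write a message to `out`, which stands in for the sendmail pipe.
 * No pointer reaches a "%s" conversion unchecked: NULL for %s is undefined
 * behaviour. Some libcs print "(null)"; the one in the backtrace calls
 * strlen() on the pointer and faults.
 */
enum mail_rc write_message(FILE *out, const char *to, const char *subject,
                           const char *message, const char *headers)
{
    /* The posted patch rejects to == NULL && headers == NULL. This sketch
       also treats "" as missing (headers is "" in the CLI backtrace). */
    if (blank(to) && blank(headers))
        return MAIL_NO_RECIPIENT;
    if (subject == NULL)   /* the extra check asked about in the thread */
        return MAIL_NO_SUBJECT;
    if (message == NULL)
        return MAIL_NO_BODY;

    if (!blank(to) && fprintf(out, "To: %s\n", to) < 0)
        return MAIL_IO_ERROR;
    if (fprintf(out, "Subject: %s\n", subject) < 0)
        return MAIL_IO_ERROR;
    if (!blank(headers) && fprintf(out, "%s\n", headers) < 0)
        return MAIL_IO_ERROR;
    if (fprintf(out, "\n%s\n", message) < 0)
        return MAIL_IO_ERROR;
    return MAIL_OK;
}

/*
 * Caller-side check modelled on error_log(message, message_type, ...):
 * message_type 1 means "send by e-mail" and is refused without a
 * destination, so bad arguments never reach the mail layer.
 * Returns 1 on success, 0 on rejected arguments or failure.
 */
int log_message(FILE *mail_out, FILE *log_out, const char *message,
                int message_type, const char *destination, const char *headers)
{
    if (message == NULL)
        return 0;
    switch (message_type) {
    case 0:   /* plain log line */
        return fprintf(log_out, "%s\n", message) >= 0;
    case 1:   /* e-mail */
        if (blank(destination)) {
            fprintf(log_out, "warning: message_type 1 needs a destination\n");
            return 0;
        }
        /* Constructed subject line for the demo. */
        return write_message(mail_out, destination, "error_log message",
                             message, headers) == MAIL_OK;
    default:
        return 0;
    }
}

char demo_out[512];   /* bytes that reached the "pipe" in the last demo_send() */

/* Run write_message() against a temporary file and capture the output. */
enum mail_rc demo_send(const char *to, const char *subject,
                       const char *message, const char *headers)
{
    FILE *f = tmpfile();
    enum mail_rc rc;
    size_t n;

    demo_out[0] = '\0';
    if (f == NULL)
        return MAIL_IO_ERROR;
    rc = write_message(f, to, subject, message, headers);
    rewind(f);
    n = fread(demo_out, 1, sizeof demo_out - 1, f);
    demo_out[n] = '\0';
    fclose(f);
    return rc;
}

int main(void)
{
    /* The report's call, error_log("commas can crash ", 1): no destination. */
    printf("caller accepted: %d\n",
           log_message(stdout, stderr, "commas can crash ", 1, NULL, NULL));
    /* The arguments from the backtrace handed straight to the mail layer. */
    printf("mail layer rc: %d\n", demo_send(NULL, "subject", NULL, ""));
    printf("valid rc: %d\n", demo_send("ops@example.test", "subject", "body", NULL));
    fputs(demo_out, stdout);
    return 0;
}
```

Checking at both layers means a caller mistake is reported as a warning at the API boundary, and the mail layer still refuses to format a NULL pointer if another caller reaches it directly.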