Edit report at https://bugs.php.net/bug.php?id=64949&edit=1
ID: 64949
Updated by: mbecc...@php.net
Reported by: r...@php.net
Summary: Buffer overflow in _pdo_pgsql_error
Status: Closed
Type: Bug
Package: PostgreSQL related
Operating System: GNU/Linux
PHP Version: 5.3.25
Assigned To: remi
Block user comment: N
Private report: N

New Comment:

FYI, the proper fix is on master now:
http://git.php.net/?p=php-src.git;a=commitdiff;h=baabd1192973156ac79c35f6d1b0dced4af8e8fb

I have left the strlen check in place; maybe we should really use strncpy instead now.

Previous Comments:
------------------------------------------------------------------------
[2013-05-31 06:46:30] r...@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c623e3b07128e78362911ff5754e7eee57fa8bb
Log: Fixed Bug #64949 (Buffer overflow in _pdo_pgsql_error)

------------------------------------------------------------------------
[2013-05-30 17:22:37] r...@php.net

Description:
------------
Running the unit tests in ext/pdo_pgsql, 2 tests cause a segfault (with the same backtrace).

(gdb) run copy_from.php
.
Testing pgsqlCopyFromArray() with error
*** buffer overflow detected ***: /usr/bin/php terminated
...

(gdb) bt
#0  0x00007ffff4bfcba5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x00007ffff4bfe358 in __GI_abort () at abort.c:90
#2  0x00007ffff4c3c59b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4d3f81f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3  0x00007ffff4cd16b7 in __GI___fortify_fail (msg=msg@entry=0x7ffff4d3f7c5 "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff4ccf830 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007fffe67cdb61 in strcpy (__src=0x7fffe67d0c3a "Copy command failed", __dest=0x7ffff7fbf920 "Copy c") at /usr/include/bits/string3.h:104
#6  _pdo_pgsql_error (dbh=dbh@entry=0x7ffff7fbf8c8, stmt=stmt@entry=0x0, errcode=errcode@entry=7, sqlstate=0x7fffe67d0c3a "Copy command failed", file=<optimized out>, line=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:83
#7  0x00007fffe67cee73 in zim_PDO_pgsqlCopyFromArray (ht=<optimized out>, return_value=0x7ffff7fbf9a8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:611
#8  0x0000555555778249 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:99
#9  0x0000555555836dd3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f83340) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:545
#10 0x00005555557f6e78 in execute_ex (execute_data=0x7ffff7f83340) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:356
#11 0x000055555577810d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:75
#12 0x0000555555789b08 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-5.5.0RC2/Zend/zend.c:1316
#13 0x00005555557278dc in php_execute_script (primary_file=primary_file@entry=0x7fffffffcb80) at /usr/src/debug/php-5.5.0RC2/main/main.c:2481
#14 0x000055555583a4e6 in do_cli (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:993
#15 0x000055555560f38a in main (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:1377

(gdb) run copy_to.php
...
Testing pgsqlCopyToArray() with error
*** buffer overflow detected ***: /usr/bin/php terminated
...

(gdb) bt
#0  0x00007ffff4bfcba5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x00007ffff4bfe358 in __GI_abort () at abort.c:90
#2  0x00007ffff4c3c59b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4d3f81f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3  0x00007ffff4cd16b7 in __GI___fortify_fail (msg=msg@entry=0x7ffff4d3f7c5 "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff4ccf830 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007fffe67cdb61 in strcpy (__src=0x7fffe67d0c3a "Copy command failed", __dest=0x7ffff7fbbae8 "Copy c") at /usr/include/bits/string3.h:104
#6  _pdo_pgsql_error (dbh=dbh@entry=0x7ffff7fbba90, stmt=stmt@entry=0x0, errcode=errcode@entry=7, sqlstate=0x7fffe67d0c3a "Copy command failed", file=<optimized out>, line=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:83
#7  0x00007fffe67ce68b in zim_PDO_pgsqlCopyToArray (ht=<optimized out>, return_value=0x7ffff7fbffe0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:864
#8  0x0000555555778249 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:99
#9  0x0000555555836dd3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f829c0) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:545
#10 0x00005555557f6e78 in execute_ex (execute_data=0x7ffff7f829c0) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:356
#11 0x000055555577810d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:75
#12 0x0000555555789b08 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-5.5.0RC2/Zend/zend.c:1316
#13 0x00005555557278dc in php_execute_script (primary_file=primary_file@entry=0x7fffffffcb80) at /usr/src/debug/php-5.5.0RC2/main/main.c:2481
#14 0x000055555583a4e6 in do_cli (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:993
#15 0x000055555560f38a in main (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:1377

A trivial fix will be to switch to strncpy to avoid this buffer overflow, but this doesn't explain why a run condition comes with a sql_state = "Copy command failed", which is not a standard 5 char error code.

------------------------------------------------------------------------

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=64949&edit=1
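An added illustration of the defect discussed in the report above (example code, not PHP's _pdo_pgsql_error): a five-character SQLSTATE field filled by strcpy() from a caller-supplied string, beside the strncpy() truncation the report calls a trivial fix and a checked variant that enforces the code's length and form before copying. The fallback code "HY000" and the sample code "42P01" are assumptions of this example, not values from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SQLSTATE_LEN 5               /* a SQLSTATE is exactly five characters */

typedef struct {
    char sqlstate[SQLSTATE_LEN + 1]; /* same shape as PDO's 6-byte error field */
    char message[128];               /* constructed: where a driver message belongs */
} db_error;

/* Shape of the defect in the report: strcpy() trusts the caller to pass a
 * five-character code. A 19-byte string such as "Copy command failed"
 * overruns sqlstate, and glibc's _FORTIFY_SOURCE turns that into the
 * "buffer overflow detected" abort seen in the backtrace. Kept only for
 * comparison; never called here. */
void set_error_unsafe(db_error *e, const char *code) {
    strcpy(e->sqlstate, code);
}

/* The report's "trivial fix": strncpy() stops the overrun but silently
 * truncates, so a message passed by mistake becomes the bogus code "Copy ". */
void set_error_truncate(db_error *e, const char *code) {
    strncpy(e->sqlstate, code, SQLSTATE_LEN);
    e->sqlstate[SQLSTATE_LEN] = '\0';
}

/* Checked variant: accept only a well-formed five-character SQLSTATE
 * (digits and upper-case letters). Anything else is kept as the message
 * and the code falls back to the standard general-error SQLSTATE "HY000"
 * (an assumed fallback; the report does not name one).
 * Returns 1 when the code was accepted as-is, 0 when the fallback was used. */
int set_error_checked(db_error *e, const char *code) {
    size_t n = strlen(code);
    int ok = (n == SQLSTATE_LEN);
    for (size_t i = 0; ok && i < n; i++) {
        unsigned char c = (unsigned char)code[i];
        if (!isdigit(c) && !isupper(c)) ok = 0;
    }
    if (ok) {
        memcpy(e->sqlstate, code, SQLSTATE_LEN + 1);
        e->message[0] = '\0';
        return 1;
    }
    memcpy(e->sqlstate, "HY000", SQLSTATE_LEN + 1);
    snprintf(e->message, sizeof e->message, "%s", code);
    return 0;
}
```

The checked variant is the one that surfaces the caller's mistake instead of hiding it: the report's input lands in the message field with a valid general-error code, whereas truncation yields a meaningless "Copy " that no client can interpret.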