Source

php-src / TODO_SEGFAULTS

Full commit
    This is an overview over existing segfaults in the current PHP source
    tree.


Fixed:

    mb_convert_encoding (Moriyoshi)
    socket_iovec_alloc (Rasmus)
    exif_imagetype,exif_thumbnail (Rasmus)
    dbase_open (Rasmus)
    array_pad (Rasmus)
    setlocale (Rasmus)
    unregister_tick_function (Rasmus)
    bcsub (Rasmus)
    str_repeat (Ilia)
    imagecopyresized (Ilia)
    mhash_keygen_s2k (Ilia)
    mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi)
    xml_parser_create (Moriyoshi)
    ob_start (Sascha)
    imagecreate/-truecolor (Sascha)
    flock (Sascha)
    register_shutdown_function (Sascha)
    mb_strcut('', [number greater than the length of first arg]) (Moriyoshi)
    ext/exif, ext/dba (7) (Marcus)
	
Open:

    the dbase extension         (1)
    chunk_split                 (2)
    socket_select               (3)
    php_imagepolygon            (4)
    imagesetstyle               (5)
    bundled gd                  (6)
    php_base64_encode		(8)
    pack			(9)
	
(1) heap corruption, mostly visible in malloc-related calls.  Whether you see 
    this or not might depend on your libc/compiler.  Hard to track down,
    because the result of the corruption might be quite delayed.

    Reproducable with glibc-2.3/gcc 3.2.2 by:
	
cat <<X | php do_crash
dbase_add_record
dbase_close
dbase_create
dbase_delete_record
dbase_get_record
dbase_get_record_with_names
dbase_numfields
dbase_numrecords
dbase_open
X 

(2) integer overflow in php_chunk_split

(3) heap corruption, dies in efree()/execute()

Methodology

    1. Use a plain PHP_4_3 tree
    2. Use the config.nice from ammendment 1.
    3. Download the test script from:

        <URL:http://schumann.cx/do_crash.txt>

    4a. Use the scripts funcparse.awk/genfunclist.sh from phpdoc/scripts
        for creating a plain text function list.  Feed that list to
        the script.  Avoid calls like pcntl_fork.  Manually remove functions
        which take too long to finish/eat up all memory.
    
    4b. For testing a single function, echo the name of the function to
        the script like this:

        echo dbase_open | php do_crash.txt

(4) integer overflow inside php_imagepolygon and possible subsequent 
    integer overflows inside gdlib's gdImageFilledPolygon().

(5) integer overflow if the number of elements in the array passed as
    second argument * sizeof(int) result in an overflow.
    gdImageSetStyle function called by this php wrapper can die for the
    same reason.  

(6) multiple integer overflows that can occur when trying to allocate a buffer
    for a new image. Affected functions:
    gdImageCreateFromJpegCtx
    readwbmp
    gdImageCreateFromXpm
    gdImageCreateFromPngCtx
    gdImagePngCtx
    gdImageCreateFromJpegCtx
    gdImageJpegCtx
    gdImageCreateFromGd2Ctx
    gdImageCreateFromGd2PartCtx
    _gdImageGd2
    GetDataBlock (gd_gif_in.c)

(7) few possible integer overflows, once safe_emalloc() or something similar
    is implemented they can all be addressed.

(8) integer overflow if the specified string is longer then ~1.1 billion bytes.

(9) multiple integer overflows, ex. pack("d4294967297", 2);

Ammendment 1.

CFLAGS='-O0 -g' \
'../src/php4/configure' \
'--enable-pcntl' \
'--enable-shmop' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-wddx' \
'--enable-yp' \
'--enable-filepro' \
'--enable-ftp' \
'--enable-dba' \
'--enable-dbase' \
'--enable-dio' \
'--enable-exif' \
'--enable-mbstring' \
'--enable-mbregex' \
'--enable-sockets' \
'--enable-bcmath' \
'--enable-calendar' \
'--enable-pcntl' \
'--enable-shmop' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-wddx' \
'--enable-yp' \
'--enable-filepro' \
'--enable-ftp' \
'--enable-dba' \
'--enable-dbase' \
'--enable-dio' \
'--enable-exif' \
'--enable-mbstring' \
'--enable-mbregex' \
'--enable-sockets' \
'--enable-bcmath' \
'--enable-calendar' \
"$@"