PHP Driver: Extension

PHPC-1266: Empty deeply nested BSON document causes unallocated memory writes

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical - P2
    • 1.5.3
    • Affects Version/s: 1.5.2
    • Component/s: None
    • None

      Running the attached script with USE_ZEND_ALLOC=0 valgrind php test.php produces:

      ==1458== Invalid write of size 8
      ==1458==    at 0xA0E2764: php_phongo_field_path_pop (bson.c:164)
      ==1458==    by 0xA0E3BB9: php_phongo_bson_visit_document (bson.c:956)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E3CD4: php_phongo_bson_visit_array (bson.c:989)
      ==1458==    by 0xA05DE21: bson_iter_visit_all (bson-iter.c:1987)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==  Address 0xaa6a800 is 0 bytes after a block of size 64 alloc'd
      ==1458==    at 0x48356EF: malloc (vg_replace_malloc.c:298)
      ==1458==    by 0x4837A34: realloc (vg_replace_malloc.c:785)
      ==1458==    by 0x949283: __zend_realloc (zend_alloc.c:2845)
      ==1458==    by 0x94864F: _erealloc (zend_alloc.c:2459)
      ==1458==    by 0xA0E2577: php_phongo_field_path_ensure_allocation (bson.c:124)
      ==1458==    by 0xA0E263E: php_phongo_field_path_write_item_at_current_level (bson.c:136)
      ==1458==    by 0xA0E2719: php_phongo_field_path_push (bson.c:154)
      ==1458==    by 0xA0E38A7: php_phongo_bson_visit_document (bson.c:858)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E4222: php_phongo_bson_to_zval_ex (bson.c:1153)
      ==1458==    by 0xA0F62FC: zif_MongoDB_BSON_toPHP (functions.c:75)
      ==1458==    by 0x9DECC7: execute_internal (zend_execute.c:2078)
      ==1458== 
      ==1458== Invalid write of size 4
      ==1458==    at 0xA0E2782: php_phongo_field_path_pop (bson.c:165)
      ==1458==    by 0xA0E3BB9: php_phongo_bson_visit_document (bson.c:956)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E3CD4: php_phongo_bson_visit_array (bson.c:989)
      ==1458==    by 0xA05DE21: bson_iter_visit_all (bson-iter.c:1987)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E392F: php_phongo_bson_visit_document (bson.c:872)
      ==1458==  Address 0xaa6a860 is 0 bytes after a block of size 32 alloc'd
      ==1458==    at 0x48356EF: malloc (vg_replace_malloc.c:298)
      ==1458==    by 0x4837A34: realloc (vg_replace_malloc.c:785)
      ==1458==    by 0x949283: __zend_realloc (zend_alloc.c:2845)
      ==1458==    by 0x94864F: _erealloc (zend_alloc.c:2459)
      ==1458==    by 0xA0E25B9: php_phongo_field_path_ensure_allocation (bson.c:125)
      ==1458==    by 0xA0E263E: php_phongo_field_path_write_item_at_current_level (bson.c:136)
      ==1458==    by 0xA0E2719: php_phongo_field_path_push (bson.c:154)
      ==1458==    by 0xA0E38A7: php_phongo_bson_visit_document (bson.c:858)
      ==1458==    by 0xA05DD89: bson_iter_visit_all (bson-iter.c:1975)
      ==1458==    by 0xA0E4222: php_phongo_bson_to_zval_ex (bson.c:1153)
      ==1458==    by 0xA0F62FC: zif_MongoDB_BSON_toPHP (functions.c:75)
      ==1458==    by 0x9DECC7: execute_internal (zend_execute.c:2078)
      
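As an added triage helper, not part of this ticket or of the driver's code: a small Python parser for memcheck records like the ones above that reports, for each invalid write, the faulting frame, the access width, the array slot the write landed in (block size divided by access width when the address is 0 bytes past the block) and the first non-allocator frame of the allocation; the set of allocator wrapper files it skips is an assumption. Run on the two records above it shows both writes hitting slot 8 of blocks that hold 8 elements, consistent with one write past the end of two parallel arrays grown by php_phongo_field_path_ensure_allocation.

```python
import re

# Constructed sample: the two memcheck records from the report with intermediate frames trimmed.
SAMPLE = """\
==1458== Invalid write of size 8
==1458==    at 0xA0E2764: php_phongo_field_path_pop (bson.c:164)
==1458==  Address 0xaa6a800 is 0 bytes after a block of size 64 alloc'd
==1458==    at 0x48356EF: malloc (vg_replace_malloc.c:298)
==1458==    by 0xA0E2577: php_phongo_field_path_ensure_allocation (bson.c:124)
==1458==
==1458== Invalid write of size 4
==1458==    at 0xA0E2782: php_phongo_field_path_pop (bson.c:165)
==1458==  Address 0xaa6a860 is 0 bytes after a block of size 32 alloc'd
==1458==    at 0x48356EF: malloc (vg_replace_malloc.c:298)
==1458==    by 0xA0E25B9: php_phongo_field_path_ensure_allocation (bson.c:125)
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((\S+?):(\d+)\)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before|inside) a block of size (\d+)")
ALLOCATOR_FILES = {"vg_replace_malloc.c", "zend_alloc.c"}  # wrapper frames to skip (assumption)

def parse_valgrind(text):
    """Split memcheck output into records; frames after the 'Address ...' line are the allocation site."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEADER.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "frames": [], "alloc_frames": [], "block": None}
            records.append(cur)
        elif cur and (m := FRAME.match(line)):
            frame = (m[1], m[2], int(m[3]))
            (cur["alloc_frames"] if cur["block"] is not None else cur["frames"]).append(frame)
        elif cur and (m := ADDR.match(line)):
            cur["offset"], cur["where"], cur["block"] = int(m[1]), m[2], int(m[3])
        elif re.fullmatch(r"==\d+==", line):
            cur = None  # bare '==pid==' line closes the record
    return records

def fault_slot(rec):
    """Array index hit by a write landing 0 bytes past a block: block bytes / access width."""
    if rec.get("where") != "after" or rec.get("offset") != 0:
        return None
    return rec["block"] // rec["size"]

def triage(text):
    """(faulting function:line, width, slot index, first non-allocator frame of the allocation)."""
    out = []
    for rec in parse_valgrind(text):
        f, p, l = rec["frames"][0]
        alloc = next((f"{a} ({b}:{c})" for a, b, c in rec["alloc_frames"] if b not in ALLOCATOR_FILES), None)
        out.append((f"{f} ({p}:{l})", rec["size"], fault_slot(rec), alloc))
    return out
```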

Assignee: derick (Derick Rethans)
Reporter: derick (Derick Rethans)
Votes: 2
Watchers: 3
