From: victor dot stinner at haypocalc dot com
Operating system: Linux
PHP version: 5.2.6
PHP Bug Type: Reproducible crash
Bug description: levenshtein() crashs with invalid arguments
Description:
------------
Using my fuzzer, I found a bug in levenshtein() function with random
arguments. The crash occurs in:
#0 0x08297319 in reference_levdist (s1=0x85486f8
"�3[W\217�W\221�",
l1=9, s2=0x2a <Address 0x2a out of bounds>, l2=2, cost_ins=42,
cost_rep=0, cost_del=42)
at /home/haypo/php-5.2.6/ext/standard/levenshtein.c:54
#1 0x08297bee in zif_levenshtein (ht=5, return_value=0x8548680,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
at /home/haypo/php-5.2.6/ext/standard/levenshtein.c:112
#2 0x083452b5 in zend_do_fcall_common_helper_SPEC
(execute_data=0xbfddb6a0)
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:200
#3 0x0834ac85 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xbfddb6a0)
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:1679
#4 0x08344e05 in execute (op_array=0x85480b0)
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:92
#5 0x0831fd69 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /home/haypo/php-5.2.6/Zend/zend.c:1134
#6 0x082cb708 in php_execute_script (primary_file=0xbfddda20)
at /home/haypo/php-5.2.6/main/main.c:2005
The bug may comes from "s2=0x2a <Address 0x2a out of bounds>" error.
Reproduce code:
---------------
<?php
$a = 42;
levenshtein("test", &$a, &$a, null, &$a);
?>
--
Edit bug report at http://bugs.php.net/?id=45580&edit=1
--
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=45580&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=45580&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=45580&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=45580&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=45580&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=45580&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=45580&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=45580&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=45580&r=support
Expected behavior: http://bugs.php.net/fix.php?id=45580&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=45580&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=45580&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=45580&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=45580&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=45580&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=45580&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=45580&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=45580&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=45580&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=45580&r=mysqlcfg
