#45580 [Ver->Csd]: levenshtein() crashes with invalid arguments (PHP_5_2 only!)

Sat, 13 Sep 2008 22:15:44 -0700 

 ID:               45580
 Updated by:       [EMAIL PROTECTED]
 Reported By:      victor dot stinner at haypocalc dot com
-Status:           Verified
+Status:           Closed
 Bug Type:         Reproducible crash
 Operating System: *
 PHP Version:      5.2CVS-2008-07-21
 New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------

[2008-07-21 16:03:56] [EMAIL PROTECTED]

Can not reproduce in PHP_5_3 branch, does crash in current PHP_5_2
branch.

------------------------------------------------------------------------

[2008-07-21 13:08:23] victor dot stinner at haypocalc dot com

Description:
------------
Using my fuzzer, I found a bug in levenshtein() function with random 
arguments. The crash occurs in:

#0  0x08297319 in reference_levdist (s1=0x85486f8
"�3[W\217�W\221�", 
l1=9, s2=0x2a <Address 0x2a out of bounds>, l2=2, cost_ins=42,
    cost_rep=0, cost_del=42) 
at /home/haypo/php-5.2.6/ext/standard/levenshtein.c:54
#1  0x08297bee in zif_levenshtein (ht=5, return_value=0x8548680, 
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /home/haypo/php-5.2.6/ext/standard/levenshtein.c:112
#2  0x083452b5 in zend_do_fcall_common_helper_SPEC 
(execute_data=0xbfddb6a0) 
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:200
#3  0x0834ac85 in ZEND_DO_FCALL_SPEC_CONST_HANDLER 
(execute_data=0xbfddb6a0) 
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:1679
#4  0x08344e05 in execute (op_array=0x85480b0) 
at /home/haypo/php-5.2.6/Zend/zend_vm_execute.h:92
#5  0x0831fd69 in zend_execute_scripts (type=8, retval=0x0, 
file_count=3) at /home/haypo/php-5.2.6/Zend/zend.c:1134
#6  0x082cb708 in php_execute_script (primary_file=0xbfddda20) 
at /home/haypo/php-5.2.6/main/main.c:2005

The bug may comes from "s2=0x2a <Address 0x2a out of bounds>" error.

Reproduce code:
---------------
<?php
$a = 42;
levenshtein("test", &$a, &$a, null, &$a);
?>




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=45580&edit=1

Reply via email to