[issue1006] digest is down; suggestions welcome

Dionysus Blazakis dion.blazakis at gmail.com
Wed May 14 11:50:41 PDT 2008


It seems there was an off-by-one error in the strspn code in our libc.
The buffer was a byte too small and resulted in overwriting the saved
ebx which was the offset to the GOT -- but only if strspn was used
with a \xff in the second string.

I have a patch here:
http://dblaz.beevomit.org/dfly/strspn.patch

I've verified it fixes the PHP problem.  Also, I tested it against a
small program that called strspn with a \xff in the second string and
verified that ebx was correctly restored (unlike prior to the patch).

-- Dion

On Wed, May 14, 2008 at 2:32 PM, Joerg Sonnenberger
<joerg at britannica.bec.de> wrote:
> On Wed, May 14, 2008 at 11:30:19AM -0400, Justin C. Sherrill wrote:
>> Antonio Huete Jimenez wrote:
>>> Antonio Huete Jimenez <tuxillo at quantumachine.net> added the comment:
>>>
>>> What about the commits between 1.12.1 and 1.12.2 related with threading lib?
>>
>> I'm still using the same threading library in both cases - libc_r.
>
> I've been seeing random PHP segfaults lately in the module init code.
> That's a standalone PHP using FastCGI.
>
> Joerg
>
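The report above describes an off-by-one in a libc strspn whose scratch buffer was one byte short, so an accept string containing \xff wrote past it and clobbered the saved ebx. The C below is an added illustration, not the DragonFly libc code or Dion's patch: it assumes a table-driven strspn (one table slot per byte value, which is the usual fast implementation and is only an assumption here) and shows why 256 slots are needed and why \xff is the single byte that exposes a 255-slot table. Instead of performing the out-of-bounds write, `build_table` reports it, and `short_table_overflows` models the trigger condition so it can be tested safely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table-driven strspn written for this note; it is not the
 * DragonFly libc implementation. A lookup table needs one slot for every
 * possible byte value, i.e. 256 entries. A table of 255 entries has no
 * slot for 0xff, so marking "\xff" writes one byte past the end. */
#define TABLE_OK    256
#define TABLE_SHORT 255   /* the "one byte too small" case */

/* Mark each byte of `accept` in a table of `tsize` entries.
 * Returns 0 on success, -1 if a byte of `accept` has no slot. In the
 * report's bug that index would be an out-of-bounds write; here we
 * refuse instead of corrupting memory. */
static int build_table(unsigned char *table, size_t tsize, const char *accept)
{
    memset(table, 0, tsize);
    for (const unsigned char *p = (const unsigned char *)accept; *p; p++) {
        if ((size_t)*p >= tsize)
            return -1;                /* would step past the table */
        table[*p] = 1;
    }
    return 0;
}

/* Count leading bytes of `s` that are marked in `table`. */
static size_t span_with_table(const unsigned char *table, const char *s)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p && table[*p]; p++)
        n++;
    return n;
}

/* Correct strspn: the table covers all 256 byte values, so build_table
 * cannot fail and an accept string containing \xff is handled. */
size_t safe_strspn(const char *s, const char *accept)
{
    unsigned char table[TABLE_OK];
    build_table(table, TABLE_OK, accept);
    return span_with_table(table, s);
}

/* Returns 1 if building the table for `accept` with a 255-entry table
 * would write out of bounds, 0 otherwise. Only an accept string that
 * contains the byte 0xff trips it, matching the report's trigger. */
int short_table_overflows(const char *accept)
{
    unsigned char table[TABLE_SHORT];
    return build_table(table, TABLE_SHORT, accept) != 0;
}

int main(void)
{
    /* Constructed inputs for demonstration. */
    const char *plain   = "abc";
    const char *with_ff = "\xff" "abc";   /* split so 'a' is not read as a hex digit */

    printf("safe_strspn(\"hello world\", \"lohe\") = %zu (libc says %zu)\n",
           safe_strspn("hello world", "lohe"), strspn("hello world", "lohe"));
    printf("safe_strspn(\"\\xff\\xffx\", \"\\xff\") = %zu\n",
           safe_strspn("\xff\xff" "x", "\xff"));
    printf("255-entry table with accept=\"abc\":     overflow=%d\n",
           short_table_overflows(plain));
    printf("255-entry table with accept=\"\\xffabc\": overflow=%d\n",
           short_table_overflows(with_ff));
    return 0;
}
```

The last two lines of output are the point: every accept string without \xff behaves identically on the short and the full table, which is why a test suite that never feeds strspn a 0xff byte will not notice the missing slot. A regression test for this class of bug should include the highest byte value in the accept set, which is what the small program mentioned in the report does.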
