History log of /PHP-8.4/tests/basic/gh16998.phpt (Results 1 – 1 of 1)
Revision Date Author Comments
# aab78426 30-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16998: UBSAN warning in rfc1867

The "else branch" of `next_line` can reset the `buf_begin` field to
NULL, causing the next invocation to pass NULL to `memchr` with a 0
length.

Fix GH-16998: UBSAN warning in rfc1867

The "else branch" of `next_line` can reset the `buf_begin` field to
NULL, causing the next invocation to pass NULL to `memchr` with a 0
length. When UBSAN is enabled this causes an UBSAN abort. Real world
impact is likely none because of the 0 length.

To fix this, don't set the pointer to NULL, which means that the
`memchr` will return NULL and since
`self->bytes_in_buffer < self->bufsize` we return NULL and request more
data through `fill_buffer`. That function will reset `buf_begin` and
`bytes_in_buffer` so that the next invocation works fine.

I chose this solution so we have an invariant that `buf_begin` is never
NULL, which makes reasoning easier. An alternative solution is keeping
the NULLing of `buf_begin` and add an extra check at the top of
`next_line`, but I didn't like special casing this.

Closes GH-17000.

show more ...