From fann_error.c

    errstr = (char *) malloc(FANN_ERRSTR_MAX);
    vsprintf(errstr, ...

This is obviously broken as there is no length check.
Switching to vsnprintf seems mandatory.

Ex: running test suite for pecl/fann

In fann_stdio.c

    fann_error(NULL, FANN_E_WRONG_CONFIG_VERSION, configuration_file);

Message: Wrong version of configuration file, aborting read of configuration file "%s"
Option: /home/rpmbuild/SPECS/remirepo/php/pecl/php-pecl-fann/fann-1.0.6/tests/fann_create_from_file_invalid.tmp

This is about 180 char, so > FANN_ERRSTR_MAX (128)
$ valgrind zts-php -n -d extension=modules/fann.so tests/fann_create_from_file_basic.phpt
==31606== Memcheck, a memory error detector
==31606== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==31606== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==31606== Command: zts-php -n -d extension=modules/fann.so tests/fann_create_from_file_basic.phpt
==31606==
--TEST--
Test function fann_create_from_file() by calling it with its expected arguments
--FILE--
bool(true)
resource(5) of type (FANN)
==31606== Invalid write of size 8
==31606==    at 0x7F6FEB2: __GI_mempcpy (memcpy.S:220)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301a9a is 122 bytes inside a block of size 128 alloc'd
==31606==    at 0x4C28409: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31606==    by 0xFADE529: fann_error (fann_error.c:108)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==    by 0x35983D: zend_execute_scripts (zend.c:1316)
==31606==    by 0x2E9797: php_execute_script (main.c:2506)
==31606==    by 0x41820C: do_cli (php_cli.c:994)
==31606==
==31606== Invalid write of size 8
==31606==    at 0x7F6FEB6: __GI_mempcpy (memcpy.S:221)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301aa2 is 2 bytes after a block of size 128 alloc'd
==31606==    at 0x4C28409: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31606==    by 0xFADE529: fann_error (fann_error.c:108)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==    by 0x35983D: zend_execute_scripts (zend.c:1316)
==31606==    by 0x2E9797: php_execute_script (main.c:2506)
==31606==    by 0x41820C: do_cli (php_cli.c:994)
==31606==
==31606== Invalid write of size 8
==31606==    at 0x7F6FE81: __GI_mempcpy (memcpy.S:201)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301aaa is 10 bytes after a block of size 128 alloc'd
==31606==    at 0x4C28409: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31606==    by 0xFADE529: fann_error (fann_error.c:108)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==    by 0x35983D: zend_execute_scripts (zend.c:1316)
==31606==    by 0x2E9797: php_execute_script (main.c:2506)
==31606==    by 0x41820C: do_cli (php_cli.c:994)
==31606==
==31606== Invalid write of size 8
==31606==    at 0x7F6FE84: __GI_mempcpy (memcpy.S:202)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301ab2 is 18 bytes after a block of size 128 alloc'd
==31606==    at 0x4C28409: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31606==    by 0xFADE529: fann_error (fann_error.c:108)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==    by 0x35983D: zend_execute_scripts (zend.c:1316)
==31606==    by 0x2E9797: php_execute_script (main.c:2506)
==31606==    by 0x41820C: do_cli (php_cli.c:994)
==31606==
==31606== Invalid write of size 8
==31606==    at 0x7F6FE88: __GI_mempcpy (memcpy.S:203)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301aba is not stack'd, malloc'd or (recently) free'd
==31606==
==31606== Invalid write of size 8
==31606==    at 0x7F6FE8C: __GI_mempcpy (memcpy.S:204)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301ac2 is not stack'd, malloc'd or (recently) free'd
==31606==
==31606== Invalid write of size 1
==31606==    at 0x7F6FDBE: __GI_mempcpy (memcpy.S:72)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301aca is not stack'd, malloc'd or (recently) free'd
==31606==
==31606== Invalid write of size 2
==31606==    at 0x7F6FDCE: __GI_mempcpy (memcpy.S:84)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301acb is not stack'd, malloc'd or (recently) free'd
==31606==
==31606== Invalid write of size 4
==31606==    at 0x7F6FDE0: __GI_mempcpy (memcpy.S:96)
==31606==    by 0x7F5F408: _IO_default_xsputn (genops.c:464)
==31606==    by 0x7F2EDB1: vfprintf (vfprintf.c:1635)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==  Address 0x9301acd is not stack'd, malloc'd or (recently) free'd
==31606==
==31606== Invalid write of size 1
==31606==    at 0x7F5F42D: _IO_default_xsputn (genops.c:476)
==31606==    by 0x7F2E15A: vfprintf (vfprintf.c:1666)
==31606==    by 0x7FF0DD7: __vsprintf_chk (vsprintf_chk.c:85)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==    by 0x35983D: zend_execute_scripts (zend.c:1316)
==31606==  Address 0x9301ad1 is not stack'd, malloc'd or (recently) free'd
==31606==
==31606== Invalid write of size 1
==31606==    at 0x7FF0DDD: __vsprintf_chk (vsprintf_chk.c:87)
==31606==    by 0xFADE6BF: fann_error (stdio2.h:46)
==31606==    by 0xFAE2BF8: fann_create_from_fd (fann_io.c:420)
==31606==    by 0xFAE3397: fann_create_from_file (fann_io.c:41)
==31606==    by 0xF8CA0DA: zif_fann_create_from_file (fann.c:3408)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==    by 0x35983D: zend_execute_scripts (zend.c:1316)
==31606==    by 0x2E9797: php_execute_script (main.c:2506)
==31606==    by 0x41820C: do_cli (php_cli.c:994)
==31606==  Address 0x9301ad4 is not stack'd, malloc'd or (recently) free'd
==31606==
--31606-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--31606-- si_code=80;  Faulting address: 0x0;  sp: 0x403049de0

valgrind: the 'impossible' happened:
   Killed by fatal signal

==31606==    at 0x380656B6: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==31606==    by 0x3802CAAC: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==31606==    by 0x3802CC32: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==31606==    by 0x3809F3AD: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==31606==    by 0x380AE0FC: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==31606==    at 0x4C28409: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31606==    by 0x7F6C3F9: strdup (strdup.c:42)
==31606==    by 0x2E5D34: php_error_cb (main.c:990)
==31606==    by 0x35837B: zend_error (zend.c:1117)
==31606==    by 0x2E68D1: php_verror (main.c:870)
==31606==    by 0x2E6D36: php_error_docref0 (main.c:882)
==31606==    by 0xF8CA13C: zif_fann_create_from_file (fann.c:3410)
==31606==    by 0x345B11: dtrace_execute_internal (zend_dtrace.c:97)
==31606==    by 0x415D9E: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==31606==    by 0x3855DA: execute_ex (zend_vm_execute.h:363)
==31606==    by 0x3459EE: dtrace_execute_ex (zend_dtrace.c:73)
==31606==    by 0x35983D: zend_execute_scripts (zend.c:1316)
==31606==    by 0x2E9797: php_execute_script (main.c:2506)
==31606==    by 0x41820C: do_cli (php_cli.c:994)
==31606==    by 0x1C3A35: main (php_cli.c:1378)
Notice: there is also a memory leak, as in some cases the malloced buffer is not freed.
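As an added illustration (not code from this report, the attached patch, or libfann), the two shapes of the error formatter side by side in C: the vsprintf version that produced the "Invalid write" reports above, and a vsnprintf version that bounds the write, reports truncation instead of hiding it, and leaves the caller to free the buffer. The format string and path are constructed copies of the ones quoted in the description; FANN_ERRSTR_MAX is assumed to be 128 as the report states.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FANN_ERRSTR_MAX 128   /* fixed buffer size used by fann_error.c (per the report) */
/* Constructed stand-in for the report's overlong message (about 180 chars). */
static const char *const kFmt =
    "Wrong version of configuration file, aborting read of configuration file \"%s\"";
static const char *const kPath =
    "/home/rpmbuild/SPECS/remirepo/php/pecl/php-pecl-fann/fann-1.0.6/tests/"
    "fann_create_from_file_invalid.tmp";

/* Vulnerable shape of fann_error(): vsprintf does not know the block is 128 bytes,
 * so a longer message writes past its end. Shown for comparison only; never called. */
char *format_error_unsafe(const char *fmt, ...)
{
    va_list ap;
    char *errstr = malloc(FANN_ERRSTR_MAX);
    if (errstr == NULL) return NULL;
    va_start(ap, fmt);
    vsprintf(errstr, fmt, ap);        /* no length check: heap overflow */
    va_end(ap);
    return errstr;
}

/* Hardened shape: vsnprintf bounds the write and always NUL-terminates; its
 * return value (the untruncated length) lets the caller detect truncation. */
char *format_error_safe(int *truncated, const char *fmt, ...)
{
    va_list ap;
    char *errstr = malloc(FANN_ERRSTR_MAX);
    if (errstr == NULL) return NULL;
    va_start(ap, fmt);
    int needed = vsnprintf(errstr, FANN_ERRSTR_MAX, fmt, ap);
    va_end(ap);
    if (truncated) *truncated = (needed >= FANN_ERRSTR_MAX);
    return errstr;                    /* caller owns it and must free() it */
}

/* Full length the message needs; exceeds FANN_ERRSTR_MAX for kPath. */
int message_needed(void) { return snprintf(NULL, 0, kFmt, kPath); }

/* Format the long message safely: returns the stored length (127), sets the
 * truncation flag, and frees the buffer so there is no leak either. */
size_t safe_error_len(int *truncated)
{
    char *s = format_error_safe(truncated, kFmt, kPath);
    size_t n = s ? strlen(s) : 0;
    free(s);
    return n;
}
```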
Created attachment 844054
0001-fix-memory-corruption-in-fann_error-1047627.patch

git format-patch fix proposal (needs to be reported upstream).
I sent the proposed patch to upstream, but also noticed this was already reported, see https://github.com/libfann/fann/pull/2 (the fix is different).
Hi Remi, thanks a lot for the patch. I took a look at the other proposed fix [1] by bukka and it seems the differences are merely cosmetic or have negligible impact. I will use your patch as is for now.

[1] https://github.com/bukka/fann/commit/0b07b4c1f7162d5b5cb1782e538ff65b036b586e
fann-2.2.0-5.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/fann-2.2.0-5.fc20
fann-2.2.0-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/fann-2.2.0-5.fc19
Package fann-2.2.0-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fann-2.2.0-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0494/fann-2.2.0-5.fc19
then log in and leave karma (feedback).
Package fann-2.2.0-5.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fann-2.2.0-5.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0495/fann-2.2.0-5.fc20
then log in and leave karma (feedback).
fann-2.2.0-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
fann-2.2.0-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
fann-2.2.0-6.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/fann-2.2.0-6.el6
fann-2.2.0-6.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.