PHP :: Bug #48768 :: parse_ini_*() crash with INI_SCANNER

Bug #48768	parse_ini_*() crash with INI_SCANNER_RAW
Submitted:	2009-07-02 07:04 UTC	Modified:	2009-08-04 02:57 UTC
From:	aharvey@php.net	Assigned:
Status:	Closed	Package:	PHP options/info functions
PHP Version:	5.3CVS-2009-07-02 (CVS)	OS:	Linux x86
Private report:	No	CVE-ID:	None

View Developer Edit

[2009-07-02 07:04 UTC] aharvey@php.net

Description:
------------
parse_ini_file() crashes in INI_SCANNER_RAW mode if a configuration item consists solely of an equals sign.

Reproduce code:
---------------
INI file contents:

equal = "="


PHP script:

$ini = parse_ini_file('equals.ini', false, INI_SCANNER_NORMAL);
var_dump($ini);

$ini = parse_ini_file('equals.ini', false, INI_SCANNER_RAW);
var_dump($ini);


Expected result:
----------------
array(1) {
  ["equal"]=>
  string(1) "="
}
array(1) {
  ["equal"]=>
  string(1) "="
}

Actual result:
--------------
array(1) {
  ["equal"]=>
  string(1) "="
}
Segmentation fault (core dumped)


gdb backtrace:

#0  0xb75f58b1 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x083d5e5b in zend_strndup (s=0xb7f14009 <Address 0xb7f14009 out of bounds>, length=3086171320) at /usr/include/bits/string3.h:52
#2  0x083d1b21 in ini_lex (ini_lval=0xbf9321d8) at Zend/zend_ini_scanner.l:343
#3  0x083cf9fe in ini_parse () at /h/aharvey/trees/php5/Zend/zend_ini_parser.c:1557
#4  0x083cfe91 in zend_parse_ini_file (fh=0xbf9322d0, unbuffered_errors=0 '\0', scanner_mode=1, ini_parser_cb=0x8320f20 <php_simple_ini_parser_cb>, arg=0xa29d148) at /h/aharvey/trees/php5/Zend/zend_ini_parser.y:206
#5  0x0831f829 in zif_parse_ini_file (ht=3, return_value=0xa29d148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /h/aharvey/trees/php5/ext/standard/basic_functions.c:5937
#6  0x08412a12 in execute_internal (execute_data_ptr=0xa2cddd8, return_value_used=1) at /h/aharvey/trees/php5/Zend/zend_execute.c:1256
#7  0xb728dab0 in xdebug_execute_internal (current_execute_data=0xa2cddd8, return_value_used=1) at /tmp/pear/temp/xdebug/xdebug.c:1630
#8  0x0843c9af in zend_do_fcall_common_helper_SPEC (execute_data=0xa2cddd8) at /h/aharvey/trees/php5/Zend/zend_vm_execute.h:315
#9  0x0841a08e in execute (op_array=0xa29c554) at /h/aharvey/trees/php5/Zend/zend_vm_execute.h:104
#10 0xb728d734 in xdebug_execute (op_array=0xa29c554) at /tmp/pear/temp/xdebug/xdebug.c:1561
#11 0x083f12f6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /h/aharvey/trees/php5/Zend/zend.c:1188
#12 0x0839f610 in php_execute_script (primary_file=0xbf9348f4) at /h/aharvey/trees/php5/main/main.c:2196
#13 0x08476002 in main (argc=2, argv=0xbf934a54) at /h/aharvey/trees/php5/sapi/cli/php_cli.c:1188

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-07-03 00:49 UTC] scottmac@php.net

I can reproduce this though I'm curious why re2c isn't picking this up.

We have
<ST_RAW>{RAW_VALUE_CHARS}+ {

And RAW_VALUE_CHARS is
RAW_VALUE_CHARS [^=\n\r;]

So that code shouldn't even be executing, i'll need to look at it some more.

[2009-07-07 17:10 UTC] jani@php.net

Simply removing the '=' from RAW_VALUE_CHARS fixes both this and bug #48769.

[2009-08-04 02:56 UTC] svn@php.net

Automatic comment from SVN on behalf of jani
Revision: http://svn.php.net/viewvc/?view=revision&revision=286783
Log: - Fixed bug #48768 (parse_ini_*() crash with INI_SCANNER_RAW)

[2009-08-04 02:57 UTC] jani@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 16:01:29 2025 UTC