Bug #66721 __wakeup of DateTime segfaults when invalid object data is supplied
Submitted: 2014-02-16 00:47 UTC Modified: -
From: cedric at ce3c dot be Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6Git-2014-02-15 (Git) OS:
Private report: No CVE-ID: None
 [2014-02-16 00:47 UTC] cedric at ce3c dot be
Description:
------------
In php_date_initialize_from_hash (ext/date/php_date.c), 
the switch statement case "TIMELIB_ZONETYPE_ID" should check if the value returned by the call to php_date_parse_tzfile is NULL. Otherwise in subsequent instructions, the tzi variable may contain a NULL pointer. 

Test script:
---------------
<?php
// Serialized DateTime whose "timezone" is not a valid zone identifier.
$y = 'O:8:"DateTime":3:{s:4:"date";s:19:"2014-02-15 02:00:51";s:13:"timezone_type";i:3;s:8:"timezone";s:10:"1234567890";}';

var_dump(unserialize($y)); // segfault

Expected result:
----------------
bool(false)

Actual result:
--------------
#0  0x00000000004bb32d in fetch_timezone_offset (tz=0x0, ts=1392474750, transition_time=0x7fff61636948) at /tmp/php-src/ext/date/lib/parse_tz.c:341
#1  0x00000000004bb5ec in timelib_get_time_zone_info (ts=1392474750, tz=0x0) at /tmp/php-src/ext/date/lib/parse_tz.c:415
#2  0x00000000004be5a7 in timelib_unixtime2local (tm=0x269a360, ts=1392474750) at /tmp/php-src/ext/date/lib/unixtime2tm.c:194
#3  0x0000000000478a50 in php_date_initialize (dateobj=0x7f6c6a2db018, time_str=0x7f6c6a2d9f30 "2014-02-15 02:00:51", time_str_len=19, format=0x0, timezone_object=0x7f6c6a2da490, ctor=0) at /tmp/php-src/ext/date/php_date.c:2622
#4  0x000000000047940c in php_date_initialize_from_hash (return_value=0x7fff61636ad0, dateobj=0x7fff61636ae8, myht=0x7f6c6a2db2a8) at /tmp/php-src/ext/date/php_date.c:2790
#5  0x000000000047968b in zim_DateTime___wakeup (ht=0, return_value=0x7f6c6a2db348, return_value_ptr=0x7fff61636d68, this_ptr=0x7f6c6a2d8948, return_value_used=1) at /tmp/php-src/ext/date/php_date.c:2857
#6  0x00000000009766de in zend_call_function (fci=0x7fff61636cc0, fci_cache=0x7fff61636bb0) at /tmp/php-src/Zend/zend_execute_API.c:970
#7  0x000000000097569e in call_user_function_ex (function_table=0x24a7560, object_pp=0x7fff61636f70, function_name=0x7fff61636d80, retval_ptr_ptr=0x7fff61636d68, param_count=0, params=0x0, no_separation=1, symbol_table=0x0) at /tmp/php-src/Zend/zend_execute_API.c:740
#8  0x00000000008a3987 in object_common2 (rval=0x7fff61636f70, p=0x7fff61636f98, max=0x7f6c6a1d08a7 "", var_hash=0x7fff61636fa0, elements=3) at ext/standard/var_unserializer.re:424
#9  0x00000000008a4a28 in php_var_unserialize (rval=0x7fff61636f70, p=0x7fff61636f98, max=0x7f6c6a1d08a7 "", var_hash=0x7fff61636fa0) at ext/standard/var_unserializer.re:803
#10 0x000000000088f6b5 in zif_unserialize (ht=1, return_value=0x7f6c6a2d8948, return_value_ptr=0x7f6c6a2a41e0, this_ptr=0x0, return_value_used=1) at /tmp/php-src/ext/standard/var.c:966
#11 0x00000000009cf447 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f6c6a2a4218) at /tmp/php-src/Zend/zend_vm_execute.h:558
#12 0x00000000009d4c2c in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7f6c6a2a4218) at /tmp/php-src/Zend/zend_vm_execute.h:2585
#13 0x00000000009ceaba in execute_ex (execute_data=0x7f6c6a2a4218) at /tmp/php-src/Zend/zend_vm_execute.h:363
#14 0x00000000009ceb42 in zend_execute (op_array=0x7f6c6a2d9858) at /tmp/php-src/Zend/zend_vm_execute.h:388
#15 0x000000000098b7a1 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php-src/Zend/zend.c:1330
#16 0x00000000008f1658 in php_execute_script (primary_file=0x7fff61639600) at /tmp/php-src/main/main.c:2549
#17 0x0000000000a3cd39 in do_cli (argc=4, argv=0x24a6940) at /tmp/php-src/sapi/cli/php_cli.c:994
#18 0x0000000000a3e056 in main (argc=4, argv=0x24a6940) at /tmp/php-src/sapi/cli/php_cli.c:1378
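The report's core point is a missing NULL check: in the TIMELIB_ZONETYPE_ID case the pointer returned by php_date_parse_tzfile is used without being tested, so an unknown zone name coming from unserialize() input reaches fetch_timezone_offset with tz=0x0 (frame #0 of the backtrace). The following C program is an added illustration, not code from php-src: it models that control flow with a constructed three-entry zone table and stand-in functions (parse_tzfile, get_time_zone_offset, initialize_from_hash_unchecked, initialize_from_hash_checked, offset_or_reject are all hypothetical names), showing the unchecked path beside the corrected one that rejects the object data instead of dereferencing NULL.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (added example, not PHP's own code) of the
 * TIMELIB_ZONETYPE_ID path in php_date_initialize_from_hash. */

/* Constructed stand-in for timelib's tzinfo; only name and offset matter here. */
typedef struct { const char *name; long utc_offset; } tzinfo_t;

/* Constructed stand-in for the zone database (real PHP consults bundled tzdb). */
static const tzinfo_t known_zones[] = {
    { "UTC", 0 },
    { "Europe/Brussels", 3600 },
    { "America/New_York", -18000 },
};

/* Model of php_date_parse_tzfile(): NULL when the identifier is unknown,
 * which is the return value the bug report says went unchecked. */
static const tzinfo_t *parse_tzfile(const char *ident)
{
    for (size_t i = 0; i < sizeof known_zones / sizeof known_zones[0]; i++)
        if (strcmp(known_zones[i].name, ident) == 0)
            return &known_zones[i];
    return NULL;
}

/* Model of timelib_get_time_zone_info(): dereferences tzi unconditionally,
 * like fetch_timezone_offset(tz=0x0) in frame #0 of the backtrace. */
static long get_time_zone_offset(const tzinfo_t *tzi)
{
    return tzi->utc_offset;
}

/* Buggy shape: mirrors the reported flow with no NULL check. Calling it with
 * an unknown identifier is undefined behaviour (a segfault in practice). */
static int initialize_from_hash_unchecked(const char *tz_ident, long *offset_out)
{
    const tzinfo_t *tzi = parse_tzfile(tz_ident);
    *offset_out = get_time_zone_offset(tzi);   /* tzi may be NULL here */
    return 1;
}

/* Fixed shape: reject the object data when the lookup fails, so __wakeup()
 * can make unserialize() return false instead of crashing the process. */
static int initialize_from_hash_checked(const char *tz_ident, long *offset_out)
{
    const tzinfo_t *tzi = parse_tzfile(tz_ident);
    if (tzi == NULL) {
        return 0;   /* invalid timezone identifier in serialized data */
    }
    *offset_out = get_time_zone_offset(tzi);
    return 1;
}

/* Convenience wrapper: the offset, or LONG_MIN when the identifier is rejected. */
static long offset_or_reject(const char *tz_ident)
{
    long off;
    return initialize_from_hash_checked(tz_ident, &off) ? off : LONG_MIN;
}

int main(void)
{
    long off;
    /* "1234567890" is the bogus identifier from the bug's test script. */
    const char *inputs[] = { "Europe/Brussels", "1234567890" };
    for (size_t i = 0; i < 2; i++) {
        if (initialize_from_hash_checked(inputs[i], &off))
            printf("%s -> offset %ld\n", inputs[i], off);
        else
            printf("%s -> rejected (unknown zone)\n", inputs[i]);
    }
    /* The unchecked variant is only safe on a known zone; with "1234567890"
     * it would dereference NULL exactly as the reported crash does. */
    initialize_from_hash_unchecked("UTC", &off);
    return 0;
}
```

The defensive rule the example encodes is the one the report asks for: any lookup that can return NULL (a zone-file parse, a hash find, an allocation) must be checked before the pointer is handed to code that dereferences it, and in a __wakeup() path the failure should surface as a rejected unserialize() result rather than a crash.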


History
 [2014-04-13 22:56 UTC] stas@php.net
Automatic comment on behalf of bsitnikovski@sugarcrm.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c88b6e81c4565b0102a9022d647817845f0c18d
Log: Fix bug #66721
 [2014-04-13 22:56 UTC] stas@php.net
-Status: Open +Status: Closed
 [2014-04-15 12:04 UTC] ab@php.net
Automatic comment on behalf of bsitnikovski@sugarcrm.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c88b6e81c4565b0102a9022d647817845f0c18d
Log: Fix bug #66721
 [2014-04-15 13:05 UTC] ab@php.net
Automatic comment on behalf of bsitnikovski@sugarcrm.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c88b6e81c4565b0102a9022d647817845f0c18d
Log: Fix bug #66721
 [2014-05-01 14:59 UTC] tyrael@php.net
Automatic comment on behalf of bsitnikovski@sugarcrm.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c88b6e81c4565b0102a9022d647817845f0c18d
Log: Fix bug #66721
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of bsitnikovski@sugarcrm.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8c88b6e81c4565b0102a9022d647817845f0c18d
Log: Fix bug #66721
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of bsitnikovski@sugarcrm.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8c88b6e81c4565b0102a9022d647817845f0c18d
Log: Fix bug #66721
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 08:01:29 2024 UTC