Bug #77697 Crash on Big_Endian platform
Submitted: 2019-03-05 15:14 UTC Modified: -
From: samding at ca dot ibm dot com Assigned:
Status: Closed Package: PHAR related
PHP Version: 7.3.2 OS: Linux
Private report: No CVE-ID: None
 [2019-03-05 15:14 UTC] samding at ca dot ibm dot com
Description:
------------
Test case: ext/phar/tests/phar_setsignaturealgo2.phpt has a core dump on Big-Endian platform.

The problem code is in "ext/phar/util.c":

1880
1881                         if (!EVP_SignFinal (md_ctx, sigbuf,(unsigned int *)&siglen, key)) {
1882                                 efree(sigbuf);
1883                                 if (error) {
1884                                         spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname);
1885                                 }
1886                                 return FAILURE;
1887                         }
1888
1889                         sigbuf[siglen] = '\0';    // siglen is out of boundary, leads to a core dump
1890                         EVP_MD_CTX_destroy(md_ctx);

Debugger shows:
(gdb) p siglen
$1 = 549755814016

The reason is that "siglen" is defined as "size_t" (unsigned long), but on line 1881, when calling "EVP_SignFinal", it is cast to "unsigned int" by pointer, which means that the first 4 bytes are taken when passing it to "EVP_SignFinal".
This is not a problem on a Little_Endian platform, but it is an issue on a Big_Endian platform, and it causes the returned "siglen" to be a large value.

One solution is to define "siglen" as "unsigned int" instead of "size_t".





Test script:
---------------
./sapi/cli/php run-tests.php -P ext/phar/tests/phar_setsignaturealgo2.phpt



Expected result:
----------------
"siglen" should be returned as an index value.

Actual result:
--------------
(gdb) p siglen
$1 = 549755814016   // wrong index value
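
The following is an added example, not code from the report or from php-src: it models the 4-byte store into an 8-byte "siglen" under both byte orders and shows the pattern of passing a real "unsigned int". It assumes a 64-bit size_t and constructed values (siglen holds 128 before the call and the callee writes 128), which give the gdb value above; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Store the low nbytes of v at p in an explicit byte order (big != 0 means
 * big-endian), so the model gives the same answer on any host. */
static void put_uint(unsigned char *p, uint64_t v, int nbytes, int big) {
    for (int i = 0; i < nbytes; i++)
        p[i] = (unsigned char)(v >> (8 * (big ? nbytes - 1 - i : i)));
}

static uint64_t get_u64(const unsigned char *p, int big) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)p[i] << (8 * (big ? 7 - i : i));
    return v;
}

/* Models callee((unsigned int *)&siglen) with an 8-byte siglen: the callee
 * stores a 4-byte length at the lowest address of the 8-byte object. */
uint64_t siglen_after_cast_store(uint64_t before, uint32_t written, int big) {
    unsigned char obj[8];
    put_uint(obj, before, 8, big);   /* size_t siglen = before;             */
    put_uint(obj, written, 4, big);  /* *(unsigned int *)&siglen = written; */
    return get_u64(obj, big);
}

/* Hypothetical stand-in for a function that returns a length through an
 * unsigned int out-parameter, as EVP_SignFinal does. */
static void sign_final_stub(unsigned int *len) { *len = 128; }

/* Fixed pattern: pass a real unsigned int, then widen it to size_t. */
size_t siglen_fixed(void) {
    unsigned int len = 0;
    sign_final_stub(&len);
    return (size_t)len;
}

int main(void) {
    /* Constructed inputs: siglen is 128 before the call, callee writes 128. */
    printf("big-endian:    %llu\n", (unsigned long long)siglen_after_cast_store(128, 128, 1));
    printf("little-endian: %llu\n", (unsigned long long)siglen_after_cast_store(128, 128, 0));
    printf("fixed:         %llu\n", (unsigned long long)siglen_fixed());
    return 0;
}
```

In the big-endian case the 4-byte store lands in the upper half of the 8-byte object, so the value becomes (128 << 32) | 128 = 549755814016.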

 [2019-03-15 08:58 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b41959089313d7397c936a885e9d1ca84e0f93f8
Log: Fixed bug #77697 (Crash on Big_Endian platform)
 [2019-03-15 08:58 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2019-03-15 16:08 UTC] nikic@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b41959089313d7397c936a885e9d1ca84e0f93f8
Log: Fixed bug #77697 (Crash on Big_Endian platform)
 