PHP :: Bug #62525 :: sigabrt while converting floating point to string

Bug #62525	sigabrt while converting floating point to string
Submitted:	2012-07-10 17:06 UTC	Modified:	2012-07-16 17:35 UTC
From:	perryjp at gmail dot com	Assigned:	felipe (profile)
Status:	Closed	Package:	Reproducible crash
PHP Version:	master-Git-2012-07-10 (Git)	OS:	Ubuntu 10.04.3 LTS
Private report:	No	CVE-ID:	None

View Developer Edit

[2012-07-10 17:06 UTC] perryjp at gmail dot com

Description:
------------
I traced the root of my problem to compilation issues but I while debugging my issues I traced a sigabrt to a bug in snprintf.c freeing a static string.

php_conv_fp(snprintf.c:396) tries to free the static strings "NAN" or "INF" returned from __cvt(snprintf.c:97)

Actual result:
--------------
#0  0x0f8fc0d0 in raise () from /lib/tls/libc.so.6
#1  0x0f8fd924 in abort () from /lib/tls/libc.so.6
#2  0x0f93f658 in __libc_message () from /lib/tls/libc.so.6
#3  0x0f945f70 in malloc_printerr () from /lib/tls/libc.so.6
#4  0x0f947330 in _int_free () from /lib/tls/libc.so.6
#5  0x0f9478c0 in free () from /lib/tls/libc.so.6
#6  0x102bb960 in php_conv_fp (format=70 'F', num=2.0824708938098908, 
    add_dp=NO, precision=8, dec_point=46 '.', is_negative=0xbfb8d040, 
    buf=0xbfb8ce3d "NAN", len=0xbfb8ce38)
    at /php/main/snprintf.c:399
#7  0x102bffdc in xbuf_format_converter (xbuf=0xbfb8d138, fmt=0x104463b7 "F", 
    ap=0xbfb8d16c)
    at /php/main/spprintf.c:588
#8  0x102c0d14 in vspprintf (pbuf=0xbfb8d29c, max_len=0, 
    format=0x104463a8 "%.15s%ld%ld%0.8F", ap=0xbfb8d16c)
    at /php/main/spprintf.c:769
#9  0x102c0df0 in spprintf (pbuf=0xbfb8d29c, max_len=0, 
    format=0x104463a8 "%.15s%ld%ld%0.8F")
    at /php/main/spprintf.c:788
#10 0x1017a59c in php_session_create_id (mod_data=0x104b3f08, newlen=0x0)
    at /php/ext/session/session.c:736
#11 0x1017aa2c in php_session_initialize ()
    at /php/ext/session/session.c:830
#12 0x1017d530 in php_session_start ()
    at /php/ext/session/session.c:1325
#13 0x1017fe48 in zif_session_start (ht=0, return_value=0x105695c0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
    at /php/ext/session/session.c:1815
#14 0x103539d4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb8dff8)
    at /php/Zend/zend_vm_execute.h:200
#15 0x1035b428 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfb8dff8)
    at /php/Zend/zend_vm_execute.h:1679
#16 0x1035334c in execute (op_array=0x10596f88)
    at /php/Zend/zend_vm_execute.h:92
#17 0x10353ba4 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb8e148)
    at /php/Zend/zend_vm_execute.h:234
#18 0x1035b428 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfb8e148)
    at /php/Zend/zend_vm_execute.h:1679
#19 0x1035334c in execute (op_array=0x10560418)
    at /php/Zend/zend_vm_execute.h:92
#20 0x10365278 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
    execute_data=0xbfb8f2e8)
    at /php/Zend/zend_vm_execute.h:4612
#21 0x1035334c in execute (op_array=0x1055d000)
    at /php/Zend/zend_vm_execute.h:92
#22 0x10322798 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /php/Zend/zend.c:1134
#23 0x102ba7c0 in php_execute_script (primary_file=0xbfb9175c)
    at /php/main/main.c:2005
#24 0x103cb7dc in main (argc=3, argv=0xbfb93d24)
    at /php/sapi/cgi/cgi_main.c:1919

Patches

snprintf.patch (last revision 2012-07-10 17:06 UTC by perryjp at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-07-10 17:32 UTC] ab@php.net

But your trace says snprintf.c:399. Could you give a piece of code causing this?

[2012-07-10 17:44 UTC] perryjp at gmail dot com

Apologies, I should have mentioned that the core dump is from 5.2.6 but I looked at the head in git and the issue still exists and the line numbers in my description are based on the head as of today as is the patch file.

As I mentioned previously, the core of my issue was a compilation issue so I'm not entirely sure how you would reproduce it with a good build but if you look at php_conv_fp(snprintf:396) it blindly frees p_orig which was initialized by the calls to php_fcvt()/php_ecvt() which both call __cvt. If __cvt detects Infinity or Nan, it returns the static strings "INF" or "NAN"(snprintf.c:97) which can't be freed and thus the sigabrt.

[2012-07-10 18:55 UTC] ab@php.net

I'm not sure i get you right, the bt is from 5.2, but you fix it for master? 
Could you produce a bt for the current master so one could evaluate that?

Also, which compilation do you mean? Dynamic memory operations usually don't 
affect the compilation of C programs.

Despite like it looks like it could be a bug. a valid bt should be there to 
ensure that. I'll try to make an erroneous prog too.

[2012-07-10 19:48 UTC] perryjp at gmail dot com

I fixed it the master because the version that I'm using isn't open for bug reports but looking at the code I can tell that the incorrect code still exists in the tree.

I don't want to get too much in the weeds here, my compile issues caused zend_dtoa() to mis-evaluate the value so it wouldn't think it could represent the number and thus zend_dtoa() returns decopt=9999 (snprintf.c:91) and so snprintf.c:97 returns a string from the data section of the program rather than allocated memory as it does for snprintf:88 and snprintf:121


My environment doesn't have the necessary dependencies to build the newer versions of PHP for my target which is why I'm still on the older one so getting a bt on master could prove untenable. 

Still, I decided to submit the crash report/bug because it should be clear that doing a free on something from the data portion of the code (what I called a statically declared string) is incorrect. You can't do free("NAN") or free("INF") which is essentially what happens.

[2012-07-14 18:17 UTC] felipe@php.net

Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=63f3962a9015cd119b028e4c6e3f5533fb9f38e0
Log: - Fixed bug #62525 (sigabrt while converting floating point to string)

[2012-07-14 18:17 UTC] felipe@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I've committed a slight different patch.

Thanks.

[2012-07-14 18:17 UTC] felipe@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe

[2012-07-16 17:35 UTC] perryjp at gmail dot com

Looks great, thanks!

[2014-10-07 23:23 UTC] stas@php.net

Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=63f3962a9015cd119b028e4c6e3f5533fb9f38e0
Log: - Fixed bug #62525 (sigabrt while converting floating point to string)

[2014-10-07 23:34 UTC] stas@php.net

Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=63f3962a9015cd119b028e4c6e3f5533fb9f38e0
Log: - Fixed bug #62525 (sigabrt while converting floating point to string)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 05 05:00:01 2025 UTC