Bug #77736 Heap corruption in timelib_get_time_zone_info
Submitted: 2019-03-13 15:14 UTC
Modified: 2019-03-13 15:21 UTC
From: bugs-syssec at rub dot de
Assigned:
Status: Not a bug
Package: *General Issues
PHP Version: 7.3.3
OS: Linux
Private report: No
CVE-ID: None
 [2019-03-13 15:14 UTC] bugs-syssec at rub dot de
Description:
------------
$ ./php --version
PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies

Test script:
---------------
<?php

$a = strtotime(A);
spl_autoload($a);
gc_mem_caches();

Expected result:
----------------
No crash.

Actual result:
--------------
==12279== Memcheck, a memory error detector
==12279== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12279== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==12279== Command: ./php-plain heap_corrption-1-timelib_get_time_zone_info.php
==12279== 
==12279== Invalid read of size 8
==12279==    at 0x37266D: zend_mm_alloc_small (zend_alloc.c:1287)
==12279==    by 0x37266D: zend_mm_alloc_heap (zend_alloc.c:1358)
==12279==    by 0x37266D: _emalloc (zend_alloc.c:2498)
==12279==    by 0x37358A: _ecalloc (zend_alloc.c:2579)
==12279==    by 0x210D52: timelib_get_time_zone_info (parse_tz.c:633)
==12279==    by 0x2124A7: do_adjust_timezone (tm2unixtime.c:463)
==12279==    by 0x2124A7: timelib_update_ts (tm2unixtime.c:511)
==12279==    by 0x1ED8B3: zif_strtotime (php_date.c:1529)
==12279==    by 0x41F3C7: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:645)
==12279==    by 0x41F3C7: execute_ex (zend_vm_execute.h:55414)
==12279==    by 0x42352F: zend_execute (zend_vm_execute.h:60834)
==12279==    by 0x3972F6: zend_execute_scripts (zend.c:1568)
==12279==    by 0x336457: php_execute_script (main.c:2630)
==12279==    by 0x42597D: do_cli (php_cli.c:997)
==12279==    by 0x1E49B1: main (php_cli.c:1389)
==12279==  Address 0x64014200000 is not stack'd, malloc'd or (recently) free'd
==12279== 
==12279== 
==12279== Process terminating with default action of signal 11 (SIGSEGV)
==12279==  Access not within mapped region at address 0x64014200000
==12279==    at 0x37266D: zend_mm_alloc_small (zend_alloc.c:1287)
==12279==    by 0x37266D: zend_mm_alloc_heap (zend_alloc.c:1358)
==12279==    by 0x37266D: _emalloc (zend_alloc.c:2498)
==12279==    by 0x37358A: _ecalloc (zend_alloc.c:2579)
==12279==    by 0x210D52: timelib_get_time_zone_info (parse_tz.c:633)
==12279==    by 0x2124A7: do_adjust_timezone (tm2unixtime.c:463)
==12279==    by 0x2124A7: timelib_update_ts (tm2unixtime.c:511)
==12279==    by 0x1ED8B3: zif_strtotime (php_date.c:1529)
==12279==    by 0x41F3C7: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:645)
==12279==    by 0x41F3C7: execute_ex (zend_vm_execute.h:55414)
==12279==    by 0x42352F: zend_execute (zend_vm_execute.h:60834)
==12279==    by 0x3972F6: zend_execute_scripts (zend.c:1568)
==12279==    by 0x336457: php_execute_script (main.c:2630)
==12279==    by 0x42597D: do_cli (php_cli.c:997)
==12279==    by 0x1E49B1: main (php_cli.c:1389)
==12279==  If you believe this happened as a result of a stack
==12279==  overflow in your program's main thread (unlikely but
==12279==  possible), you can try to increase the size of the
==12279==  main thread stack using the --main-stacksize= flag.
==12279==  The main thread stack size used in this run was 8388608.
==12279== 
==12279== HEAP SUMMARY:
==12279==     in use at exit: 922,587 bytes in 6,198 blocks
==12279==   total heap usage: 6,622 allocs, 424 frees, 1,125,885 bytes allocated
==12279== 
==12279== LEAK SUMMARY:
==12279==    definitely lost: 0 bytes in 0 blocks
==12279==    indirectly lost: 0 bytes in 0 blocks
==12279==      possibly lost: 692,520 bytes in 5,249 blocks
==12279==    still reachable: 230,067 bytes in 949 blocks
==12279==         suppressed: 0 bytes in 0 blocks
==12279== Rerun with --leak-check=full to see details of leaked memory
==12279== 
==12279== For counts of detected and suppressed errors, rerun with: -v
==12279== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

 [2019-03-13 15:17 UTC] bugs-syssec at rub dot de
Test Script:

<?php

spl_autoload_call(True . a);
strtotime(NULL);
 [2019-03-13 15:21 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2019-03-13 15:21 UTC] nikic@php.net
> PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )

Please try a more recent release. The current one is PHP 7.3.3. This issue has already been fixed.
 
Last updated: Sat Dec 21 15:01:29 2024 UTC