Bug #36242 Weak type checking on stream_select() allows stack corruption
Submitted: 2006-02-01 10:41 UTC Modified: 2006-02-01 14:03 UTC
From: cyberleo at cyberleo dot net Assigned:
Status: Closed Package: Streams related
PHP Version: 4CVS-2006-02-01 (snap) OS: FreeBSD 4.10-REL
Private report: No CVE-ID: None
 [2006-02-01 10:41 UTC] cyberleo at cyberleo dot net
Description:
------------
Weak type checking on stream_select() allows stack corruption.
Passing a value that is not an integer to stream_select()'s fourth parameter, tv_sec, appears to overwrite stack data, eventually resulting in a program crash, corruption of function parameters or corruption of the function frame and return pointer. This can occur if a script uses math functions to compute a delay that evaluates to a float and typecasting is not done, or if someone uses a string representation of an integer instead (e.g. "86400" instead of 86400).
This bug was originally found on PHP-4.3.10, verified on 4.4.2 and the latest php4 snapshot. It took a while to track down what was causing the weird crashes.

Build options: --disable-cgi
Run from build directory: sapi/cli/php
No php.ini

Reproduce code:
---------------
$fp = fopen("/dev/zero","r"); // Random stream
while(TRUE){
    echo "Start of loop here.\n";
    $reads = Array($fp);
    $delay = 3.7; // <- Anything but an integer.
    $null = NULL;
    printf("Waiting for data or %d seconds...\n",$delay);
    $result = stream_select($reads, $null, $null, $delay);
    if($result){
        foreach($reads as $stream){
            $data = fread($stream, 1);
            printf("Read %d byte(s).\n", strlen($data));
        }
    }
} 

Expected result:
----------------
An endless loop reading single ASCII 0 bytes from /dev/zero until interrupted.
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
...etc...
---- 

Actual result:
--------------
The code seems to run fine for a few iterations, but eventually starts showing various errors or passing incorrect parameters to functions:
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...

Warning: fread(): supplied argument is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 12
Read 0 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...

Warning: fread(): supplied argument is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 12
Read 0 byte(s).
Start of loop here.

Warning: stream_select(): 4 is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 9

Warning: stream_select(): 4 is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 9

(Program hangs at this point, no looping)
---- 
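As an added example (not part of the original report), the loop above rewritten so that a computed float or numeric-string delay never reaches stream_select() uncast: the delay is validated and split into the integer tv_sec/tv_usec pair the function expects. The helper names safe_stream_select() and split_timeout() are assumptions for this example.

```php
<?php
// Added example, not code from the bug report. Assumed helper names.

/**
 * Split a delay given as int, float or numeric string into the integer
 * (tv_sec, tv_usec) pair that stream_select() expects. Anything that is
 * not a finite, non-negative number is rejected instead of passed through.
 */
function split_timeout($delay)
{
    if (!is_int($delay) && !is_float($delay) && !(is_string($delay) && is_numeric($delay))) {
        throw new InvalidArgumentException('timeout must be numeric');
    }
    $seconds = (float) $delay;
    if (!is_finite($seconds) || $seconds < 0) {
        throw new InvalidArgumentException('timeout must be finite and non-negative');
    }
    $tv_sec  = (int) floor($seconds);
    $tv_usec = (int) round(($seconds - $tv_sec) * 1000000);
    if ($tv_usec >= 1000000) {      // rounding can carry into the next second
        $tv_sec  += 1;
        $tv_usec -= 1000000;
    }
    return array($tv_sec, $tv_usec);
}

// Wrapper that only ever hands integers to the tv_sec/tv_usec parameters.
function safe_stream_select(array &$read, &$write, &$except, $delay)
{
    list($tv_sec, $tv_usec) = split_timeout($delay);
    return stream_select($read, $write, $except, $tv_sec, $tv_usec);
}

// The report's loop with the float delay (3.7) and a numeric string ("86400")
// both routed through the wrapper; constructed demo, three iterations only.
$fp = fopen('/dev/zero', 'r');
foreach (array(3.7, "86400", 0.25) as $delay) {
    $reads  = array($fp);
    $write  = null;
    $except = null;
    list($sec, $usec) = split_timeout($delay);
    printf("Waiting for data or %d.%06d seconds...\n", $sec, $usec);
    $n = safe_stream_select($reads, $write, $except, $delay);
    if ($n > 0) {
        printf("Read %d byte(s).\n", strlen(fread($reads[0], 1)));
    }
}
```

split_timeout(3.7) returns array(3, 700000) and split_timeout("86400") returns array(86400, 0); a non-numeric string raises InvalidArgumentException before stream_select() is ever called.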

 [2006-02-01 11:32 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2006-02-01 14:03 UTC] cyberleo at cyberleo dot net
Verified fixed in php4 and php5 CVS.
Thanks!
 