Bug #36243 Weak type checking on stream_select() allows stack corruption (php5)
Submitted: 2006-02-01 10:54 UTC Modified: 2006-02-01 11:28 UTC
From: cyberleo at cyberleo dot net Assigned:
Status: Not a bug Package: Streams related
PHP Version: 5CVS-2006-02-01 (snap) OS: FreeBSD 4.10-REL
Private report: No CVE-ID: None
 [2006-02-01 10:54 UTC] cyberleo at cyberleo dot net
Description:
------------
This bug is similar to http://bugs.php.net/36242; however, the symptoms are different.

Weak type checking on stream_select() allows stack corruption.
Passing a value that is not an integer to stream_select()'s fourth parameter, tv_sec, appears to overwrite stack data.
This results in strange, but consistent, modification of parameters passed to later functions. The corruption does not appear to be cumulative. This can occur if a script uses math functions to compute a delay that evaluates to a float, and typecasting is not done, or if someone uses a string representation of an integer instead (e.g. "86400" instead of 86400).

Build options: --disable-cgi
Run from build directory: sapi/cli/php
No php.ini

Reproduce code:
---------------
<?php
$fp = fopen("/dev/zero","r"); // Random stream
while(TRUE){
    echo "Start of loop here.\n";
    $reads = Array($fp);
    $delay = 3.7; // <- Anything but an integer.
    $null = NULL; // write and except sets are not used
    printf("Waiting for data or %d seconds...\n",$delay);
    $result = stream_select($reads, $null, $null, $delay);
    if($result){
        foreach($reads as $stream){
            $data = fread($stream, 1);
            printf("Read %d byte(s).\n", strlen($data));
        }
    }
}

Expected result:
----------------
An endless loop reading single ASCII 0 bytes from /dev/zero until interrupted.
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
...etc...
---- 

Actual result:
--------------
Endless loop of reading 17 bytes. (My test run)
----
Start of loop here.
Waiting for data or 3 seconds...
Read 17 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 17 byte(s).
----
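A defensive wrapper for the situation the report describes, added here as an example and not part of the report or of PHP itself: it validates the delay and splits a fractional value into the integer tv_sec and tv_usec arguments that stream_select() actually takes, so a float or numeric string never reaches the fourth parameter. The function name select_with_timeout and the bounded /dev/zero loop are assumptions; the syntax is kept PHP 5 compatible to match the report.

```php
<?php
// Added example: validate the timeout before it reaches stream_select().
// Returns the number of ready streams, or false on error, like stream_select().
function select_with_timeout(array &$read, &$write, &$except, $delay)
{
    // Accept ints, floats and numeric strings such as "86400"; anything else is
    // a programming error and should fail loudly rather than be coerced.
    if (!is_numeric($delay)) {
        throw new InvalidArgumentException('delay must be an int, float or numeric string');
    }
    $delay = (float) $delay;
    if ($delay < 0) {
        throw new InvalidArgumentException('delay must not be negative');
    }
    // Split 3.7 into tv_sec = 3 and tv_usec = 700000: both are real integers,
    // so the engine never sees a float or string in the tv_sec slot.
    $sec  = (int) floor($delay);
    $usec = (int) round(($delay - $sec) * 1000000);
    if ($usec >= 1000000) { // rounding can push the fraction up to a full second
        $sec  += 1;
        $usec -= 1000000;
    }
    return stream_select($read, $write, $except, $sec, $usec);
}

// Constructed test: the report's own /dev/zero loop, bounded to three iterations.
$fp = fopen('/dev/zero', 'r');
for ($i = 0; $i < 3; $i++) {
    $reads = array($fp);
    $null  = NULL; // write and except sets are not used
    $result = select_with_timeout($reads, $null, $null, 3.7); // float, as in the report
    if ($result) {
        foreach ($reads as $stream) {
            printf("Read %d byte(s).\n", strlen(fread($stream, 1)));
        }
    }
}
fclose($fp);
```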


 [2006-02-01 11:17 UTC] tony2001@php.net
No need to report it twice.
Dup of bug #36242.
 [2006-02-01 11:28 UTC] cyberleo at cyberleo dot net
I wasn't sure, because the two versions behave so differently, and the PHP version selector only allows for one.
Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC