Bug #39791 PHP crashes when sending a specific string to strtotime
Submitted: 2006-12-11 02:14 UTC Modified: 2006-12-11 14:07 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: closer9 at gmail dot com Assigned:
Status: Closed Package: Date/time related
PHP Version: 5.2.0 OS: Linux version 2.6.15-23-server
Private report: No CVE-ID: None
 [2006-12-11 02:14 UTC] closer9 at gmail dot com
Description:
------------
Sending the following string to strtotime results in PHP crashing.

PHPinfo: http://www.neg9.com/info.php


Reproduce code:
---------------
<?php
$str = "999999999999999999999999999999999999999999 days ago";

// Taken from the PHP manual
if (($timestamp = strtotime($str)) === false) {
    echo "The string ($str) is bogus";
} else {
    echo "$str == " . date('l dS \o\f F Y h:i:s A', $timestamp);
}

Expected result:
----------------
The string (999999999999999999999999999999999999999999 days ago) is bogus

Actual result:
--------------
PHP crash.

Error from apache log:
[notice] child pid 10088 exit signal Segmentation fault (11)

 [2006-12-11 04:03 UTC] judas dot iscariote at novell dot com
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47277335538544 (LWP 9489)]
0x000000000046fa28 in timelib_set_relative (ptr=0x7fff0ec80dc8, amount=9223372036854775807, behavior=0, s=0x7fff0ec80e80)
    at ext/date/lib/parse_date.re:594
594             switch (relunit->unit) {
(gdb) bt full
#0  0x000000000046fa28 in timelib_set_relative (ptr=0x7fff0ec80dc8, amount=9223372036854775807, behavior=0, s=0x7fff0ec80e80)
    at ext/date/lib/parse_date.re:594
        relunit = (const timelib_relunit *) 0x0
#1  0x0000000000471fb8 in scan (s=0x7fff0ec80e80) at ext/date/lib/parse_date.re:1485
        i = 9223372036854775807
        yych = 32 ' '
        yyaccept = 15
        cursor = (uchar *) 0xb9e31f " ago"
        str = 0xb9dcf0 '9' <repeats 42 times>, " days"
        ptr = 0xb9dd1a " days"
        yybm = "\000\000\000\000\000\000\000\000\000&#65533;, '\0' <repeats 22 times>, "&#65533;, '\0' <repeats 11 times>, "\200@&#65533;000\b\b\b\b\b\b\b\b\b\b", '\0' <repeats 39 times>, "                    ", '\0' <repeats 132 times>
#2  0x0000000000490536 in timelib_strtotime (s=0x2aff9bf04db0 '9' <repeats 42 times>, " days ago", len=51, errors=0x7fff0ec80f68,
    tzdb=0x7fdf40) at ext/date/lib/parse_date.re:1568
        in = {fd = 0, lim = 0xb9e340 "", str = 0xb9e2f0 '9' <repeats 42 times>, " days ago",
  ptr = 0xb9e2f4 '9' <repeats 38 times>, " days ago", cur = 0xb9e31f " ago", tok = 0xb9e2f0 '9' <repeats 42 times>, " days ago", pos = 0x0,
  line = 0, len = 0, errors = 0xb9e2a0, time = 0xb9e350, tzdb = 0x7fdf40}
        t = 0
        e = 0x2aff9bf04de3 ""
#3  0x0000000000468ca0 in zif_strtotime (ht=1, return_value=0x2aff9bf01e00, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
    tsrm_ls=0x9f3030) at /home/cristian/php5/ext/date/php_date.c:1101
        times = 0x2aff9bf04db0 '9' <repeats 42 times>, " days ago"
        initial_ts = 0x19bf02f50 <Address 0x19bf02f50 out of bounds>
        time_len = 51
        error1 = 32767
        error2 = 0
        error = (struct timelib_error_container *) 0x9f3030
        preset_ts = 4542959536
        ts = 11975616
        t = (timelib_time *) 0xb69bf02f10
        now = (timelib_time *) 0xb9e1c0
        tzi = (timelib_tzinfo *) 0xb9dd30
#4  0x0000000000743ae2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff0ec81260, tsrm_ls=0x9f3030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2aff9bf02ff8
        original_return_value = (zval **) 0xb6bba0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 1
        should_change_scope = 0 '\0'
        ctor_opline = (zend_op *) 0xa0ec81260
#5  0x000000000074b16b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff0ec81260, tsrm_ls=0x9f3030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:1681
        opline = (zend_op *) 0x2aff9bf02ff8
        fname = (zval *) 0x2aff9bf03028
#6  0x0000000000743475 in execute (op_array=0x2aff9bf02b90, tsrm_ls=0x9f3030) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2aff9bf02ff8, function_state = {function_symbol_table = 0x0, function = 0xb6bbc0, reserved = {
      0x2aff9bf02cc8, 0x7fff0ec83920, 0x9f3030, 0x7fff0ec812d0}}, fbc = 0x0, op_array = 0x2aff9bf02b90, object = 0x0, Ts = 0x7fff0ec810f0,
  CVs = 0x7fff0ec810d0, original_in_execution = 0 '\0', symbol_table = 0x9f7448, prev_execute_data = 0x0, old_error_reporting = 0x0}
#7  0x0000000000716e3d in zend_execute_scripts (type=8, tsrm_ls=0x9f3030, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1100
        files = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fff0ec81530, reg_save_area = 0x7fff0ec81460}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff0ec83920
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#8  0x00000000006a19f6 in php_execute_script (primary_file=0x7fff0ec83920, tsrm_ls=0x9f3030) at /home/cristian/php5/main/main.c:1781
        realfile = "/home/cristian/php5/strtotime_mess.php\000_text\000\000\000\000\006\000\000\177\000\000&#65533;q\000\000\000\000\000strip_tags\000\000\000\000\000\000\006\000\000\177\000\000&#65533;q\000\000\000\000\000ltrim\000\000\000hX\206\000\000\000\000\000&#65533;031&#65533;234*\000\000&#65533;031&#65533;234*\000\000\000\000\000\000\000\000\000\000 \003\000\000\000\000\000\020\001\000\000\000\000\000\000\200\031&#65533;234*\000\000&#65533;031&#65533;234*\000\000@\000\000\000\000\000\000\000\020\002\000\000\000\000\000\000m\230i\000\000\000\000\000(&#65533;016\177\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fff0ec837d0
        __bailout = {{__jmpbuf = {47277321481216, -69012199529127418, 0, 140733441391488, 0, 0, -69012199529136010, -69051279480470703},
    __mask_was_saved = 0, __saved_mask = {__val = {8804456, 47277333267400, 47277321481216, 140733441386080, 47277320389954, 8018920, 0,
        11669200, 10471344, 47277335512960, 32768, 47277335512960, 47277333621936, 47277321481216, 8018944, 0}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
      closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
      closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff0ec81550 ""
        retval = 0
#9  0x00000000007a75dd in main (argc=2, argv=0x7fff0ec83b88) at /home/cristian/php5/sapi/cli/php_cli.c:1108
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47277321481216, -69012199529123866, 0, 140733441391488, 0, 0, -69012199529127402, -69051279479423016},
    __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 0, 0, 0, 140733441390816, 0, 0, 0, 0, 657315968, 47277321483840,
        47277321485664, 281474976710656}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff0ec852ad "strtotime_mess.php", opened_path = 0x0, handle = {fd = 12179552,
    fp = 0xb9d860, stream = {handle = 0xb9d860, reader = 0x732954 <zend_stream_stdio_reader>, closer = 0x732984 <zend_stream_stdio_closer>,
      fteller = 0x7329af <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff0ec852ad "strtotime_mess.php"
        arg_excp = (char **) 0x7fff0ec83b90
        script_file = 0x7fff0ec852ad "strtotime_mess.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        compiler_globals = (zend_compiler_globals *) 0x9f3030
        executor_globals = (zend_executor_globals *) 0x9f3030
        core_globals = (php_core_globals *) 0x9f3030
        sapi_globals = (sapi_globals_struct *) 0x9f31a0
        tsrm_ls = (void ***) 0x9f3030
        ini_entries_len = 110
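
The backtrace above shows `relunit` as a null pointer at the `switch (relunit->unit)` dereference, with `amount` at 9223372036854775807 (LLONG_MAX on this 64-bit build). As an added illustration (not timelib code and not the fix committed to CVS; the unit table, `lookup_unit` and `parse_relative` are hypothetical names), a relative-time parser that rejects an out-of-range number and a failed unit lookup instead of dereferencing the result:

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical unit table for illustration; not timelib's. */
typedef struct { const char *name; long long seconds; } rel_unit;
static const rel_unit UNITS[] = {
    { "sec", 1 }, { "min", 60 }, { "hour", 3600 }, { "day", 86400 }, { "week", 604800 },
};

/* Returns NULL for an unknown unit word, so every caller must check. */
static const rel_unit *lookup_unit(const char *word, size_t len)
{
    if (len > 1 && word[len - 1] == 's')
        len--;                               /* accept the plural form */
    for (size_t i = 0; i < sizeof UNITS / sizeof UNITS[0]; i++)
        if (strlen(UNITS[i].name) == len && memcmp(UNITS[i].name, word, len) == 0)
            return &UNITS[i];
    return NULL;
}

/* Parses "<number> <unit>" into seconds: 0 on success, -1 on rejection. */
int parse_relative(const char *s, long long *out_seconds)
{
    char *end;
    errno = 0;
    long long amount = strtoll(s, &end, 10);
    if (end == s || errno == ERANGE)         /* no digits, or clamped to LLONG_MAX/MIN */
        return -1;
    while (*end == ' ')
        end++;
    size_t len = 0;
    while (isalpha((unsigned char)end[len]))
        len++;
    const rel_unit *unit = lookup_unit(end, len);
    if (unit == NULL)                        /* check before unit->seconds is read */
        return -1;
    if (amount > LLONG_MAX / unit->seconds || amount < LLONG_MIN / unit->seconds)
        return -1;                           /* product would overflow */
    *out_seconds = amount * unit->seconds;
    return 0;
}
```
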
 [2006-12-11 04:08 UTC] judas dot iscariote at gmail dot com
for some reason, previous comment got the wrong email address. (I **do not work** for novell ):)

BTW..the backtrace is using current cvs (just compiled) 

PHP 5.2.1-dev (cli) (built: Dec 11 2006 00:58:29) (DEBUG)
 [2006-12-11 12:51 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

Fixed in CVS by Ilia.
 [2006-12-11 13:59 UTC] judas dot iscariote at gmail dot com
Works ok now.
 [2006-12-11 14:07 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 