Bug #48768 parse_ini_*() crash with INI_SCANNER_RAW
Submitted: 2009-07-02 07:04 UTC Modified: 2009-08-04 02:57 UTC
From: aharvey@php.net Assigned:
Status: Closed Package: PHP options/info functions
PHP Version: 5.3CVS-2009-07-02 (CVS) OS: Linux x86
Private report: No CVE-ID: None

 [2009-07-02 07:04 UTC] aharvey@php.net
Description:
------------
parse_ini_file() crashes in INI_SCANNER_RAW mode if a configuration item consists solely of an equals sign.

Reproduce code:
---------------
INI file contents:

equal = "="


PHP script:

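<?php
// Normal scanner mode: parses the value as expected.
$ini = parse_ini_file('equals.ini', false, INI_SCANNER_NORMAL);
var_dump($ini);

// Raw scanner mode: this call triggers the crash.
$ini = parse_ini_file('equals.ini', false, INI_SCANNER_RAW);
var_dump($ini);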


Expected result:
----------------
array(1) {
  ["equal"]=>
  string(1) "="
}
array(1) {
  ["equal"]=>
  string(1) "="
}

Actual result:
--------------
array(1) {
  ["equal"]=>
  string(1) "="
}
Segmentation fault (core dumped)


gdb backtrace:

#0  0xb75f58b1 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x083d5e5b in zend_strndup (s=0xb7f14009 <Address 0xb7f14009 out of bounds>, length=3086171320) at /usr/include/bits/string3.h:52
#2  0x083d1b21 in ini_lex (ini_lval=0xbf9321d8) at Zend/zend_ini_scanner.l:343
#3  0x083cf9fe in ini_parse () at /h/aharvey/trees/php5/Zend/zend_ini_parser.c:1557
#4  0x083cfe91 in zend_parse_ini_file (fh=0xbf9322d0, unbuffered_errors=0 '\0', scanner_mode=1, ini_parser_cb=0x8320f20 <php_simple_ini_parser_cb>, arg=0xa29d148) at /h/aharvey/trees/php5/Zend/zend_ini_parser.y:206
#5  0x0831f829 in zif_parse_ini_file (ht=3, return_value=0xa29d148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /h/aharvey/trees/php5/ext/standard/basic_functions.c:5937
#6  0x08412a12 in execute_internal (execute_data_ptr=0xa2cddd8, return_value_used=1) at /h/aharvey/trees/php5/Zend/zend_execute.c:1256
#7  0xb728dab0 in xdebug_execute_internal (current_execute_data=0xa2cddd8, return_value_used=1) at /tmp/pear/temp/xdebug/xdebug.c:1630
#8  0x0843c9af in zend_do_fcall_common_helper_SPEC (execute_data=0xa2cddd8) at /h/aharvey/trees/php5/Zend/zend_vm_execute.h:315
#9  0x0841a08e in execute (op_array=0xa29c554) at /h/aharvey/trees/php5/Zend/zend_vm_execute.h:104
#10 0xb728d734 in xdebug_execute (op_array=0xa29c554) at /tmp/pear/temp/xdebug/xdebug.c:1561
#11 0x083f12f6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /h/aharvey/trees/php5/Zend/zend.c:1188
#12 0x0839f610 in php_execute_script (primary_file=0xbf9348f4) at /h/aharvey/trees/php5/main/main.c:2196
#13 0x08476002 in main (argc=2, argv=0xbf934a54) at /h/aharvey/trees/php5/sapi/cli/php_cli.c:1188

 [2009-07-03 00:49 UTC] scottmac@php.net
I can reproduce this though I'm curious why re2c isn't picking this up.

We have
<ST_RAW>{RAW_VALUE_CHARS}+ {

And RAW_VALUE_CHARS is
RAW_VALUE_CHARS [^=\n\r;]

So that code shouldn't even be executing, I'll need to look at it some more.
 [2009-07-07 17:10 UTC] jani@php.net
Simply removing the '=' from RAW_VALUE_CHARS fixes both this and bug #48769.
 [2009-08-04 02:56 UTC] svn@php.net
Automatic comment from SVN on behalf of jani
Revision: http://svn.php.net/viewvc/?view=revision&revision=286783
Log: - Fixed bug #48768 (parse_ini_*() crash with INI_SCANNER_RAW)
 [2009-08-04 02:57 UTC] jani@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
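
A regression check for the case in this report, as an added example that is not part of the bug thread or of php-src: it parses each input in a child PHP process so that a scanner crash is recorded as a failed case rather than ending the run. It assumes the harness runs on PHP 7.4+ CLI; the optional first argument (path of the PHP binary under test), the helper name `parse_in_child` and every input except the report's `equal = "="` are constructed for this example.

```php
<?php
// Added example, not code from the bug report or from php-src.
// Usage: php check.php [path-to-php-binary-under-test]
$php = $argv[1] ?? PHP_BINARY;   // assumption: defaults to the running CLI binary

// Constructed inputs. The first is the report's equals.ini; the others are
// neighbouring cases chosen for this example.
$cases = [
    'equal = "="'   => ['equal' => '='],
    'pair = "a=b"'  => ['pair' => 'a=b'],
    'plain = value' => ['plain' => 'value'],
];
$modes = [
    'INI_SCANNER_NORMAL' => INI_SCANNER_NORMAL,
    'INI_SCANNER_RAW'    => INI_SCANNER_RAW,
];

// Runs parse_ini_file() in a child process; returns [exit status, decoded result].
function parse_in_child(string $php, string $ini, int $mode): array
{
    $file = tempnam(sys_get_temp_dir(), 'ini');
    file_put_contents($file, $ini . "\n");
    $code = 'echo json_encode(parse_ini_file($argv[1], false, (int) $argv[2]));';
    // Array form of proc_open() (PHP 7.4+) avoids shell quoting of the path.
    $cmd  = [$php, '-n', '-r', $code, '--', $file, (string) $mode];
    $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        unlink($file);
        return [-1, null];
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);   // non-zero if the child crashed or errored
    unlink($file);
    return [$status, json_decode($out, true)];
}

$failures = 0;
foreach ($cases as $ini => $expected) {
    foreach ($modes as $name => $mode) {
        [$status, $result] = parse_in_child($php, $ini, $mode);
        $ok = ($status === 0 && $result === $expected);
        $failures += $ok ? 0 : 1;
        printf("%-4s %-18s %s\n", $ok ? 'ok' : 'FAIL', $name, $ini);
    }
}
exit($failures === 0 ? 0 : 1);
```

The script exits non-zero when any case fails, so it can gate a build or CI job.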


 
Last updated: Tue Dec 03 17:01:29 2024 UTC