Bug #50987 unaligned memory access in phar.c
Submitted: 2010-02-10 07:27 UTC Modified: 2010-11-20 20:27 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: geissert at debian dot org Assigned: iliaa
Status: Closed Package: PHAR related
PHP Version: 5.3.1 OS: linux ia64
Private report: No CVE-ID: None
 [2010-02-10 07:27 UTC] geissert at debian dot org
Description:
------------
There's an unaligned memory access in ext/phar/phar.c's phar_set_32 function.

The following patch fixes it:

--- php.orig/ext/phar/phar.c
+++ php/ext/phar/phar.c
@@ -2491,7 +2491,7 @@ static inline void phar_set_32(char *buf
        *((buffer) + 1) = (unsigned char) (((var) >> 8) & 0xFF);
        *((buffer) + 0) = (unsigned char) ((var) & 0xFF);
 #else
-       *(php_uint32 *)(buffer) = (php_uint32)(var);
+       memcpy(buffer, &var, sizeof(var));
 #endif
 } /* }}} */
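Review bot: In the #else branch, memcpy(buffer, &var, sizeof(var)) sizes the copy by the type of var, whereas the removed line wrote exactly one php_uint32. The declaration of var is cut off in the hunk header, so confirm it is a 32-bit type; otherwise copy from a php_uint32 temporary or use sizeof(php_uint32) so the function always writes 4 bytes. A one-line comment saying the memcpy is there for alignment would also keep it from being turned back into the cast later.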



 [2010-02-10 20:05 UTC] pajoye@php.net
hi,

Can you provide test cases for these crashes please? As well as your settings (CFLAGS&co) as I can't see crashes on IA64 here (or other 64bit platforms). Same applies for your other reports :)

Thanks for your feedback!
 [2010-02-10 20:32 UTC] geissert at debian dot org
The phar one was found while building the extension itself (the call to php in ext/phar/Makefile.frag to generate phar.php.)

There are probably more, but still have to process them. In the meanwhile, here's another (found while unpacking pear):

@@ -512,7 +512,7 @@ void phar_entry_remove(phar_entry_data *
        (buffer) += 2
 #else
 # define PHAR_GET_32(buffer, var) \
-       var = *(php_uint32*)(buffer); \
+       memcpy(&var, buffer, sizeof(var)); \
        buffer += 4
 # define PHAR_GET_16(buffer, var) \
        var = *(php_uint16*)(buffer); \
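Review bot: PHAR_GET_16, in the context lines right below the change, still reads through *(php_uint16*)(buffer), the same cast-and-dereference pattern this hunk removes from PHAR_GET_32, so it needs the same memcpy treatment. Also, because PHAR_GET_32 is a macro, sizeof(var) follows whatever the caller passes while the pointer advances by a fixed 4; sizeof(php_uint32) or a 32-bit temporary would keep the read and the buffer += 4 in step.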

As for CFLAGS: -O2 -Wall -fsigned-char -fno-strict-aliasing -g -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Should be easy for you to find them by running the test suite under prctl --unaligned=signal (all the phar tests will fail.) That's how I found them all (I can provide the name of the tests that failed in a moment, I'm rebuilding with the patches I already provided.)
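An added example, not part of the report or of PHP's source: alignment-safe 32-bit accessors of the kind the patches above move towards, with a round-trip check at every byte offset so that misaligned addresses are exercised. The helper names and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names for illustration; not PHP's phar code.
 * memcpy through a fixed-width temporary moves exactly 4 bytes and
 * puts no alignment requirement on p. */
static void store_host32(unsigned char *p, uint32_t v)
{
    memcpy(p, &v, sizeof v);
}

static uint32_t load_host32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Little-endian load built from single bytes: alignment-safe and
 * independent of the host's byte order. */
static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Round-trip a value at offsets 0..7 (most are misaligned for a 4-byte
 * type) and check the 0xAA guard bytes around the 4 written bytes. */
static int roundtrip_failures(void)
{
    unsigned char buf[16];
    int off, i, failures = 0;
    for (off = 0; off < 8; off++) {
        uint32_t want = 0x11223344u + (uint32_t)off;
        memset(buf, 0xAA, sizeof buf);
        store_host32(buf + off, want);
        if (load_host32(buf + off) != want)
            failures++;
        for (i = 0; i < (int)sizeof buf; i++)
            if ((i < off || i >= off + 4) && buf[i] != 0xAA)
                failures++;
    }
    return failures;
}

int main(void)
{
    const unsigned char sample[5] = { 0x00, 0x78, 0x56, 0x34, 0x12 }; /* constructed */
    printf("failures=%d le32=0x%08x\n", roundtrip_failures(), (unsigned)load_le32(sample + 1));
    return 0;
}
```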
 [2010-03-06 02:20 UTC] geissert@php.net
Any reason for not applying the patch? cheers
 [2010-03-06 15:09 UTC] felipe@php.net
-Status: Open +Status: Assigned
 [2010-11-19 14:20 UTC] iliaa@php.net
-Assigned To: cellog +Assigned To: iliaa
 [2010-11-20 20:27 UTC] iliaa@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=305582
Log: Fixed bug #50987 (unaligned memory access in phar.c)
 [2010-11-20 20:27 UTC] iliaa@php.net
-Status: Assigned +Status: Closed
 [2010-11-20 20:27 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-11-20 21:59 UTC] kalle@php.net
Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=305584
Log: Added second fix from #50987 that wasn't a part of Ilia's commit
Last updated: Wed Apr 02 03:01:28 2025 UTC