php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65091 Scanner Bug
Submitted: 2013-06-21 21:30 UTC Modified: 2021-07-18 04:22 UTC
Votes:5
Avg. Score:3.8 ± 0.7
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: keithk at powderkeginteractive dot com Assigned: cmb (profile)
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.5.0 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: keithk at powderkeginteractive dot com
New email:
PHP Version: OS:

 

 [2013-06-21 21:30 UTC] keithk at powderkeginteractive dot com
Description:
------------
Environment:
-Debian Linux Etch, Lenny, Squeeze and Wheezy (standard LAMP stacks)
-Oracle Cluster File System (OCFS2)
-PHP 5.3, 5.4 and 5.5 (across any of the above systems)

PHP 5.3 and above seems to have an issue where the scanner scans past the end of a PHP script, allowing unexpected/junk characters to be tokenized and causing the parser to emit "unexpected ... at end of file" and related failures.

This has happened across many different valid PHP scripts, so there isn't any "test script" I can reasonably provide. A common theme among the scripts, however, is that they end with } or some other single-token character.

Note that this issue does *not* happen when using PHP 5.2 within the same environment and scripts.

I suspect that memory mapping with a look-ahead buffer, as PHP/Zend does, isn't always returning the ideal case of null-padded data. This may be related to the specific use of OCFS2... perhaps one bug revealing another.

At any rate, I've investigated the scanner and it does seem to make an assumption that supports the above edge case. The lex_scan function does not check if the buffer pointer is right at the limit, only before or after, allowing the scanner to read past the end of the buffer.

Proposed solution: replace all instances of "(YYCURSOR > YYLIMIT)" with "(YYCURSOR >= YYLIMIT)" in Zend/zend_language_scanner.l


Patches

fix_scanner_overread (last revision 2013-06-24 15:45 UTC by keithk at powderkeginteractive dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-06-24 00:27 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2013-06-24 00:27 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2013-06-24 13:10 UTC] keithk at powderkeginteractive dot com
-Status: Feedback +Status: Open
 [2013-06-24 13:10 UTC] keithk at powderkeginteractive dot com
Example script:

<?php echo 'testing'; ?>
 [2021-07-07 13:39 UTC] cmb@php.net
-Status: Open +Status: Feedback -Package: *General Issues +Package: Scripting Engine problem -Assigned To: +Assigned To: cmb
 [2021-07-07 13:39 UTC] cmb@php.net
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-07-18 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 20:01:29 2024 UTC