Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
Submitted: 2013-08-27 04:34 UTC Modified: 2013-08-30 07:49 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dhiru dot kholia at gmail dot com Assigned: remi (profile)
Status: Closed Package: Date/time related
PHP Version: 5.5.3 OS: Fedora 19
Private report: No CVE-ID: None
 [2013-08-27 04:34 UTC] dhiru dot kholia at gmail dot com
Description:
------------
Summary: stack-buffer-overflow exists in DateTimeZone stuff which was caught by AddressSanitizer.

I am using Fedora 19's GCC which supports AddressSanitizer.

1. Download and extract php-5.5.3.tar.xz

2. Configure build flags,

   export CFLAGS="-fsanitize=address -O2 -ggdb"

   export LDFLAGS="-fsanitize=address"

3. Build PHP as usual using "make".

4. Running ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php crashes with,

    *** Testing clone on DateTime objects ***
    =================================================================
    ==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7 ...
    READ of size 1 at 0x7fff0209a9d7 thread T0
        #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
        #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
        #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
        #3 0x9d8f1b in zif_var_dump /scratch/php-5.5.3/ext/standard/var.c:183 (discriminator 2)
        #4 0xdf048c in zend_do_fcall_common_helper_SPEC /scratch/php-5.5.3/Zend/zend_vm_execute.h:543
        #5 0xc01a9f in execute_ex /scratch/php-5.5.3/Zend/zend_vm_execute.h:356
        #6 0xb8394e in zend_execute_scripts /scratch/php-5.5.3/Zend/zend.c:1316
        #7 0xa5b2d4 in php_execute_script /scratch/php-5.5.3/main/main.c:2484
        #8 0xdf4ff1 in do_cli /scratch/php-5.5.3/sapi/cli/php_cli.c:994
        #9 0x434deb in main /scratch/php-5.5.3/sapi/cli/php_cli.c:1378
        #10 0x386b021b74 in ?? ??:0
        #11 0x435388 in _start ??:?



Test script:
---------------
$ ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php 


 [2013-08-30 05:59 UTC] remi@php.net
Reproduced with the php5.5-201308300430 snapshot.

This issue makes 62 tests fail, all in the date extension.

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
date_isodate_set() tests [ext/date/tests/012.phpt]
date_date_set() tests [ext/date/tests/013.phpt]
timezone_offset_get() tests [ext/date/tests/014.phpt]
Test clone on DateTimeZone objects [ext/date/tests/DateTimeZone_clone_basic1.phpt]
Testing clone on objects whoose class derived from DateTimeZone class [ext/date/tests/DateTimeZone_clone_basic2.phpt]
Test clone of DateTimeZOne objects [ext/date/tests/DateTimeZone_clone_basic3.phpt]
Test new DateTimeZone() : basic functionality [ext/date/tests/DateTimeZone_construct_basic.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_1.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_2.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_3.phpt]
Test clone of objects whoose class derived from DateTime class [ext/date/tests/DateTime_clone_basic2.phpt]
Test clone of DateTime objects [ext/date/tests/DateTime_clone_basic3.phpt]
Test new DateTime() : basic functionality [ext/date/tests/DateTime_construct_basic1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to first argument $time. [ext/date/tests/DateTime_construct_variation1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to second argument $timezone. [ext/date/tests/DateTime_construct_variation2.phpt]
Test DateTime::modify() function : usage variation - Passing unexpected values to first argument $modify. [ext/date/tests/DateTime_modify_variation1.phpt]
Test serialization of DateTime objects [ext/date/tests/DateTime_serialize.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to first argument $year. [ext/date/tests/DateTime_setDate_variation1.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to second argument $month. [ext/date/tests/DateTime_setDate_variation2.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to third argument $day. [ext/date/tests/DateTime_setDate_variation3.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to first argument $year. [ext/date/tests/DateTime_setISODate_variation1.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to second argument $week. [ext/date/tests/DateTime_setISODate_variation2.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to third argument $day. [ext/date/tests/DateTime_setISODate_variation3.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to first argument $hour. [ext/date/tests/DateTime_setTime_variation1.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to second argument $minute. [ext/date/tests/DateTime_setTime_variation2.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to third argument $second. [ext/date/tests/DateTime_setTime_variation3.phpt]
Bug #41523 (strtotime('0000-00-00 00:00:00') is parsed as 1999-11-30) (64 bit) [ext/date/tests/bug41523-64bit.phpt]
Bug #45682 (Unable to var_dump(DateInterval)) [ext/date/tests/bug45682.phpt]
Bug #46108 (DateTime - Memory leak when unserializing) [ext/date/tests/bug46108.phpt]
Bug #48097 (date_timezone_set function produces wrong datetime result) [ext/date/tests/bug48097.phpt]
Bug #48678 (DateInterval segfaults when unserialising) [ext/date/tests/bug48678.phpt]
Bug #49081 (DateTime::diff() mistake if start in January and interval > 28 days) [ext/date/tests/bug49081.phpt]
Bug #49778 (DateInterval::format("%a") is always zero when an interval is created from an ISO string) [ext/date/tests/bug49778.phpt]
Bug #51866 (Lenient parsing with parseFromFormat) [ext/date/tests/bug51866.phpt]
Bug #52113 (Seg fault while creating (by unserialization) DatePeriod) [ext/date/tests/bug52113.phpt]
Bug #52738 (Can't use new properties in class extended from DateInterval) [ext/date/tests/bug52738.phpt]
Bug #52808 (Segfault when specifying interval as two dates) [ext/date/tests/bug52808.phpt]
Bug #53437 (Crash when using unserialized DatePeriod instance), variation 1 [ext/date/tests/bug53437.phpt]
Bug #53437 DateInterval basic serialization [ext/date/tests/bug53437_var2.phpt]
Bug #53437 (Check that var_dump out is the same using the whole object or it's single properties), variation 4 [ext/date/tests/bug53437_var4.phpt]
Bug #53437 DateInterval unserialize bad data, 64 bit [ext/date/tests/bug53437_var5.phpt]
Bug #54316 (DateTime::createFromFormat does not handle trailing '|' correctly) [ext/date/tests/bug54316.phpt]
Bug #54340 (DateTime::add() method bug) [ext/date/tests/bug54340.phpt]
Bug #60236 (TLA timezone dates are not converted properly from timestamp) [ext/date/tests/bug60236.phpt]
Bug #60774 (DateInterval::format("%a") is always zero when an interval is created using the createFromDateString method) [ext/date/tests/bug60774.phpt]
Test for + character in date format [ext/date/tests/date-lenient-create.phpt]
Test date_create() function : basic functionality [ext/date/tests/date_create_basic.phpt]
Test date_create() function : usage variation - Passing unexpected values to first argument $time. [ext/date/tests/date_create_variation1.phpt]
Test date_create() function : usage variation - Passing unexpected values to second argument $timezone. [ext/date/tests/date_create_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to second argument $year. [ext/date/tests/date_date_set_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to third argument $month. [ext/date/tests/date_date_set_variation3.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to forth argument $day. [ext/date/tests/date_date_set_variation4.phpt]
Test for date_diff with timezone abbreviations. [ext/date/tests/date_diff1.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to second argument $year. [ext/date/tests/date_isodate_set_variation2.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to third argument $week. [ext/date/tests/date_isodate_set_variation3.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to forth argument $day. [ext/date/tests/date_isodate_set_variation4.phpt]
Test date_modify() function : usage variation - Passing unexpected values to second argument $format. [ext/date/tests/date_modify_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to second argument $hour. [ext/date/tests/date_time_set_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to third argument $minute. [ext/date/tests/date_time_set_variation3.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to forth argument $sec. [ext/date/tests/date_time_set_variation4.phpt]
date_create_from_format() and date_parse_from_format(). [ext/date/tests/test-parse-from-format.phpt]
Test timezone_open() function : basic functionality [ext/date/tests/timezone_open_basic1.phpt]
=====================================================================
 [2013-08-30 06:01 UTC] remi@php.net
-Package: Reproducible crash +Package: Date/time related
 [2013-08-30 06:01 UTC] remi@php.net
Reassigning as Date/Time related, as only this extension is affected.
 [2013-08-30 07:49 UTC] remi@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: remi
 [2013-08-30 07:49 UTC] remi@php.net
Found:
-zend_hash_update(props, "days", 5, &zv, sizeof(zval), NULL);
+zend_hash_update(props, "days", 5, &zv, sizeof(zv), NULL);
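Review bot: the one-token change is the right fix, and the reason is worth stating: the call passes `&zv`, so the element being stored is the variable `zv` itself, and the fix only changes behaviour because `sizeof(zv)` differs from `sizeof(zval)`, i.e. `zv` is a pointer to a zval rather than a zval. With `sizeof(zval)` the hash copied more bytes than the pointer variable occupies on the stack, which is exactly the READ in `_zend_hash_add_or_update` at frame #0 of the reporter's trace, reached from `date_object_get_properties_timezone` at frame #1. `sizeof(zv)` ties the copy length to the variable rather than to the type. Before committing, grep the same file for other `zend_hash_update(..., &zv, sizeof(zval), ...)` calls, since the failing-test list above includes DateTime and DateInterval tests as well as DateTimeZone ones, and confirm whether they all go through this line or whether sibling calls have the same mismatch.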

Will run some more tests and will commit the fix.
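The fix above turns on which `sizeof` is taken. The following is an added example, not PHP's code: a toy zval and a toy hash bucket (invented layouts, not the real ones) model what a generic hash copy such as `_zend_hash_add_or_update` does with the size it is handed, `overread_bytes()` reports how many bytes the `sizeof(type)` form reads past a pointer variable, and a macro ties the size to the variable so the mismatch cannot recur. All names here are the example's own. Compiled with `-fsanitize=address` and run with the argument `buggy`, it triggers the same class of report the original post shows; without the argument it only exercises the fixed path.

```c
/* Added example, not PHP source: models the sizeof(type) vs sizeof(variable)
   mistake behind bug #65564 and a way to make it unrepresentable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for PHP 5's zval and a hash bucket; the real layouts differ. */
typedef struct {
    long lval;
    double dval;
    unsigned int refcount;
    unsigned char type;
} toy_zval;

typedef struct {
    char key[16];
    unsigned char data[32];   /* inline copy of the stored element */
    size_t size;              /* how many bytes were copied in */
} toy_bucket;

/* Copies `size` bytes from `data` into the bucket, like a generic hash
   update. It has to trust the caller's size: nothing here can tell that
   `data` points at fewer bytes than `size`. */
static int toy_hash_update(toy_bucket *b, const char *key,
                           const void *data, size_t size)
{
    if (size > sizeof b->data) {
        return -1;            /* refuse sizes the bucket cannot hold */
    }
    strncpy(b->key, key, sizeof b->key - 1);
    b->key[sizeof b->key - 1] = '\0';
    memcpy(b->data, data, size);   /* over-reads if the caller's size is wrong */
    b->size = size;
    return 0;
}

/* Derive the size from the variable being stored, never from a type name. */
#define TOY_HASH_UPDATE_VAR(b, key, var) \
    toy_hash_update((b), (key), &(var), sizeof(var))

/* Bytes the pre-fix form reads past the end of a zval pointer variable. */
size_t overread_bytes(void)
{
    return sizeof(toy_zval) - sizeof(toy_zval *);
}

/* Fixed path: store the pointer value itself and read it back. */
toy_zval *store_pointer(toy_bucket *b, toy_zval *zv)
{
    toy_zval *out;
    TOY_HASH_UPDATE_VAR(b, "days", zv);
    memcpy(&out, b->data, sizeof out);
    return out;
}

/* 1 when the fixed path copies exactly one pointer and round-trips it. */
int fixed_path_ok(void)
{
    toy_zval days = { 5, 0.0, 1, 1 };   /* constructed sample value */
    toy_zval *zv = &days;
    toy_bucket b;

    memset(&b, 0, sizeof b);
    return store_pointer(&b, zv) == zv && b.size == sizeof(toy_zval *);
}

int main(int argc, char **argv)
{
    toy_zval days = { 5, 0.0, 1, 1 };
    toy_zval *zv = &days;   /* a pointer on the stack, like zv in the fix */
    toy_bucket b;

    memset(&b, 0, sizeof b);
    printf("pointer: %zu bytes, zval: %zu bytes, pre-fix over-read: %zu bytes\n",
           sizeof zv, sizeof(toy_zval), overread_bytes());
    printf("fixed path round-trips: %s\n", fixed_path_ok() ? "yes" : "no");

    if (argc > 1 && strcmp(argv[1], "buggy") == 0) {
        /* Pre-fix shape: sizeof(type) with the address of a pointer variable.
           Under -fsanitize=address this is reported as a stack-buffer-overflow
           READ, because memcpy reads past the 8 bytes that `zv` occupies. */
        toy_hash_update(&b, "days", &zv, sizeof(toy_zval));
        printf("buggy call copied %zu bytes from a %zu-byte variable\n",
               b.size, sizeof zv);
    }
    return 0;
}
```

The macro is the transferable part: when the size argument is spelled `sizeof(var)` next to `&(var)`, a later change to the variable's type cannot desynchronise the two, which is the invariant the one-word fix restores by hand.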
 [2013-08-30 08:46 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d69513afecf3d82c6bfba35ef1634b3b7c377d87
Log: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2013-08-30 08:46 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2013-08-30 08:46 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6fab1caa4100cf05fcf485ef0917830ae9f57563
Log: Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6fab1caa4100cf05fcf485ef0917830ae9f57563
Log: Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2014-08-22 07:07 UTC] ab@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a296e3d032b9c24477b558668f59a15dd7887669
Log: Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2014-08-22 07:07 UTC] ab@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3df4c3eb7020e48c063cdce18bf1e54a214891ca
Log: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2014-10-07 23:17 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=d69513afecf3d82c6bfba35ef1634b3b7c377d87
Log: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=d69513afecf3d82c6bfba35ef1634b3b7c377d87
Log: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2016-07-20 11:41 UTC] davey@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a296e3d032b9c24477b558668f59a15dd7887669
Log: Fixed bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 [2016-07-20 11:41 UTC] davey@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3df4c3eb7020e48c063cdce18bf1e54a214891ca
Log: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
Last updated: Thu Nov 21 15:01:30 2024 UTC