|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patchesproposal.patch (last revision 2013-11-08 17:12 UTC by remi@php.net)proposal.path (last revision 2013-11-08 17:11 UTC by remi@php.net) Pull RequestsHistoryAllCommentsChangesGit/SVN commits
[2013-11-08 15:00 UTC] jutaky at polarptr dot com
[2013-11-08 17:11 UTC] remi@php.net
[2013-11-08 17:12 UTC] remi@php.net
[2013-11-27 10:19 UTC] remi@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: remi
[2013-11-27 10:19 UTC] remi@php.net
[2014-01-07 15:37 UTC] remi@php.net
-Type: Security
+Type: Bug
[2014-07-29 21:57 UTC] johannes@php.net
[2014-08-14 15:34 UTC] johannes@php.net
[2014-08-14 19:32 UTC] dmitry@php.net
[2014-10-07 23:14 UTC] stas@php.net
[2014-10-07 23:16 UTC] stas@php.net
[2014-10-07 23:25 UTC] stas@php.net
[2014-10-07 23:27 UTC] stas@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Nov 23 09:01:28 2024 UTC |
Description: ------------ Heap buffer over-read in DateInterval. Versions affected, at least: 5.5.3 and 5.6.0-dev (master-git) Built with AddressSanitizer, prefix and debug. Test script: --------------- <?php new DateInterval('P170141183460469231731687303715884105729D'); ?> Actual result: -------------- ==6428== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600800019eba at pc 0x4bb89c bp 0x7fff79056660 sp 0x7fff79056658 READ of size 1 at 0x600800019eba thread T0 #0 0x4bb89b in scan /php-src/ext/date/lib/parse_iso_intervals.re:351 #1 0x4bf896 in timelib_strtointerval /php-src/ext/date/lib/parse_iso_intervals.re:485 (discriminator 1) #2 0x44461e in date_interval_initialize /php-src/ext/date/php_date.c:3984 #3 0x4467ff in zim_DateInterval___construct /php-src/ext/date/php_date.c:4147 #4 0xdfa974 in zend_do_fcall_common_helper_SPEC /php-src/Zend/zend_vm_execute.h:554 #5 0xdfd205 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /php-src/Zend/zend_vm_execute.h:689 #6 0xdf61f6 in execute_ex /php-src/Zend/zend_vm_execute.h:363 #7 0xdf7b3f in zend_execute /php-src/Zend/zend_vm_execute.h:388 #8 0xd374d9 in zend_execute_scripts /php-src/Zend/zend.c:1334 #9 0xbb4c3e in php_execute_script /php-src/main/main.c:2490 #10 0x10829ae in do_cli /php-src/sapi/cli/php_cli.c:994 #11 0x1085285 in main /php-src/sapi/cli/php_cli.c:1378 #12 0x7fbb22be5bc4 in __libc_start_main ??:? #13 0x421498 in _start ??:? 0x600800019eba is located 0 bytes to the right of 42-byte region [0x600800019e90,0x600800019eba) allocated by thread T0 here: #0 0x7fbb24276625 in ?? ??:0 #1 0x4b9da2 in timelib_string /php-src/ext/date/lib/parse_iso_intervals.re:125 #2 0x4bb442 in scan /php-src/ext/date/lib/parse_iso_intervals.re:320 #3 0x4bf896 in timelib_strtointerval /php-src/ext/date/lib/parse_iso_intervals.re:485 (discriminator 1) #4 0x44461e in date_interval_initialize /php-src/ext/date/php_date.c:3984 #5 0x4467ff in zim_DateInterval___construct /php-src/ext/date/php_date.c:4147 #6 0xdfa974 in zend_do_fcall_common_helper_SPEC /php-src/Zend/zend_vm_execute.h:554 #7 0xdfd205 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /php-src/Zend/zend_vm_execute.h:689 #8 0xdf61f6 in execute_ex /php-src/Zend/zend_vm_execute.h:363 #9 0xdf7b3f in zend_execute /php-src/Zend/zend_vm_execute.h:388 #10 0xd374d9 in zend_execute_scripts /php-src/Zend/zend.c:1334 #11 0xbb4c3e in php_execute_script /php-src/main/main.c:2490 #12 0x10829ae in do_cli /php-src/sapi/cli/php_cli.c:994 #13 0x1085285 in main /php-src/sapi/cli/php_cli.c:1378 #14 0x7fbb22be5bc4 in __libc_start_main ??:?