Sec Bug #68027 AddressSanitizer reports a global buffer overflow in mkgmtime() function.
Submitted: 2014-09-16 09:42 UTC Modified: 2014-10-14 17:41 UTC
From: s dot paraschoudis at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.0 OS: Ubuntu 14.04.1 LTS 64bit
Private report: No CVE-ID: 2014-3668
 [2014-09-16 09:42 UTC] s dot paraschoudis at gmail dot com
Description:
------------
Please note that I cannot reproduce it without AddressSanitizer enabled


Test script:
---------------
POC1:
===============================
<?php
$d = '6-01-01 20:00:00';
xmlrpc_set_type($d, 'datetime');
?>

Result
===============================

=================================================================
==19848== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001e91064 at pc 0x11342a7 bp 0x7fffa3772e20 sp 0x7fffa3772e18
READ of size 4 at 0x000001e91064 thread T0
    #0 0x11342a6 in mkgmtime xmlrpc.c:180
    #1 0x11351b7 in date_from_ISO8601 xmlrpc.c:262
    #2 0x1138059 in XMLRPC_SetValueDateTime_ISO8601 xmlrpc.c:1725
    #3 0x1138111 in XMLRPC_CreateValueDateTime_ISO8601 xmlrpc.c:1759
    #4 0x112753b in set_zval_xmlrpc_type xmlrpc-epi-php.c:1367
    #5 0x1127ed4 in zif_xmlrpc_set_type xmlrpc-epi-php.c:1483
    #6 0x147d4a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #7 0x1492de4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER zend_vm_execute.h:2595
    #8 0x147aca1 in execute_ex zend_vm_execute.h:363
    #9 0x147aedc in zend_execute zend_vm_execute.h:388
    #10 0x13a606f in zend_execute_scripts zend.c:1330
    #11 0x119e3f7 in php_execute_script main.c:2584
    #12 0x15ebe12 in do_cli php_cli.c:994
    #13 0x15eef4d in main php_cli.c:1378
    #14 0x7f59079fcec4 in __libc_start_main libc-start.c:287
    #15 0x4427f8 in _start ??:?
0x000001e91064 is located 17 bytes to the right of global variable '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91040) of size 19
  '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' is ascii string 'xmlrpc-epi v. 0.51'
0x000001e91064 is located 28 bytes to the left of global variable 'mdays (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91080) of size 48
==19848== ABORTING


POC2:
===============================
<?php
$datetime = "2001-0-08T21:46:40-0400";

$obj = xmlrpc_decode("<?xml version=\"1.0\"?><methodResponse><params><param><value><dateTime.iso8601>$datetime</dateTime.iso8601></value></param></params></methodResponse>");
print_r($obj);
?>


=================================================================
==19909== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001e9107c at pc 0x11342a7 bp 0x7fffa4b10d20 sp 0x7fffa4b10d18
READ of size 4 at 0x000001e9107c thread T0
    #0 0x11342a6 in mkgmtime xmlrpc.c:180
    #1 0x11351b7 in date_from_ISO8601 xmlrpc.c:262
    #2 0x1138059 in XMLRPC_SetValueDateTime_ISO8601 xmlrpc.c:1725
    #3 0x112e56c in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:138
    #4 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #5 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #6 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #7 0x112e866 in xml_element_to_XMLRPC_REQUEST_worker xml_to_xmlrpc.c:167
    #8 0x112e905 in xml_element_to_XMLRPC_REQUEST xml_to_xmlrpc.c:184
    #9 0x1135f4e in XMLRPC_REQUEST_FromXML xmlrpc.c:819
    #10 0x1123322 in decode_request_worker xmlrpc-epi-php.c:786 (discriminator 3)
    #11 0x112397a in zif_xmlrpc_decode xmlrpc-epi-php.c:848 (discriminator 3)
    #12 0x147d4a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #13 0x1492de4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER zend_vm_execute.h:2595
    #14 0x147aca1 in execute_ex zend_vm_execute.h:363
    #15 0x147aedc in zend_execute zend_vm_execute.h:388
    #16 0x13a606f in zend_execute_scripts zend.c:1330
    #17 0x119e3f7 in php_execute_script main.c:2584
    #18 0x15ebe12 in do_cli php_cli.c:994
    #19 0x15eef4d in main php_cli.c:1378
    #20 0x7f5b53ea9ec4 in __libc_start_main libc-start.c:287
    #21 0x4427f8 in _start ??:?
0x000001e9107c is located 41 bytes to the right of global variable '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91040) of size 19
  '*.LC38 (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' is ascii string 'xmlrpc-epi v. 0.51'
0x000001e9107c is located 4 bytes to the left of global variable 'mdays (/home/symeon/Desktop/php-5.6.0/ext/xmlrpc/libxmlrpc/xmlrpc.c)' (0x1e91080) of size 48
==19909== ABORTING


Patches

fix-date-parsing (last revision 2014-09-29 23:52 UTC by stas@php.net)

History

 [2014-09-29 00:29 UTC] stas@php.net
Both issues seem to be a product of the same problem. Code in mkgmtime looks like this:

    return ((((((tm->tm_year - 70) * 365) + mdays[tm->tm_mon] + tm->tm_mday-1 +
                  (tm->tm_year-68-1+(tm->tm_mon>=2))/4) * 24) + tm->tm_hour) * 60 +
        tm->tm_min) * 60 + tm->tm_sec;

If tm_mon is outside of the mdays array, problems happen. However, in date_from_ISO8601, mon is calculated as:

    tm.tm_mon = 0;
    for(i = 0; i < 2; i++) {
       XMLRPC_IS_NUMBER(text[i])
       tm.tm_mon += (text[i+4]-'0')*n;
       n /= 10;
    }

As you can see, the check is for text[i] but the value used is text[i+4]. This leads to tm_mon having values which may be negative or may be more than the mdays array's size.

I will attach a patch shortly.
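As an added illustration (not xmlrpc-epi's code and not the patch attached to this bug), the C below re-implements just the month-field parse quoted above, once in the flawed shape and once in a checked shape, so that feeding it the two PoC strings yields the out-of-range mdays[] indices directly: -7 and -1, which with 4-byte ints correspond to the 28-byte and 4-byte left-of-mdays offsets ASan reported. The dash-stripping step and the function names are assumptions made for this example.

```c
#include <string.h>

/* Cumulative days before each month, as mkgmtime() indexes them. */
static const int mdays[12] = {0,31,59,90,120,151,181,212,243,273,304,334};

/* Copy iso into a zero-filled buf without '-' separators (the report's inputs
 * imply this normalisation happens before the digit loops; assumption). */
static void strip_dashes(const char *iso, char *buf, size_t cap)
{
    size_t j = 0;
    memset(buf, 0, cap);
    for (size_t i = 0; iso[i] != '\0' && j < cap - 1; i++)
        if (iso[i] != '-') buf[j++] = iso[i];
}

/* Mirrors the reported defect: validates buf[i] (a year digit) but consumes
 * buf[i+4]. Returns the 0-based month that mkgmtime() would use as an index. */
int month_index_flawed(const char *iso)
{
    char buf[32];
    int mon = 0, n = 10;
    strip_dashes(iso, buf, sizeof buf);
    for (int i = 0; i < 2; i++) {
        if (buf[i] < '0' || buf[i] > '9') return -1;   /* wrong byte checked */
        mon += (buf[i + 4] - '0') * n;                 /* unchecked byte used */
        n /= 10;
    }
    return mon - 1;                                    /* may be < 0 or > 11 */
}

/* Corrected shape: check the byte actually consumed, then range-check the
 * 0-based month before it can ever be used as an index. */
int month_index_checked(const char *iso)
{
    char buf[32];
    int mon = 0;
    strip_dashes(iso, buf, sizeof buf);
    for (int i = 4; i < 6; i++) {
        if (buf[i] < '0' || buf[i] > '9') return -1;
        mon = mon * 10 + (buf[i] - '0');
    }
    mon--;
    return (mon < 0 || mon > 11) ? -1 : mon;
}

/* Only touches mdays[] after the checked parse succeeds. */
int days_before_month(const char *iso)
{
    int mon = month_index_checked(iso);
    return mon < 0 ? -1 : mdays[mon];
}
```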
 [2014-09-29 00:34 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: fix-date-parsing
Revision:   1411950882
URL:        https://bugs.php.net/patch-display.php?bug=68027&patch=fix-date-parsing&revision=1411950882
 [2014-09-29 05:33 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2014-3668
 [2014-09-29 23:52 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: fix-date-parsing
Revision:   1412034756
URL:        https://bugs.php.net/patch-display.php?bug=68027&patch=fix-date-parsing&revision=1412034756
 [2014-10-14 17:42 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:42 UTC] stas@php.net
-Status: Open +Status: Closed
 [2014-10-14 17:44 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:46 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2142d78281fe093043b50897d8a22f00910dfd0c
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:46 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b261789a6db3d3eb62752f0a2576b3acdd9e3a7
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2142d78281fe093043b50897d8a22f00910dfd0c
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-14 17:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 10:10 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b261789a6db3d3eb62752f0a2576b3acdd9e3a7
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 10:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2142d78281fe093043b50897d8a22f00910dfd0c
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 10:11 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=44035de79f5b9646064d9bdd0329a946b0c5372a
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-10-15 12:08 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=886b8efbee605b6e5caa2e8d52475077757175fc
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-11-03 19:40 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2014-11-12 08:28 UTC] drpaneas at gmail dot com
Can you tell me how I can reproduce it using AddressSanitizer? I am using this PHP script to invoke the bug: http://pastebin.com/5BezBkVe
and the output I've got is: http://pastebin.com/xWXyVt7m

Then I patch my PHP to the newer version, but I still get the exact same output. How can I verify that my system is not affected by this bug?
 [2014-11-18 20:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88412772d295ebf7dd34409534507dc9bcac726e
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2b261789a6db3d3eb62752f0a2576b3acdd9e3a7
Log: Fix bug #68027 - fix date parsing in XMLRPC lib
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Feb 02 20:01:29 2025 UTC