php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #69551 parse_ini_file() and parse_ini_string() segmentation fault
Submitted: 2015-04-30 13:29 UTC Modified: 2015-06-10 20:23 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: nystrom dot lars dot egon at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Filesystem function related
PHP Version: 5.6.9 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nystrom dot lars dot egon at gmail dot com
New email:
PHP Version: OS:

 

 [2015-04-30 13:29 UTC] nystrom dot lars dot egon at gmail dot com 
Description:
------------
This bug affects both parse_ini_file() and parse_ini_string().

If you try to parse a string which contains a line feed followed by an escape character PHP will crash with a segmentation fault. This only happens when using the INI_SCANNER_RAW mode.

With "line feed followed by escape character" I mean two bytes with the following values: 0x0A 0x1B.

This affects all version of PHP I've tried: PHP 5.6.8, PHP 5.5.24 and PHP 5.3.29.

Test script:
---------------
<?php

$a = '[Network.eth0]
SubnetMask = "
"';

parse_ini_string($a, false, \INI_SCANNER_RAW);

Patches

raw-ini-scanner-segfault (last revision 2015-04-30 16:40 UTC by cmb@php.net)

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-04-30 13:35 UTC] nystrom dot lars dot egon at gmail dot com 
Here's a better test script:

<?php

$a = '[Network.eth0]
SubnetMask = "' . "\x0A\x1B" . '"';

parse_ini_string($a, false, \INI_SCANNER_RAW);
 [2015-04-30 16:40 UTC] cmb@php.net 
The following patch has been added/updated:

Patch Name: raw-ini-scanner-segfault
Revision:   1430412052
URL:        https://bugs.php.net/patch-display.php?bug=69551&patch=raw-ini-scanner-segfault&revision=1430412052
 [2015-04-30 16:42 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2015-04-30 16:42 UTC] cmb@php.net 
The escape character is actually irrelevant. The problem is a
linebreak immediately following a double-quote for a value. In
this case the ini scanner goes to end_raw_value_chars:[1] and
yyleng is set to 1. That causes

  (yytext[0] == '"' && yytext[yyleng - 1] == '"')
  
to be true, and yyleng is decreased by 2. Thus a token with length
-1 is returned.

The solution is to avoid the above condition being true, when
there is only a single quote (the quote on the next line is
irrelevant, as the raw scanner does not allow linebreaks in
values). See the attached patch "raw-ini-scanner-segfault".

[1] <http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_ini_scanner.l#518>
 [2015-06-03 07:28 UTC] nystrom dot lars dot egon at gmail dot com 
This is still a pretty big issue for me, since there's no way to catch this error in PHP. When can I expect this bug to be fixed?
 [2015-06-04 00:54 UTC] cmb@php.net
-Operating System: Linux +Operating System: * -PHP Version: 5.6.8 +PHP Version: 5.6.9
 [2015-06-04 00:54 UTC] cmb@php.net 
I have submitted a respective PR, what might accelerate the fix to
be merged. However, there are a lot of open PRs and the resources
to review them are limited, so please be patient.

If you really need the fix now, consider to compile PHP yourself,
applying the attached patch.
 [2015-06-10 20:23 UTC] cmb@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: cmb
 [2015-06-10 20:23 UTC] cmb@php.net 
The fix for this bug has been committed.

Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Nov 22 16:01:30 2024 UTC