PHP :: Bug #70157 :: parse_ini_string() segmentation fault with INI_SCANNER

Bug #70157	parse_ini_string() segmentation fault with INI_SCANNER_TYPED
Submitted:	2015-07-28 12:31 UTC	Modified:	2015-08-07 03:30 UTC
From:	publikusmail at postafiok dot hu	Assigned:	datibbaw (profile)
Status:	Closed	Package:	Filesystem function related
PHP Version:	php-5.6	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	publikusmail at postafiok dot hu
New email:
PHP Version:		OS:

New Comment:

[2015-07-28 12:31 UTC] publikusmail at postafiok dot hu

Description:
------------
This bug affects both parse_ini_file() and parse_ini_string() functions.

A string value starting with a number and without quotes causes segmentation fault, whenever mode is set to INI_SCANNER_TYPED.

PHP versions tested: 5.6.9, 7.0.0b2
OS tested: Debian 8.1, Windows 8.1

Test script:
---------------
<?php

$ini = "

[agatha.christie]
title = 10 little indians

";

var_dump(parse_ini_string($ini, true, INI_SCANNER_TYPED));

?>

Expected result:
----------------
array(1) {
  ["agatha.christie"]=>
  array(1) {
    ["title"]=>
    string(17) "10 little indians"
  }
}

Actual result:
--------------
segmentation fault

Patches

Pull Requests

Pull requests:

Fixed #70157 - parse_ini_string() segfault with INI_SCANNER_TYPED (php-src/1463)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-07-28 19:32 UTC] cmb@php.net

-Status: Open +Status: Verified

[2015-07-28 19:32 UTC] cmb@php.net

Confirmed:

Program received signal SIGSEGV, Segmentation fault.
0x00000000005e78e2 in zend_ini_add_string (result=0x7fffffff9cd0,
    op1=0x7fffffff9d20, op2=0x7fffffff9d30)
    at /home/cmb/php-src/Zend/zend_ini_parser.y:105
105             int op1_len = (int)Z_STRLEN_P(op1);
(gdb) bt
#0  0x00000000005e78e2 in zend_ini_add_string (result=0x7fffffff9cd0,
    op1=0x7fffffff9d20, op2=0x7fffffff9d30)
    at /home/cmb/php-src/Zend/zend_ini_parser.y:105
#1  0x00000000005e8a40 in ini_parse ()
    at /home/cmb/php-src/Zend/zend_ini_parser.y:348
#2  0x00000000005e7e51 in zend_parse_ini_string (
    str=0x7ffff687f070 "\n\n[agatha.christie]\ntitle = 10 little indians\n\n", u
nbuffered_errors=0 '\000', scanner_mode=2,
    ini_parser_cb=0x526878 <php_ini_parser_cb_with_sections>,
    arg=0x7ffff68130b0) at /home/cmb/php-src/Zend/zend_ini_parser.y:238
#3  0x0000000000526bf8 in zif_parse_ini_string (execute_data=0x7ffff6813140,
    return_value=0x7ffff68130b0)
    at /home/cmb/php-src/ext/standard/basic_functions.c:5957
    
The problem is obvious. op1 in zend_ini_add_string is IS_LONG,
but is treated as IS_STRING. The solution, however, is not so
obvious to me.

[2015-07-29 03:12 UTC] laruence@php.net

-Assigned To: +Assigned To: datibbaw

[2015-07-29 03:12 UTC] laruence@php.net

actually, this is introduced in 5.6, not a php7 specific issue. 

@datibbaw, could you please have a look ?

[2015-07-29 03:13 UTC] laruence@php.net

-PHP Version: 7.0.0beta2 +PHP Version: php-5.6

[2015-08-07 03:30 UTC] pierrick@php.net

An other segfault due to the same problem:

$ini = "foo[1] = bar";
var_dump(parse_ini_string($ini, true, INI_SCANNER_TYPED));

[2015-08-07 04:02 UTC] datibbaw@php.net

Sorry for the delay, I'll have a look!

[2015-08-15 09:03 UTC] datibbaw@php.net

Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0d7159d26d277e34b4b2df4c1e49ec51ffb229cf
Log: Fixed #70157 parse_ini_string() segmentation fault with INI_SCANNER_TYPED

[2015-08-15 09:03 UTC] datibbaw@php.net

-Status: Verified +Status: Closed

[2015-08-18 16:24 UTC] ab@php.net

Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0d7159d26d277e34b4b2df4c1e49ec51ffb229cf
Log: Fixed #70157 parse_ini_string() segmentation fault with INI_SCANNER_TYPED

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 14:00:01 2025 UTC