Bug #70748 Segfault in ini_lex () at Zend/zend_ini_scanner.l:459
Submitted: 2015-10-20 00:28 UTC Modified: -
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.4.45 OS: Debian 7 x64
Private report: No CVE-ID: None
 [2015-10-20 00:28 UTC] brian dot carpenter at gmail dot com
Description:
------------
This crash was found with American Fuzzy Lop and affects the following versions of PHP:

PHP 5.4.45-0+deb7u1 (cli) (built: Sep 10 2015 08:34:47)
PHP 7.1.0-dev (cli) (built: Oct 17 2015 14:52:25) ( NTS )

A malformed ini file triggers a segfault in ini_lex () at Zend/zend_ini_scanner.l:459.


Test script:
---------------
<?php
define ('BIRD','Dodo bird');
$ini_array = parse_ini_file("test.ini");
print_r($ini_array);
?>

https://dl.dropboxusercontent.com/u/6088006/test.ini

Expected result:
----------------
No crash.

Actual result:
--------------
==51924== Invalid read of size 1
==51924==    at 0x131CFB4: ini_lex (zend_ini_scanner.l:459)
==51924==    by 0x130C155: ini_parse (zend_ini_parser.c:1637)
==51924==    by 0x130DCAF: zend_parse_ini_file (zend_ini_parser.y:217)
==51924==    by 0xFB5685: zif_parse_ini_file (basic_functions.c:5926)
==51924==    by 0x163D4D4: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==51924==    by 0x15F7B32: execute_ex (zend_vm_execute.h:414)
==51924==    by 0x18154C4: zend_execute (zend_vm_execute.h:458)
==51924==    by 0x143B857: zend_execute_scripts (zend.c:1428)
==51924==    by 0x11F3B2F: php_execute_script (main.c:2471)
==51924==    by 0x181E478: do_cli (php_cli.c:974)
==51924==    by 0x4526D0: main (php_cli.c:1345)
==51924==  Address 0x104022018 is not stack'd, malloc'd or (recently) free'd
==51924== 
==51924== 
==51924== Process terminating with default action of signal 11 (SIGSEGV)
==51924==  Access not within mapped region at address 0x104022018
==51924==    at 0x131CFB4: ini_lex (zend_ini_scanner.l:459)
==51924==    by 0x130C155: ini_parse (zend_ini_parser.c:1637)
==51924==    by 0x130DCAF: zend_parse_ini_file (zend_ini_parser.y:217)
==51924==    by 0xFB5685: zif_parse_ini_file (basic_functions.c:5926)
==51924==    by 0x163D4D4: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==51924==    by 0x15F7B32: execute_ex (zend_vm_execute.h:414)
==51924==    by 0x18154C4: zend_execute (zend_vm_execute.h:458)
==51924==    by 0x143B857: zend_execute_scripts (zend.c:1428)
==51924==    by 0x11F3B2F: php_execute_script (main.c:2471)
==51924==    by 0x181E478: do_cli (php_cli.c:974)
==51924==    by 0x4526D0: main (php_cli.c:1345)
==51924==  If you believe this happened as a result of a stack
==51924==  overflow in your program's main thread (unlikely but
==51924==  possible), you can try to increase the size of the
==51924==  main thread stack using the --main-stacksize= flag.
==51924==  The main thread stack size used in this run was 8388608.
Segmentation fault

%%%

Program received signal SIGSEGV, Segmentation fault.
0x000000000131cfb4 in ini_lex () at Zend/zend_ini_scanner.l:459
459		EAT_TRAILING_WHITESPACE();
(gdb) bt
#0  0x000000000131cfb4 in ini_lex () at Zend/zend_ini_scanner.l:459
#1  0x000000000130c156 in ini_parse ()
    at /home/geeknik/php-src/Zend/zend_ini_parser.c:1637
#2  0x000000000130dcb0 in zend_parse_ini_file ()
    at /home/geeknik/php-src/Zend/zend_ini_parser.y:217
#3  0x0000000000fb5686 in zif_parse_ini_file ()
#4  0x000000000163d4d5 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:586
#5  0x00000000015f7b33 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:414
#6  0x00000000018154c5 in zend_execute ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:458
#7  0x000000000143b858 in zend_execute_scripts ()
    at /home/geeknik/php-src/Zend/zend.c:1428
#8  0x00000000011f3b30 in php_execute_script ()
    at /home/geeknik/php-src/main/main.c:2471
#9  0x000000000181e479 in do_cli ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#10 0x00000000004526d1 in main ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1345
(gdb) i r
rax            0x7ffff7ff801b	140737354104859
rbx            0x1fee700	33482496
rcx            0xffffffff	4294967295
rdx            0x9	9
rsi            0x1c5ec40	29748288
rdi            0x20	32
rbp            0x7ffff7ff8018	0x7ffff7ff8018
rsp            0x7fffffff9820	0x7fffffff9820
r8             0x7fffffff9910	140737488328976
r9             0x7ffff7ff8003	140737354104835
r10            0xfffffffe	4294967294
r11            0xff	255
r12            0x1	1
r13            0x7ffff7ff801a	140737354104858
r14            0x7ffff7ff8000	140737354104832
r15            0x7ffff7ff802f	140737354104879
rip            0x131cfb4	0x131cfb4 <ini_lex+58820>
eflags         0x10286	[ PF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
 [2015-10-20 08:42 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d5f76caf6cf334d1bb4ca69662065b3bb34d76c5
Log: Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l)
 [2015-10-20 08:42 UTC] laruence@php.net
-Status: Open +Status: Closed
Last updated: Tue Dec 03 17:01:29 2024 UTC