Bug #72498 variant_date_from_timestamp null dereference
Submitted: 2016-06-26 23:06 UTC Modified: 2018-04-03 15:27 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: COM related
PHP Version: 7.1 OS: Windows
Private report: No CVE-ID: None
 [2016-06-26 23:06 UTC] fernando at null-life dot com
Description:
------------
variant_date_from_timestamp fails when the value passed is PHP_INT_MAX. Only a check for negative values was implemented, see bug #36644


Code:
	VariantInit(&res);
	tzset();
	ttstamp = timestamp;
	tmv = localtime(&ttstamp);
	memset(&systime, 0, sizeof(systime));

---->	systime.wDay = tmv->tm_mday;
	systime.wHour = tmv->tm_hour;
	systime.wMinute = tmv->tm_min;
...

tmv->tm_mday fails and the PHP interpreter crashes.

Test script:
---------------
<?php

$v1=PHP_INT_MAX;
variant_date_from_timestamp($v1);

Expected result:
----------------
No crash

Actual result:
--------------
(239c.2420): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
6229ac1b 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00000000 ebx=16613020 ecx=46a6c679 edx=00000000 esi=16613070 edi=16676070
eip=6229ac1b esp=0915e3e0 ebp=0915e424 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
6229ac1b 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\KERNEL32.DLL - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6229ac1b movzx ecx,word ptr [edx+0ch]

Basic Block:
    6229ac1b movzx ecx,word ptr [edx+0ch]
       Tainted Input operands: 'edx'
    6229ac1f mov word ptr [esp+26h],cx
       Tainted Input operands: 'cx'
    6229ac24 movzx ecx,word ptr [edx+8]
       Tainted Input operands: 'edx'
    6229ac28 mov word ptr [esp+28h],cx
       Tainted Input operands: 'cx'
    6229ac2d movzx ecx,word ptr [edx+4]
       Tainted Input operands: 'edx'
    6229ac31 mov word ptr [esp+2ah],cx
       Tainted Input operands: 'cx'
    6229ac36 movzx eax,word ptr [edx+10h]
       Tainted Input operands: 'edx'
    6229ac3a inc ax
       Tainted Input operands: 'ax'
    6229ac3c mov word ptr [esp+22h],ax
       Tainted Input operands: 'ax'
    6229ac41 movzx eax,word ptr [edx]
       Tainted Input operands: 'edx'
    6229ac44 mov word ptr [esp+2ch],ax
       Tainted Input operands: 'ax'
    6229ac49 mov eax,76ch
    6229ac4e add ax,word ptr [edx+14h]
       Tainted Input operands: 'edx'
    6229ac52 mov word ptr [esp+20h],ax
       Tainted Input operands: 'ax'
    6229ac57 mov eax,7
    6229ac5c mov word ptr [esp+10h],ax
    6229ac61 lea eax,[esp+18h]
    6229ac65 push eax
    6229ac66 lea eax,[esp+24h]
    6229ac6a push eax
    6229ac6b call dword ptr [php_com_dotnet!_imp__systemtimetovarianttime (6229e09c)]
       Tainted Input operands: 'ecx','edx'

Exception Hash (Major/Minor): 0x2576e1cb.0x90cf1b1e

 Hash Usage : Stack Trace:
Major+Minor : php_com_dotnet!zif_variant_date_from_timestamp+0x9b
Major+Minor : php7!execute_ex+0xfb
Major+Minor : php7!zend_execute+0x124
Major+Minor : php7!zend_execute_scripts+0xe7
Major+Minor : php7!php_execute_script+0x369
Minor       : php!do_cli+0x3d3
Minor       : php!main+0x2cb
Minor       : php!__scrt_common_main_seh+0xff
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x253
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x21e
Instruction Address: 0x000000006229ac1b
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.8\ext\com_dotnet\com_variant.c
Source Line: 1012
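The crash above is a NULL dereference: localtime() returns NULL for a value it cannot represent, and the code reads tmv->tm_mday (the load from [edx+0Ch] with edx=0 in the disassembly) without checking. As an added example, not code from php-src or from the fix commit, the following portable C helper shows the two checks the conversion needs: the negative-value check introduced for bug #36644 and the missing NULL check on the localtime() result. systime_t, timestamp_to_systime and timestamp_rc are constructed stand-ins for SYSTEMTIME and the extension's own code.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for the Win32 SYSTEMTIME struct the extension fills
 * in; field order follows the Win32 layout. */
typedef struct {
    unsigned short wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute,
                   wSecond, wMilliseconds;
} systime_t;

/* Hypothetical helper: convert a Unix timestamp into systime_t the way
 * zif_variant_date_from_timestamp does, but report every failure of the
 * conversion as an error code instead of dereferencing a NULL result.
 *   0  success
 *  -1  timestamp is negative (the check added for bug #36644)
 *  -2  timestamp does not fit in time_t on this platform
 *  -3  localtime() could not represent the value and returned NULL */
int timestamp_to_systime(long long timestamp, systime_t *out)
{
    time_t ttstamp;
    struct tm *tmv;

    if (timestamp < 0)
        return -1;

    /* Guard against silent truncation when time_t is narrower than the input. */
    ttstamp = (time_t)timestamp;
    if ((long long)ttstamp != timestamp)
        return -2;

    tzset();
    tmv = localtime(&ttstamp);
    /* The check missing in the crashing code: for values that do not fit in
     * struct tm (PHP_INT_MAX on 64-bit is such a value) localtime() returns
     * NULL, and tmv->tm_mday would be the faulting read. */
    if (tmv == NULL)
        return -3;

    memset(out, 0, sizeof *out);
    out->wYear = (unsigned short)(tmv->tm_year + 1900); /* 0x76c + tm_year */
    out->wMonth = (unsigned short)(tmv->tm_mon + 1);    /* tm_mon is 0-based */
    out->wDayOfWeek = (unsigned short)tmv->tm_wday;
    out->wDay = (unsigned short)tmv->tm_mday;
    out->wHour = (unsigned short)tmv->tm_hour;
    out->wMinute = (unsigned short)tmv->tm_min;
    out->wSecond = (unsigned short)tmv->tm_sec;
    return 0;
}

/* Convenience wrapper returning only the status code. */
int timestamp_rc(long long timestamp)
{
    systime_t st;
    return timestamp_to_systime(timestamp, &st);
}

int main(void)
{
    systime_t st;
    /* Constructed sample inputs: epoch, a negative value, and PHP_INT_MAX on 64-bit. */
    long long inputs[] = { 0, -1, LLONG_MAX };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = timestamp_to_systime(inputs[i], &st);
        if (rc == 0)
            printf("%lld -> %04u-%02u-%02u %02u:%02u:%02u\n", inputs[i],
                   st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond);
        else
            printf("%lld -> rejected (code %d)\n", inputs[i], rc);
    }
    return 0;
}
```

Rejecting the value with an error code leaves the caller to decide what to do (in the extension, a warning and a FALSE return would be the usual pattern), while the crashing code treated every non-negative input as convertible.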


History

 [2016-07-01 16:45 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3455848dfe246fed61ca715cc79254c153f0f3eb
Log: Fixed bug #72498 variant_date_from_timestamp null dereference
 [2016-07-01 16:45 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3455848dfe246fed61ca715cc79254c153f0f3eb
Log: Fixed bug #72498 variant_date_from_timestamp null dereference
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3455848dfe246fed61ca715cc79254c153f0f3eb
Log: Fixed bug #72498 variant_date_from_timestamp null dereference
 [2018-04-01 05:31 UTC] requinix@php.net
-Status: Closed +Status: Re-Opened -PHP Version: 7.0.8 +PHP Version: 7.1 -Assigned To: +Assigned To: ab
 [2018-04-01 05:31 UTC] requinix@php.net
As noted in bug #76173, this is fixed for x64 but not x86. Any reason for that?
 [2018-04-03 15:27 UTC] ab@php.net
-Status: Re-Opened +Status: Closed
 [2018-04-03 15:27 UTC] ab@php.net
Thanks for the catch. Synced for 32-bit in 821f13fd7958caac1e7a605d0df8ad8718fdb699.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC