Bug #76173 variant_date_from_timestamp crash
Submitted: 2018-04-01 00:45 UTC Modified: 2018-04-01 05:31 UTC
From: fernando at null-life dot com Assigned:
Status: Duplicate Package: COM related
PHP Version: 7.2.4 OS: Windows
Private report: No CVE-ID: None
 [2018-04-01 00:45 UTC] fernando at null-life dot com
Description:
------------
Passing 2147483647 as the timestamp causes a crash on the highlighted line.


PHP_FUNCTION(variant_date_from_timestamp)
{
....
	memset(&systime, 0, sizeof(systime));

	systime.wDay = tmv->tm_mday; <--------------------
	systime.wHour = tmv->tm_hour;
	systime.wMinute = tmv->tm_min;

This was tested on Windows 10 x64 using the package php-7.2.4-nts-Win32-VC15-x86.zip

This was supposed to be fixed according to https://bugs.php.net/bug.php?id=72498 


Test script:
---------------
<?php

$var1 = 2147483647;
variant_date_from_timestamp($var1);


Expected result:
----------------
No crash

Actual result:
--------------
(3200.1168): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
577fafbb 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00000000 ebx=1bc1a080 ecx=b7ddb89d edx=00000000 esi=06dfc85c edi=1bc7d070
eip=577fafbb esp=06dfc7f0 ebp=06dfc838 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
577fafbb 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:577fafbb movzx ecx,word ptr [edx+0ch]

Basic Block:
    577fafbb movzx ecx,word ptr [edx+0ch]
       Tainted Input operands: 'edx'
    577fafbf mov word ptr [esp+26h],cx
       Tainted Input operands: 'cx'
    577fafc4 movzx ecx,word ptr [edx+8]
       Tainted Input operands: 'edx'
    577fafc8 mov word ptr [esp+28h],cx
       Tainted Input operands: 'cx'
    577fafcd movzx ecx,word ptr [edx+4]
       Tainted Input operands: 'edx'
    577fafd1 mov word ptr [esp+2ah],cx
       Tainted Input operands: 'cx'
    577fafd6 movzx eax,word ptr [edx+10h]
       Tainted Input operands: 'edx'
    577fafda inc ax
       Tainted Input operands: 'ax'
    577fafdc mov word ptr [esp+22h],ax
       Tainted Input operands: 'ax'
    577fafe1 movzx eax,word ptr [edx]
       Tainted Input operands: 'edx'
    577fafe4 mov word ptr [esp+2ch],ax
       Tainted Input operands: 'ax'
    577fafe9 mov eax,76ch
    577fafee add ax,word ptr [edx+14h]
       Tainted Input operands: 'edx'
    577faff2 mov word ptr [esp+20h],ax
       Tainted Input operands: 'ax'
    577faff7 mov eax,7
    577faffc mov word ptr [esp+10h],ax
    577fb001 lea eax,[esp+18h]
    577fb005 push eax
    577fb006 lea eax,[esp+24h]
    577fb00a push eax
    577fb00b call dword ptr [php_com_dotnet!_imp__systemtimetovarianttime (577fe0a0)]
       Tainted Input operands: 'ecx','edx'

Exception Hash (Major/Minor): 0xb00c46e1.0x85d22159

 Hash Usage : Stack Trace:
Major+Minor : php_com_dotnet!zif_variant_date_from_timestamp+0x9b
Major+Minor : php7!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER+0x4b
Major+Minor : php7!execute_ex+0x57
Major+Minor : php7!zend_execute+0xf9
Major+Minor : php7!zend_execute_scripts+0x94
Minor       : php7!php_execute_script+0x283
Minor       : php!do_cli+0x8f4
Minor       : php!main+0x502
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_76f20000!__RtlUserThreadStart+0x2f
Minor       : ntdll_76f20000!_RtlUserThreadStart+0x1b
Instruction Address: 0x00000000577fafbb
Source File: c:\php-snap-build\php72\vc15\x86\php-7.2.4\ext\com_dotnet\com_variant.c
Source Line: 1024
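Added example (not PHP's own code and not the fix for this bug): the unchecked pattern the report highlights, next to a version that checks the conversion result before copying fields. In the trace above, edx=0 and a faulting address of 0xc are consistent with reading tm_mday (offset 12 in struct tm) through a NULL struct tm pointer, which is what the checked version refuses to do. The example assumes a portable stand-in for the Win32 SYSTEMTIME struct and uses gmtime_r in place of the Windows CRT localtime() so it builds and runs on Linux; both inputs in main() are constructed, the first being the value from the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for the Win32 SYSTEMTIME struct (assumed: only the fields the
 * extension fills) so the example builds on any platform. */
typedef struct {
    uint16_t wYear, wMonth, wDay, wHour, wMinute, wSecond;
} systemtime_t;

/* The pattern from the report: the pointer returned by the time conversion is
 * used without a NULL check. gmtime_r stands in for the CRT localtime(); both
 * return NULL when the input cannot be represented. Kept only for comparison
 * and must not be called with an input the conversion rejects. */
static void unchecked_fill(time_t ts, systemtime_t *out)
{
    struct tm tmbuf;
    struct tm *tmv = gmtime_r(&ts, &tmbuf);   /* may be NULL */

    memset(out, 0, sizeof(*out));
    out->wDay    = (uint16_t)tmv->tm_mday;    /* NULL dereference if tmv == NULL */
    out->wHour   = (uint16_t)tmv->tm_hour;
    out->wMinute = (uint16_t)tmv->tm_min;
    out->wSecond = (uint16_t)tmv->tm_sec;
    out->wMonth  = (uint16_t)(tmv->tm_mon + 1);
    out->wYear   = (uint16_t)(tmv->tm_year + 1900);
}

/* Checked version: fail closed instead of reading through NULL. Returns 0 on
 * success and -1 if the conversion is rejected or the year would not fit the
 * 16-bit field (errno is left as set by gmtime_r, or set to EOVERFLOW here). */
static int checked_fill(time_t ts, systemtime_t *out)
{
    struct tm tmbuf;
    struct tm *tmv;
    int year;

    memset(out, 0, sizeof(*out));
    tmv = gmtime_r(&ts, &tmbuf);
    if (tmv == NULL)
        return -1;

    year = tmv->tm_year + 1900;
    if (year < 0 || year > UINT16_MAX) {      /* would silently truncate in a 16-bit WORD */
        errno = EOVERFLOW;
        return -1;
    }
    out->wDay    = (uint16_t)tmv->tm_mday;
    out->wHour   = (uint16_t)tmv->tm_hour;
    out->wMinute = (uint16_t)tmv->tm_min;
    out->wSecond = (uint16_t)tmv->tm_sec;
    out->wMonth  = (uint16_t)(tmv->tm_mon + 1);
    out->wYear   = (uint16_t)year;
    return 0;
}

int main(void)
{
    systemtime_t st;
    /* Constructed inputs: the value from the report, and one that glibc's
     * gmtime_r refuses (64-bit time_t) because the year does not fit in an int. */
    time_t inputs[2] = { (time_t)INT32_MAX, (time_t)((int64_t)1 << 62) };

    for (size_t i = 0; i < 2; i++) {
        if (checked_fill(inputs[i], &st) == 0)
            printf("%lld -> %04" PRIu16 "-%02" PRIu16 "-%02" PRIu16
                   " %02" PRIu16 ":%02" PRIu16 ":%02" PRIu16 "\n",
                   (long long)inputs[i], st.wYear, st.wMonth, st.wDay,
                   st.wHour, st.wMinute, st.wSecond);
        else
            printf("%lld -> rejected (%s)\n", (long long)inputs[i], strerror(errno));
    }
    return 0;
}
```

The second input is rejected by the library rather than by the field-range check; the range check exists because the extension adds 1900 into a 16-bit WORD (visible in the basic block above), so a caller-controlled year that survives the conversion would otherwise wrap silently.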



 [2018-04-01 05:31 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2018-04-01 05:31 UTC] requinix@php.net
As you can see from the commit, the fix was only for x64. I don't know why.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 16:01:29 2024 UTC