PHP :: Bug #77736 :: Heap corruption in timelib_get_time_zone

Bug #77736	Heap corruption in timelib_get_time_zone_info
Submitted:	2019-03-13 15:14 UTC	Modified:	2019-03-13 15:21 UTC
From:	bugs-syssec at rub dot de	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	7.3.3	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bugs-syssec at rub dot de
New email:
PHP Version:		OS:

New Comment:

[2019-03-13 15:14 UTC] bugs-syssec at rub dot de

Description:
------------
$ ./php --version
PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies

Test script:
---------------
<?php

$a = strtotime(A);
spl_autoload($a);
gc_mem_caches();

Expected result:
----------------
No crash.

Actual result:
--------------
==12279== Memcheck, a memory error detector
==12279== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12279== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==12279== Command: ./php-plain heap_corrption-1-timelib_get_time_zone_info.php
==12279== 
==12279== Invalid read of size 8
==12279==    at 0x37266D: zend_mm_alloc_small (zend_alloc.c:1287)
==12279==    by 0x37266D: zend_mm_alloc_heap (zend_alloc.c:1358)
==12279==    by 0x37266D: _emalloc (zend_alloc.c:2498)
==12279==    by 0x37358A: _ecalloc (zend_alloc.c:2579)
==12279==    by 0x210D52: timelib_get_time_zone_info (parse_tz.c:633)
==12279==    by 0x2124A7: do_adjust_timezone (tm2unixtime.c:463)
==12279==    by 0x2124A7: timelib_update_ts (tm2unixtime.c:511)
==12279==    by 0x1ED8B3: zif_strtotime (php_date.c:1529)
==12279==    by 0x41F3C7: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:645)
==12279==    by 0x41F3C7: execute_ex (zend_vm_execute.h:55414)
==12279==    by 0x42352F: zend_execute (zend_vm_execute.h:60834)
==12279==    by 0x3972F6: zend_execute_scripts (zend.c:1568)
==12279==    by 0x336457: php_execute_script (main.c:2630)
==12279==    by 0x42597D: do_cli (php_cli.c:997)
==12279==    by 0x1E49B1: main (php_cli.c:1389)
==12279==  Address 0x64014200000 is not stack'd, malloc'd or (recently) free'd
==12279== 
==12279== 
==12279== Process terminating with default action of signal 11 (SIGSEGV)
==12279==  Access not within mapped region at address 0x64014200000
==12279==    at 0x37266D: zend_mm_alloc_small (zend_alloc.c:1287)
==12279==    by 0x37266D: zend_mm_alloc_heap (zend_alloc.c:1358)
==12279==    by 0x37266D: _emalloc (zend_alloc.c:2498)
==12279==    by 0x37358A: _ecalloc (zend_alloc.c:2579)
==12279==    by 0x210D52: timelib_get_time_zone_info (parse_tz.c:633)
==12279==    by 0x2124A7: do_adjust_timezone (tm2unixtime.c:463)
==12279==    by 0x2124A7: timelib_update_ts (tm2unixtime.c:511)
==12279==    by 0x1ED8B3: zif_strtotime (php_date.c:1529)
==12279==    by 0x41F3C7: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:645)
==12279==    by 0x41F3C7: execute_ex (zend_vm_execute.h:55414)
==12279==    by 0x42352F: zend_execute (zend_vm_execute.h:60834)
==12279==    by 0x3972F6: zend_execute_scripts (zend.c:1568)
==12279==    by 0x336457: php_execute_script (main.c:2630)
==12279==    by 0x42597D: do_cli (php_cli.c:997)
==12279==    by 0x1E49B1: main (php_cli.c:1389)
==12279==  If you believe this happened as a result of a stack
==12279==  overflow in your program's main thread (unlikely but
==12279==  possible), you can try to increase the size of the
==12279==  main thread stack using the --main-stacksize= flag.
==12279==  The main thread stack size used in this run was 8388608.
==12279== 
==12279== HEAP SUMMARY:
==12279==     in use at exit: 922,587 bytes in 6,198 blocks
==12279==   total heap usage: 6,622 allocs, 424 frees, 1,125,885 bytes allocated
==12279== 
==12279== LEAK SUMMARY:
==12279==    definitely lost: 0 bytes in 0 blocks
==12279==    indirectly lost: 0 bytes in 0 blocks
==12279==      possibly lost: 692,520 bytes in 5,249 blocks
==12279==    still reachable: 230,067 bytes in 949 blocks
==12279==         suppressed: 0 bytes in 0 blocks
==12279== Rerun with --leak-check=full to see details of leaked memory
==12279== 
==12279== For counts of detected and suppressed errors, rerun with: -v
==12279== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-03-13 15:17 UTC] bugs-syssec at rub dot de

Test Script:

<?php

spl_autoload_call(True . a);
strtotime(NULL);

[2019-03-13 15:21 UTC] nikic@php.net

-Status: Open +Status: Not a bug

[2019-03-13 15:21 UTC] nikic@php.net

> PHP 7.3.0 (cli) (built: Jan 17 2019 14:04:29) ( NTS )

Please try a more recent release. The current one is PHP 7.3.3. This issue has already been fixed.

[2019-03-13 16:14 UTC] nikic@php.net

Related To: Bug #77737

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Dec 22 02:01:28 2024 UTC