php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79015 undefined-behavior in php_date.c
Submitted: 2019-12-22 00:35 UTC Modified: 2020-01-03 13:35 UTC
From: reza at iseclab dot org Assigned: cmb (profile)
Status: Closed Package: Date/time related
PHP Version: 7.3.13 OS: Ubuntu 16.04
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: reza at iseclab dot org
New email:
PHP Version: OS:

 

 [2019-12-22 00:35 UTC] reza at iseclab dot org
Description:
------------
While I was fuzzing with LibFuzzer, I got this UB. The source code is instrumented with UBSanitizer.

This is the version of PHP:
---

php --version
PHP 8.0.0-dev (cli) (built: Dec 19 2019 13:24:08) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.0-dev, Copyright (c) Zend Technologies
---

Here is the Poc file that triggers the UB.

O:12:"DateInterval":1:1s:1:"f";i:9999999999990;



Test script:
---------------
php -r 'unserialize(file_get_contents("php://stdin"));' < PoC

Actual result:
--------------
Notice: unserialize(): Error at offset 47 of 48 bytes in Command line code on line 1
php-src-master/ext/date/php_date.c:4026:26: runtime error: 1e+19 is outside the range of representable values of type 'long long'
    #0 0x5be918 in php_date_interval_initialize_from_hash (php-src-master/sapi/cli/php+0x5be918)
    #1 0x5c54ef in zim_DateInterval___wakeup (php-src-master/sapi/cli/php+0x5c54ef)
    #2 0x2848646 in zend_call_function (php-src-master/sapi/cli/php+0x2848646)
    #3 0x283d21e in _call_user_function_ex (php-src-master/sapi/cli/php+0x283d21e)
    #4 0x216ccc3 in var_destroy (php-src-master/sapi/cli/php+0x216ccc3)
    #5 0x216b270 in php_var_unserialize_destroy (php-src-master/sapi/cli/php+0x216b270)
    #6 0x207ec9e in zif_unserialize (php-src-master/sapi/cli/php+0x207ec9e)
    #7 0x37ca76a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (php-src-master/sapi/cli/php+0x37ca76a)
    #8 0x2ee704a in execute_ex (php-src-master/sapi/cli/php+0x2ee704a)
    #9 0x2eea2d3 in zend_execute (php-src-master/sapi/cli/php+0x2eea2d3)
    #10 0x285545b in zend_eval_stringl (php-src-master/sapi/cli/php+0x285545b)
    #11 0x2856ce0 in zend_eval_stringl_ex (php-src-master/sapi/cli/php+0x2856ce0)
    #12 0x2856ec3 in zend_eval_string_ex (php-src-master/sapi/cli/php+0x2856ec3)
    #13 0x3aee302 in do_cli (php-src-master/sapi/cli/php+0x3aee302)
    #14 0x3ae9270 in main (php-src-master/sapi/cli/php+0x3ae9270)
    #15 0x7ffff640082f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x43f608 in _start (php-src-master/sapi/cli/php+0x43f608)


SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior php-src-master/ext/date/php_date.c:4026:26 in 

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-23 10:40 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: *General Issues +Package: Date/time related -PHP Version: 7.4Git-2019-12-22 (Git) +PHP Version: 7.3.13
 [2019-12-23 10:40 UTC] cmb@php.net
Indeed, a check for the valid range should be done before
assigning the double to a signed integer[1].

[1] <https://github.com/php/php-src/blob/php-7.3.13/ext/date/php_date.c#L4395>
 [2019-12-23 13:06 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79015: undefined-behavior in php_date.c
On GitHub:  https://github.com/php/php-src/pull/5031
Patch:      https://github.com/php/php-src/pull/5031.patch
 [2020-01-03 13:34 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b48f2625b57f70eea858033e623e6bf13b595e3b
Log: Fix #79015: undefined-behavior in php_date.c
 [2020-01-03 13:34 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-01-03 13:35 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 02:01:28 2024 UTC