[2006-02-01 11:32 UTC] tony2001@php.net
[2006-02-01 14:03 UTC] cyberleo at cyberleo dot net
Description:
------------
Weak type checking on stream_select() allows stack corruption.

Passing a value that is not an integer to stream_select()'s fourth parameter, tv_sec, appears to overwrite stack data, eventually resulting in a program crash, corruption of function parameters or corruption of function frame and return pointer.

This can occur if a script uses math functions to compute a delay that evaluates to a float, and typecasting is not done, or if someone uses a string representation of an integer instead (e.g. "86400" instead of 86400).

This bug was originally found on PHP-4.3.10, verified on 4.4.2 and the latest php4 snapshot. It took a while to track down what was causing the weird crashes.

Build options: --disable-cgi
Run from build directory: sapi/cli/php
No php.ini

Reproduce code:
---------------
<?php
$fp = fopen("/dev/zero","r"); // Random stream
while(TRUE){
    echo "Start of loop here.\n";
    $reads = Array($fp);
    $delay = 3.7; // <- Anything but an integer.
    $null = NULL;
    printf("Waiting for data or %d seconds...\n",$delay);
    $result = stream_select($reads, $null, $null, $delay);
    if($result){
        foreach($reads as $stream){
            $data = fread($stream, 1);
            printf("Read %d byte(s).\n", strlen($data));
        }
    }
}

Expected result:
----------------
An endless loop reading single ASCII 0 bytes from /dev/zero until interrupted.
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
...etc...
----

Actual result:
--------------
The code seems to run fine for a few iterations, but eventually starts showing various errors or passing incorrect parameters to functions:
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Warning: fread(): supplied argument is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 12
Read 0 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Warning: fread(): supplied argument is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 12
Read 0 byte(s).
Start of loop here.
Warning: stream_select(): 4 is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 9
Warning: stream_select(): 4 is not a valid stream resource in /usr/home/cyberleo/logs/working/crashtest.php on line 9
(Program hangs at this point, no looping)
----
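A userland guard for the condition the report describes, added here as an example (not code from the report or from the PHP project): it normalizes a delay that arrives as a float or numeric string into integer tv_sec and tv_usec values before stream_select() is called. The helper names normalize_select_timeout() and checked_stream_select() are hypothetical, the sample delays are constructed, and the code avoids type declarations and exceptions so it can run on the PHP 4 versions named in the report.

```php
<?php
// Hypothetical helper (added example, not from the report): turn a delay given as
// int, float or numeric string into the integer (sec, usec) pair; false if unusable.
function normalize_select_timeout($delay)
{
    if (is_string($delay)) {
        $delay = trim($delay);
    }
    if (!is_numeric($delay)) {
        return false;                       // "soon", arrays, NULL, ...
    }
    $delay = (float) $delay;
    if (!is_finite($delay) || $delay < 0 || $delay >= 2147483647) {
        return false;                       // NaN, INF, negative, too large
    }
    $sec  = (int) floor($delay);
    $usec = (int) round(($delay - $sec) * 1000000);
    if ($usec >= 1000000) {                 // rounding carried into next second
        $sec++;
        $usec = 0;
    }
    return array($sec, $usec);
}

// Call stream_select() only with integers for tv_sec and tv_usec.
function checked_stream_select(&$read, &$write, &$except, $delay)
{
    $tv = normalize_select_timeout($delay);
    if ($tv === false) {
        trigger_error('checked_stream_select(): invalid timeout', E_USER_WARNING);
        return false;
    }
    return stream_select($read, $write, $except, $tv[0], $tv[1]);
}

// Constructed sample delays: the report's float and string cases plus bad input.
foreach (array(3.7, "86400", 60 * 1.5, "soon", -1) as $delay) {
    $tv = normalize_select_timeout($delay);
    echo var_export($delay, true), ' => ',
         ($tv === false ? 'rejected' : "sec={$tv[0]} usec={$tv[1]}"), "\n";
}

$fp = fopen("/dev/zero", "r");              // same stream as the report
if ($fp) {
    $reads = array($fp);
    $null  = NULL;
    $ready = checked_stream_select($reads, $null, $null, 3.7);
    printf("checked_stream_select() returned %d\n", $ready);
}
```

Unlike a bare (int) cast, the split keeps the fractional part of a computed delay as microseconds instead of silently truncating it.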