Patches: fix-timelib (last revision 2014-05-12 04:09 UTC by stas@php.net)
             [2014-05-12 04:09 UTC] stas@php.net
  [2014-05-14 00:16 UTC] stas@php.net
 
-Status:      Open
+Status:      Closed
-Type:        Security
+Type:        Bug
-Assigned To:
+Assigned To: stas
  [2014-05-14 00:16 UTC] stas@php.net
  [2014-05-14 07:57 UTC] tyrael@php.net
  [2014-05-18 17:18 UTC] dmitry@php.net
  [2014-05-26 06:32 UTC] ab@php.net
  [2014-05-26 06:50 UTC] ab@php.net
  [2014-07-29 21:56 UTC] johannes@php.net
  [2014-08-14 15:34 UTC] johannes@php.net
  [2014-08-14 19:32 UTC] dmitry@php.net
  [2014-10-07 23:14 UTC] stas@php.net
  [2014-10-07 23:15 UTC] stas@php.net
  [2014-10-07 23:25 UTC] stas@php.net
  [2014-10-07 23:26 UTC] stas@php.net
Description:
------------
timelib_meridian_with_check does not check for string end and thus can read past the end of the string.

Test script:
---------------
date_parse_from_format("aHa0", "0=G{$z}9UCNnF");

Expected result:
----------------
no memory errors

Actual result:
--------------
==8881== Invalid read of size 1
==8881==    at 0x44FEEB: timelib_meridian_with_check (parse_date.re:413)
==8881==    by 0x47DC2D: timelib_parse_from_format (parse_date.re:1984)
==8881==    by 0x4489AC: zif_date_parse_from_format (php_date.c:3014)
==8881==    by 0x90C3A2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)
==8881==  Address 0x15ffb06a is 0 bytes after a block of size 10 alloc'd
==8881==    at 0x4C2710F: realloc (vg_replace_malloc.c:525)
==8881==    by 0x8820A4: add_string_to_string (zend_operators.c:1280)
==8881==    by 0x8E61BA: ZEND_ADD_STRING_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:8921)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)
==8881== Invalid read of size 1
==8881==    at 0x44FD2E: add_pbf_error (parse_date.re:371)
==8881==    by 0x47E38A: timelib_parse_from_format (parse_date.re:2154)
==8881==    by 0x4489AC: zif_date_parse_from_format (php_date.c:3014)
==8881==    by 0x90C3A2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)
==8881==  Address 0x15ffb06a is 0 bytes after a block of size 10 alloc'd
==8881==    at 0x4C2710F: realloc (vg_replace_malloc.c:525)
==8881==    by 0x8820A4: add_string_to_string (zend_operators.c:1280)
==8881==    by 0x8E61BA: ZEND_ADD_STRING_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:8921)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)
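
The bug class the report describes (a parse cursor advanced without an end-of-string test), shown beside a checked form. This is an added illustration, not timelib's source and not part of the original report; the function names, the simplified am/pm grammar and the `MERIDIAN_UNSET` sentinel are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MERIDIAN_UNSET (-99999L) /* constructed sentinel for "no marker found" */

/* Unchecked: nothing tests for end of string before the cursor moves.
 * strchr() also matches the terminating NUL, so the skip loop stops there
 * and the following ++ steps past the end of the string. */
static long meridian_unchecked(const char **ptr, long hour)
{
    long adjust = 0;
    while (!strchr("AaPp", **ptr)) ++*ptr;
    if (**ptr == 'a' || **ptr == 'A') adjust = (hour == 12) ? -12 : 0;
    else if (hour != 12) adjust = 12;      /* NUL is treated like 'p' */
    ++*ptr;                                /* may step over the terminator */
    if (**ptr == 'm' || **ptr == 'M') ++*ptr;
    return adjust;
}

/* Checked: the loop stops at the NUL and a missing marker is reported
 * to the caller instead of being consumed. */
static long meridian_checked(const char **ptr, long hour)
{
    long adjust = 0;
    while (**ptr && !strchr("AaPp", **ptr)) ++*ptr;
    if (!**ptr) return MERIDIAN_UNSET;     /* cursor stays on the NUL */
    if (**ptr == 'a' || **ptr == 'A') adjust = (hour == 12) ? -12 : 0;
    else if (hour != 12) adjust = 12;
    ++*ptr;
    if (**ptr == 'm' || **ptr == 'M') ++*ptr;
    return adjust;
}

/* How far past strlen(buf) the cursor ends. buf needs slack bytes after its
 * NUL so that the unchecked variant stays inside the array while measured. */
static long overshoot(long (*fn)(const char **, long), const char *buf, long hour)
{
    const char *cur = buf;
    fn(&cur, hour);
    return (long)(cur - buf) - (long)strlen(buf);
}

int main(void)
{
    char padded[8] = "0";  /* constructed input: "0" followed by zero padding */
    printf("unchecked overshoot: %ld\n", overshoot(meridian_unchecked, padded, 9));
    printf("checked overshoot:   %ld\n", overshoot(meridian_checked, padded, 9));
    return 0;
}
```

On a tightly sized heap buffer the one-byte overshoot is what a memory checker reports as a read just after the allocated block; the padded array here only makes the cursor position measurable without triggering it.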