php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72172 zend_hex_strtod should not use strlen
Submitted: 2016-05-06 19:02 UTC Modified: -
From: bwitz at hotmail dot com Assigned:
Status: Closed Package: *Compile Issues
PHP Version: 5.6.21 OS: Linux
Private report: No CVE-ID: None
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
24 + 16 = ?
Subscribe to this entry?

 
 [2016-05-06 19:02 UTC] bwitz at hotmail dot com
Description:
------------
Purify reports an Invalid pointer read from zend_hex_strtod as a result of performing a strlen on the compile buffer.



 	
IPR: Invalid pointer read (3 times):
  * This is occurring while in thread 8137:
	strlen         [rtlib.o]
	zend_hex_strtod [zend_strtod.c:2593]
	lex_scan       [zend_language_scanner.l:1561]
	zendlex        [zend_compile.c:6911]
	zendparse      [zend_language_parser.c:3767]
	compile_file   [zend_language_scanner.l:586]
	rnt_compile_file [rnt_opcode_cache.c:1118]
	ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER [zend_vm_execute.h:8337]
	execute_ex     [zend_vm_execute.h:363]
	zend_execute   [zend_vm_execute.h:388]
	zend_execute_scripts [zend.c:1341]
	php_execute_script [main.c:2610]
	main           [cgi_main.c:2720]
	__libc_start_main [libc.so.6]
	_start         [crt1.o]
  * Reading 189460 bytes from 0xec44b66b between the heap and the stack (1 byte at 0xec479a7e illegal)

Expected result:
----------------
Purify would not identify compilation of a php script as hitting an Invalid pointer read (IPR).  In addition the strlen is quite inefficient since the compile buffer can be quite large.  In this specific case, 189,460 bytes were read to determine that

if (strlen(str) < 2)

is false.


Patches

zend_strtod.patch (last revision 2016-05-06 19:02 UTC by bwitz at hotmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-07 06:55 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c7f608071110a8e90e4ae04d3b4d970a70f8c7d
Log: Fixed bug #72172 (zend_hex_strtod should not use strlen)
 [2016-05-07 06:55 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC