Bug #36243 Weak type checking on stream_select() allows stack corruption (php5)
Submitted: 2006-02-01 10:54 UTC Modified: 2006-02-01 11:28 UTC
From: cyberleo at cyberleo dot net Assigned:
Status: Not a bug Package: Streams related
PHP Version: 5CVS-2006-02-01 (snap) OS: FreeBSD 4.10-REL
Private report: No CVE-ID: None
 [2006-02-01 10:54 UTC] cyberleo at cyberleo dot net
Description:
------------
This bug is similar to http://bugs.php.net/36242; however, the symptoms are different.

Weak type checking on stream_select() allows stack corruption.
Passing a value that is not an integer to stream_select()'s fourth parameter, tv_sec, appears to overwrite stack data.
This results in strange, but consistent, modification of parameters passed to later functions. The corruption does not appear to be cumulative. This can occur if a script uses math functions to compute a delay that evaluates to a float, and typecasting is not done, or if someone uses a string representation of an integer instead (e.g. "86400" instead of 86400).

Build options: --disable-cgi
Run from build directory: sapi/cli/php
No php.ini

Reproduce code:
---------------
<?php
$fp = fopen("/dev/zero", "r"); // Always-readable stream (returns NUL bytes)
while (TRUE) {
    echo "Start of loop here.\n";
    $reads = Array($fp);
    $delay = 3.7; // <- Anything but an integer.
    $null = NULL;
    printf("Waiting for data or %d seconds...\n", $delay);
    // Fourth parameter (tv_sec) deliberately receives a float.
    $result = stream_select($reads, $null, $null, $delay);
    if ($result) {
        foreach ($reads as $stream) {
            $data = fread($stream, 1);
            printf("Read %d byte(s).\n", strlen($data));
        }
    }
}

Expected result:
----------------
An endless loop reading single ASCII 0 bytes from /dev/zero until
interrupted.
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
...etc...
----

Actual result:
--------------
Endless loop of reading 17 bytes. (My test run)
----
Start of loop here.
Waiting for data or 3 seconds...
Read 17 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 17 byte(s).
----
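As an added example that is not part of the bug report or of PHP itself: a small wrapper that normalises a computed delay into integer tv_sec and tv_usec values before calling stream_select(), so a float such as 3.7 or a numeric string such as "86400" never reaches the integer parameter unconverted. The function names split_timeout and safe_stream_select are hypothetical.

```php
<?php
// Added example (not from the bug report): split any numeric delay into whole
// seconds plus microseconds, rejecting values that are not numeric, so that
// stream_select() only ever receives integers for tv_sec and tv_usec.
function split_timeout($delay): array {
    if (!is_numeric($delay)) {
        throw new InvalidArgumentException(
            "timeout must be numeric, got " . gettype($delay));
    }
    $seconds = (float) $delay;            // handles 3.7 as well as "86400"
    if ($seconds < 0) {
        throw new InvalidArgumentException("timeout must not be negative");
    }
    $tv_sec  = (int) floor($seconds);
    $tv_usec = (int) round(($seconds - $tv_sec) * 1000000);
    if ($tv_usec >= 1000000) {            // rounding may carry into a full second
        $tv_sec  += 1;
        $tv_usec -= 1000000;
    }
    return [$tv_sec, $tv_usec];
}

// Hypothetical wrapper: same signature as stream_select(), but the delay may be
// a float or numeric string and is converted before the call.
function safe_stream_select(array &$read, ?array &$write, ?array &$except, $delay) {
    [$tv_sec, $tv_usec] = split_timeout($delay);
    return stream_select($read, $write, $except, $tv_sec, $tv_usec);
}

// Demonstration with the two values mentioned in the report.
var_dump(split_timeout(3.7));
var_dump(split_timeout("86400"));

$fp    = fopen("/dev/zero", "r");       // always readable, as in the report
$reads = [$fp];
$null  = null;
if (safe_stream_select($reads, $null, $null, 3.7)) {
    printf("Read %d byte(s).\n", strlen(fread($reads[0], 1)));
}
```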


 [2006-02-01 11:17 UTC] tony2001@php.net
No need to report it twice.
Dup of bug #36242.
 [2006-02-01 11:28 UTC] cyberleo at cyberleo dot net
I wasn't sure, because the two versions behave so differently, and the PHP version selector only allows for one.
Thanks.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC