Bug #39791 PHP crashes when sending a specific string to strtotime
Submitted: 2006-12-11 02:14 UTC Modified: 2006-12-11 14:07 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: closer9 at gmail dot com Assigned:
Status: Closed Package: Date/time related
PHP Version: 5.2.0 OS: Linux version 2.6.15-23-server
Private report: No CVE-ID:
 [2006-12-11 02:14 UTC] closer9 at gmail dot com
Description:
------------
Sending the following string to strtotime results in PHP crashing.

PHPinfo: http://www.neg9.com/info.php


Reproduce code:
---------------
<?php
$str = "999999999999999999999999999999999999999999 days ago";

// Taken from the PHP manual
if (($timestamp = strtotime($str)) === false) {
    echo "The string ($str) is bogus";
} else {
    echo "$str == " . date('l dS of F Y h:i:s A', $timestamp);
}

Expected result:
----------------
The string (999999999999999999999999999999999999999999 days ago) is bogus

Actual result:
--------------
PHP crash.

Error from apache log:
[notice] child pid 10088 exit signal Segmentation fault (11)

 [2006-12-11 04:03 UTC] judas dot iscariote at novell dot com
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47277335538544 (LWP 9489)]
0x000000000046fa28 in timelib_set_relative (ptr=0x7fff0ec80dc8, amount=9223372036854775807, behavior=0, s=0x7fff0ec80e80)
    at ext/date/lib/parse_date.re:594
594             switch (relunit->unit) {
(gdb) bt full
#0  0x000000000046fa28 in timelib_set_relative (ptr=0x7fff0ec80dc8, amount=9223372036854775807, behavior=0, s=0x7fff0ec80e80)
    at ext/date/lib/parse_date.re:594
        relunit = (const timelib_relunit *) 0x0
#1  0x0000000000471fb8 in scan (s=0x7fff0ec80e80) at ext/date/lib/parse_date.re:1485
        i = 9223372036854775807
        yych = 32 ' '
        yyaccept = 15
        cursor = (uchar *) 0xb9e31f " ago"
        str = 0xb9dcf0 '9' <repeats 42 times>, " days"
        ptr = 0xb9dd1a " days"
        yybm = "\000\000\000\000\000\000\000\000\000�, '\0' <repeats 22 times>, "�, '\0' <repeats 11 times>, "\200@�000\b\b\b\b\b\b\b\b\b\b", '\0' <repeats 39 times>, "                    ", '\0' <repeats 132 times>
#2  0x0000000000490536 in timelib_strtotime (s=0x2aff9bf04db0 '9' <repeats 42 times>, " days ago", len=51, errors=0x7fff0ec80f68,
    tzdb=0x7fdf40) at ext/date/lib/parse_date.re:1568
        in = {fd = 0, lim = 0xb9e340 "", str = 0xb9e2f0 '9' <repeats 42 times>, " days ago",
  ptr = 0xb9e2f4 '9' <repeats 38 times>, " days ago", cur = 0xb9e31f " ago", tok = 0xb9e2f0 '9' <repeats 42 times>, " days ago", pos = 0x0,
  line = 0, len = 0, errors = 0xb9e2a0, time = 0xb9e350, tzdb = 0x7fdf40}
        t = 0
        e = 0x2aff9bf04de3 ""
#3  0x0000000000468ca0 in zif_strtotime (ht=1, return_value=0x2aff9bf01e00, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
    tsrm_ls=0x9f3030) at /home/cristian/php5/ext/date/php_date.c:1101
        times = 0x2aff9bf04db0 '9' <repeats 42 times>, " days ago"
        initial_ts = 0x19bf02f50 <Address 0x19bf02f50 out of bounds>
        time_len = 51
        error1 = 32767
        error2 = 0
        error = (struct timelib_error_container *) 0x9f3030
        preset_ts = 4542959536
        ts = 11975616
        t = (timelib_time *) 0xb69bf02f10
        now = (timelib_time *) 0xb9e1c0
        tzi = (timelib_tzinfo *) 0xb9dd30
#4  0x0000000000743ae2 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff0ec81260, tsrm_ls=0x9f3030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:200
        return_reference = 0 '\0'
        opline = (zend_op *) 0x2aff9bf02ff8
        original_return_value = (zval **) 0xb6bba0
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        return_value_used = 1
        should_change_scope = 0 '\0'
        ctor_opline = (zend_op *) 0xa0ec81260
#5  0x000000000074b16b in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fff0ec81260, tsrm_ls=0x9f3030)
    at /home/cristian/php5/Zend/zend_vm_execute.h:1681
        opline = (zend_op *) 0x2aff9bf02ff8
        fname = (zval *) 0x2aff9bf03028
#6  0x0000000000743475 in execute (op_array=0x2aff9bf02b90, tsrm_ls=0x9f3030) at /home/cristian/php5/Zend/zend_vm_execute.h:92
        execute_data = {opline = 0x2aff9bf02ff8, function_state = {function_symbol_table = 0x0, function = 0xb6bbc0, reserved = {
      0x2aff9bf02cc8, 0x7fff0ec83920, 0x9f3030, 0x7fff0ec812d0}}, fbc = 0x0, op_array = 0x2aff9bf02b90, object = 0x0, Ts = 0x7fff0ec810f0,
  CVs = 0x7fff0ec810d0, original_in_execution = 0 '\0', symbol_table = 0x9f7448, prev_execute_data = 0x0, old_error_reporting = 0x0}
#7  0x0000000000716e3d in zend_execute_scripts (type=8, tsrm_ls=0x9f3030, retval=0x0, file_count=3) at /home/cristian/php5/Zend/zend.c:1100
        files = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fff0ec81530, reg_save_area = 0x7fff0ec81460}}
        i = 1
        file_handle = (zend_file_handle *) 0x7fff0ec83920
        orig_op_array = (zend_op_array *) 0x0
        orig_retval_ptr_ptr = (zval **) 0x0
        local_retval = (zval *) 0x0
#8  0x00000000006a19f6 in php_execute_script (primary_file=0x7fff0ec83920, tsrm_ls=0x9f3030) at /home/cristian/php5/main/main.c:1781
        realfile = "/home/cristian/php5/strtotime_mess.php\000_text\000\000\000\000\006\000\000\177\000\000�q\000\000\000\000\000strip_tags\000\000\000\000\000\000\006\000\000\177\000\000�q\000\000\000\000\000ltrim\000\000\000hX\206\000\000\000\000\000�031�234*\000\000�031�234*\000\000\000\000\000\000\000\000\000\000 \003\000\000\000\000\000\020\001\000\000\000\000\000\000\200\031�234*\000\000�031�234*\000\000@\000\000\000\000\000\000\000\020\002\000\000\000\000\000\000m\230i\000\000\000\000\000(�016\177\000\000"...
        __orig_bailout = (jmp_buf *) 0x7fff0ec837d0
        __bailout = {{__jmpbuf = {47277321481216, -69012199529127418, 0, 140733441391488, 0, 0, -69012199529136010, -69051279480470703},
    __mask_was_saved = 0, __saved_mask = {__val = {8804456, 47277333267400, 47277321481216, 140733441386080, 47277320389954, 8018920, 0,
        11669200, 10471344, 47277335512960, 32768, 47277335512960, 47277333621936, 47277321481216, 8018944, 0}}}}
        prepend_file_p = (zend_file_handle *) 0x0
        append_file_p = (zend_file_handle *) 0x0
---Type <return> to continue, or q <return> to quit---
        prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
      closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0,
      closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
        old_cwd = 0x7fff0ec81550 ""
        retval = 0
#9  0x00000000007a75dd in main (argc=2, argv=0x7fff0ec83b88) at /home/cristian/php5/sapi/cli/php_cli.c:1108
        __orig_bailout = (jmp_buf *) 0x0
        __bailout = {{__jmpbuf = {47277321481216, -69012199529123866, 0, 140733441391488, 0, 0, -69012199529127402, -69051279479423016},
    __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 0, 0, 0, 140733441390816, 0, 0, 0, 0, 657315968, 47277321483840,
        47277321485664, 281474976710656}}}}
        exit_status = 0
        c = -1
        file_handle = {type = 2 '\002', filename = 0x7fff0ec852ad "strtotime_mess.php", opened_path = 0x0, handle = {fd = 12179552,
    fp = 0xb9d860, stream = {handle = 0xb9d860, reader = 0x732954 <zend_stream_stdio_reader>, closer = 0x732984 <zend_stream_stdio_closer>,
      fteller = 0x7329af <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
        behavior = 1
        reflection_what = 0x0
        orig_optind = 1
        orig_optarg = 0x0
        arg_free = 0x7fff0ec852ad "strtotime_mess.php"
        arg_excp = (char **) 0x7fff0ec83b90
        script_file = 0x7fff0ec852ad "strtotime_mess.php"
        interactive = 0
        module_started = 1
        request_started = 1
        lineno = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        param_error = 0x0
        hide_argv = 0
        compiler_globals = (zend_compiler_globals *) 0x9f3030
        executor_globals = (zend_executor_globals *) 0x9f3030
        core_globals = (php_core_globals *) 0x9f3030
        sapi_globals = (sapi_globals_struct *) 0x9f31a0
        tsrm_ls = (void ***) 0x9f3030
        ini_entries_len = 110
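The backtrace above shows the two conditions a relative-time parser has to survive: the parsed amount has saturated at 9223372036854775807 (LLONG_MAX), and `relunit` is NULL by the time `switch (relunit->unit)` runs, which is the dereference that segfaults. The program below is an added example for readers of this report; it is not timelib's code and not the fix committed to CVS. It uses a hypothetical `parse_relative` function with its own small, constructed unit table to show a range-checked numeric parse and a NULL-checked unit lookup, each returning an error code instead of crashing, plus an overflow check on the final multiplication.

```c
/* Added example, not PHP/timelib code: a hardened parser for
 * "<number> <unit> [ago]" that refuses overflow and unknown units. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { REL_OK = 0, REL_ERR_RANGE, REL_ERR_UNIT, REL_ERR_SYNTAX } rel_status;

typedef struct {
    const char *name;
    long long   seconds;   /* constructed table: fixed-length units only */
} rel_unit;

static const rel_unit UNITS[] = {
    { "sec", 1 }, { "second", 1 }, { "min", 60 }, { "minute", 60 },
    { "hour", 3600 }, { "day", 86400 }, { "week", 7 * 86400 },
};

/* Look a unit up by name, ignoring a trailing 's' ("days" -> "day").
 * Returns NULL when the word is not a known unit; callers must check. */
static const rel_unit *lookup_unit(const char *word, size_t len)
{
    if (len > 1 && word[len - 1] == 's') len--;
    for (size_t i = 0; i < sizeof UNITS / sizeof UNITS[0]; i++) {
        if (strlen(UNITS[i].name) == len && strncmp(UNITS[i].name, word, len) == 0)
            return &UNITS[i];
    }
    return NULL;
}

/* Parse "<n> <unit> [ago]" into a signed offset in seconds.
 * On REL_OK writes *out; on any error leaves *out untouched. */
rel_status parse_relative(const char *s, long long *out)
{
    char *end;
    errno = 0;
    long long amount = strtoll(s, &end, 10);
    if (end == s) return REL_ERR_SYNTAX;        /* no digits at all */
    if (errno == ERANGE) return REL_ERR_RANGE;  /* 42 nines: reject, do not saturate */
    while (*end == ' ') end++;

    const char *word = end;
    while (isalpha((unsigned char)*end)) end++;
    if (end == word) return REL_ERR_SYNTAX;
    const rel_unit *u = lookup_unit(word, (size_t)(end - word));
    if (u == NULL) return REL_ERR_UNIT;         /* the NULL check the crash lacked */

    while (*end == ' ') end++;
    int ago = 0;
    if (strncmp(end, "ago", 3) == 0) { ago = 1; end += 3; }
    while (*end == ' ') end++;
    if (*end != '\0') return REL_ERR_SYNTAX;    /* trailing garbage */

    /* amount * seconds can overflow even when each factor fits. */
    if (amount > LLONG_MAX / u->seconds || amount < LLONG_MIN / u->seconds)
        return REL_ERR_RANGE;
    long long total = amount * u->seconds;
    if (ago) {
        if (total == LLONG_MIN) return REL_ERR_RANGE;
        total = -total;
    }
    *out = total;
    return REL_OK;
}

/* Small helpers so callers (and tests) can query status or value alone. */
rel_status relative_status(const char *s)
{
    long long scratch = 0;
    return parse_relative(s, &scratch);
}

long long relative_seconds_or(const char *s, long long fallback)
{
    long long v = fallback;
    parse_relative(s, &v);
    return v;
}

int main(void)
{
    /* The exact string from the report, plus a well-formed one. */
    const char *inputs[] = {
        "999999999999999999999999999999999999999999 days ago",
        "3 days ago",
    };
    for (size_t i = 0; i < 2; i++) {
        long long v = 0;
        rel_status st = parse_relative(inputs[i], &v);
        printf("%-55s -> status %d, seconds %lld\n", inputs[i], (int)st, v);
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall parse_relative.c` (file name assumed) and run it; the report's 42-digit string yields REL_ERR_RANGE because `strtoll` sets `errno` to `ERANGE`, and an unknown unit yields REL_ERR_UNIT before any pointer is dereferenced.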
 [2006-12-11 04:08 UTC] judas dot iscariote at gmail dot com
for some reason, previous comment got the wrong email address. (I **do not work** for novell ):)

BTW, the backtrace is using current CVS (just compiled)

PHP 5.2.1-dev (cli) (built: Dec 11 2006 00:58:29) (DEBUG)
 [2006-12-11 12:51 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

Fixed in CVS by Ilia.
 [2006-12-11 13:59 UTC] judas dot iscariote at gmail dot com
Works ok now.
 [2006-12-11 14:07 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 07:02:02 2014 UTC