php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45822 Invalid value passed to strtotime() causes endless loop
Submitted: 2008-08-14 16:04 UTC Modified: 2009-05-03 18:23 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:0 (0.0%)
From: matt at neimeyer dot org Assigned: derick
Status: Closed Package: Date/time related
PHP Version: 5.2CVS, 5.3CVS, 6CVS (2008-08-14) OS: *
Private report: No CVE-ID:
 [2008-08-14 16:04 UTC] matt at neimeyer dot org
Description:
------------
Using a stock installation of PHP 5.2.6 (or 5.2.5 or 5.2.3) as an ISAPI module on Windows 2003 Standard Edition x32 (fully updated using Windows Update), if you pass a "wacky" value to strtotime the w3wp.exe (IIS Worker Pool) spikes to 99% and crashes the web server.

We accidentally used date("-24 hours") instead of strtotime("-24 hours") and then passed that (via some intermediary function calls) to strtotime.

It does not crash on Win2003 SE x64 (or any other operating system that we run this application on).

I am aware of other w3wp.exe bugs being reported but those do not seem to match this specific cause. Similarly, strtotime bugs don't seem to match.

Reproduce code:
---------------
echo strtotime(date("-24 hours"));

Expected result:
----------------
Return false or -1

(with the caveat that I know it's "bad code" on my part)

Actual result:
--------------
w3wp.exe crashes as soon as the page starts to load.

Watching in task manager on the web server, you can see w3wp.exe spike to 99% then stay there. If you kill the task the web server behaves oddly, generating "Service Unavailable" results to the end browser until the "World Wide Web Publishing Service" is restarted.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-08-14 17:41 UTC] amelek32 at gmail dot com
<?
echo strtotime('-24 0720080000Thu');

This is enought to this bug. It doesn't really crash, it rather goes to endless loop.

Tested on Apache + PHP 5.2.6 on Windows XP x64
 [2008-08-14 17:50 UTC] jani@php.net
It hangs in this loop:

#1  0x00000000004a7f5b in do_normalize (time=0x7bf1ed0) at /home/jani/php-5.3CVS/ext/date/lib/tm2unixtime.c:166
166             do {} while (do_range_limit_days(&time->y, &time->m, &time->d));
 [2008-08-20 19:24 UTC] krimpet at toolserver dot org
I can confirm this bug, and it's not limited to Windows platforms. 'php -r "strtotime('+1000000000000 days');"' crashes my Linux laptop, for example.

This bug is particularly dire where user input is fed to directly to strtotime(), as it poses a DoS risk - for example, we use strtotime() in MediaWiki to format times specified by the user. (See <https://bugzilla.wikimedia.org/show_bug.cgi?id=14898>.)
 [2008-12-22 14:18 UTC] for-bugs at hnw dot jp
As well as other comments, php -r 'strtotime("20080101000000 Sunday");' never ends on PHP 5.2.8 and 5.3.0alpha3.
 [2009-05-03 18:23 UTC] derick@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 07:02:06 2014 UTC