php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50987 unaligned memory access in phar.c
Submitted: 2010-02-10 07:27 UTC Modified: 2010-11-20 20:27 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: geissert at debian dot org Assigned: iliaa
Status: Closed Package: PHAR related
PHP Version: 5.3.1 OS: linux ia64
Private report: No CVE-ID:
 [2010-02-10 07:27 UTC] geissert at debian dot org
Description:
------------
There's an unaligned memory access in ext/phar/phar.c's phar_set_32 function.

The following patch fixes it:

--- php.orig/ext/phar/phar.c
+++ php/ext/phar/phar.c
@@ -2491,7 +2491,7 @@ static inline void phar_set_32(char *buf
        *((buffer) + 1) = (unsigned char) (((var) >> 8) & 0xFF);
        *((buffer) + 0) = (unsigned char) ((var) & 0xFF);
 #else
-       *(php_uint32 *)(buffer) = (php_uint32)(var);
+       memcpy(buffer, &var, sizeof(var));
 #endif
 } /* }}} */



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-02-10 20:05 UTC] pajoye@php.net
hi,

Can you provide test cases for these crashes please? As well as your settings (CFLAGS&co) as I can't see crashes on IA64 here (or other 64bit platforms). Same applies for your other reports :)

Thanks for your feedback!
 [2010-02-10 20:32 UTC] geissert at debian dot org
The phar one was found while building the extension itself (the call to php in ext/phar/Makefile.frag to generate phar.php.)

There are probably more, but still have to process them. In the meanwhile, here's another (found while unpacking pear):

@@ -512,7 +512,7 @@ void phar_entry_remove(phar_entry_data *
        (buffer) += 2
 #else
 # define PHAR_GET_32(buffer, var) \
-       var = *(php_uint32*)(buffer); \
+       memcpy(&var, buffer, sizeof(var)); \
        buffer += 4
 # define PHAR_GET_16(buffer, var) \
        var = *(php_uint16*)(buffer); \

As for CFLAGS: -O2 -Wall -fsigned-char -fno-strict-aliasing -g -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Should be easy for you to find them by running the test suite under prctl --unaligned=signal (all the phar tests will fail.) That's how I found them all (I can provide the name of the tests that failed in a moment, I'm rebuilding with the patches I already provided.)
 [2010-03-06 02:20 UTC] geissert@php.net
Any reason for not applying the patch? cheers
 [2010-03-06 15:09 UTC] felipe@php.net
-Status: Open +Status: Assigned
 [2010-11-19 14:20 UTC] iliaa@php.net
-Assigned To: cellog +Assigned To: iliaa
 [2010-11-20 20:27 UTC] iliaa@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=305582
Log: Fixed bug #50987 (unaligned memory access in phar.c)
 [2010-11-20 20:27 UTC] iliaa@php.net
-Status: Assigned +Status: Closed
 [2010-11-20 20:27 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-11-20 21:59 UTC] kalle@php.net
Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=305584
Log: Added second fix from #50987 that wasn't apart of Ilia's commit
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 09:02:29 2014 UTC