PHP :: Bug #50987 :: unaligned memory access in phar.c

Bug #50987

unaligned memory access in phar.c

Submitted:

2010-02-10 07:27 UTC

Modified:

2010-11-20 20:27 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

geissert at debian dot org

Assigned:

iliaa (profile)

Status:

Closed

Package:

PHAR related

PHP Version:

5.3.1

OS:

linux ia64

Private report:

CVE-ID:

None

View Developer Edit

[2010-02-10 07:27 UTC] geissert at debian dot org

Description:
------------
There's an unaligned memory access in ext/phar/phar.c's phar_set_32 function.

The following patch fixes it:

--- php.orig/ext/phar/phar.c
+++ php/ext/phar/phar.c
@@ -2491,7 +2491,7 @@ static inline void phar_set_32(char *buf
        *((buffer) + 1) = (unsigned char) (((var) >> 8) & 0xFF);
        *((buffer) + 0) = (unsigned char) ((var) & 0xFF);
 #else
-       *(php_uint32 *)(buffer) = (php_uint32)(var);
+       memcpy(buffer, &var, sizeof(var));
 #endif
 } /* }}} */

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-02-10 20:05 UTC] pajoye@php.net

hi,

Can you provide test cases for these crashes please? As well as your settings (CFLAGS&co) as I can't see crashes on IA64 here (or other 64bit platforms). Same applies for your other reports :)

Thanks for your feedback!

[2010-02-10 20:32 UTC] geissert at debian dot org

The phar one was found while building the extension itself (the call to php in ext/phar/Makefile.frag to generate phar.php.)

There are probably more, but still have to process them. In the meanwhile, here's another (found while unpacking pear):

@@ -512,7 +512,7 @@ void phar_entry_remove(phar_entry_data *
        (buffer) += 2
 #else
 # define PHAR_GET_32(buffer, var) \
-       var = *(php_uint32*)(buffer); \
+       memcpy(&var, buffer, sizeof(var)); \
        buffer += 4
 # define PHAR_GET_16(buffer, var) \
        var = *(php_uint16*)(buffer); \

As for CFLAGS: -O2 -Wall -fsigned-char -fno-strict-aliasing -g -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Should be easy for you to find them by running the test suite under prctl --unaligned=signal (all the phar tests will fail.) That's how I found them all (I can provide the name of the tests that failed in a moment, I'm rebuilding with the patches I already provided.)

[2010-03-06 02:20 UTC] geissert@php.net

Any reason for not applying the patch? cheers

[2010-03-06 15:09 UTC] felipe@php.net

-Status: Open +Status: Assigned

[2010-11-19 14:20 UTC] iliaa@php.net

-Assigned To: cellog +Assigned To: iliaa

[2010-11-20 20:27 UTC] iliaa@php.net

Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=305582
Log: Fixed bug #50987 (unaligned memory access in phar.c)

[2010-11-20 20:27 UTC] iliaa@php.net

-Status: Assigned +Status: Closed

[2010-11-20 20:27 UTC] iliaa@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2010-11-20 21:59 UTC] kalle@php.net

Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=305584
Log: Added second fix from #50987 that wasn't apart of Ilia's commit

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 15:01:29 2024 UTC