|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65091 Scanner Bug
Submitted: 2013-06-21 21:30 UTC Modified: 2021-07-18 04:22 UTC
Avg. Score:3.8 ± 0.7
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: keithk at powderkeginteractive dot com Assigned: cmb (profile)
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.5.0 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2013-06-21 21:30 UTC] keithk at powderkeginteractive dot com
-Debian Linux Etch, Lenny, Squeeze and Wheezy (standard LAMP stacks)
-Oracle Cluster File System (OCFS2)
-PHP 5.3, 5.4 and 5.5 (across any of the above systems)

PHP 5.3 and above seems to have an issue where the scanner scans past the end of a PHP script, allowing unexpected/junk characters to be tokenized and causing the parser to emit "unexpected ... at end of file" and related failures.

This has happened across many different valid PHP scripts, so there isn't any "test script" I can reasonably provide. A common theme among the scripts, however, is that they end with } or some other single-token character.

Note that this issue does *not* happen when using PHP 5.2 within the same environment and scripts.

I suspect that memory mapping with a look-ahead buffer, as PHP/Zend does, isn't always returning the ideal case of null-padded data. This may be related to the specific use of OCFS2... perhaps one bug revealing another.

At any rate, I've investigated the scanner and it does seem to make an assumption that supports the above edge case. The lex_scan function does not check if the buffer pointer is right at the limit, only before or after, allowing the scanner to read past the end of the buffer.

Proposed solution: replace all instances of "(YYCURSOR > YYLIMIT)" with "(YYCURSOR >= YYLIMIT)" in Zend/zend_language_scanner.l


fix_scanner_overread (last revision 2013-06-24 15:45 UTC by keithk at powderkeginteractive dot com)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-06-24 00:27 UTC]
-Status: Open +Status: Feedback
 [2013-06-24 00:27 UTC]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

 [2013-06-24 13:10 UTC] keithk at powderkeginteractive dot com
-Status: Feedback +Status: Open
 [2013-06-24 13:10 UTC] keithk at powderkeginteractive dot com
Example script:

<?php echo 'testing'; ?>
 [2021-07-07 13:39 UTC]
-Status: Open +Status: Feedback -Package: *General Issues +Package: Scripting Engine problem -Assigned To: +Assigned To: cmb
 [2021-07-07 13:39 UTC]
Is this still an issue with any of the actively supported PHP

[1] <>
 [2021-07-18 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Wed Feb 01 09:05:53 2023 UTC