Bug #66060 Heap buffer over-read in DateInterval
Submitted: 2013-11-08 10:29 UTC Modified: 2014-01-07 15:37 UTC
From: jutaky at polarptr dot com Assigned: remi
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2013-11-08 (Git) OS: Linux
Private report: No CVE-ID:
 [2013-11-08 10:29 UTC] jutaky at polarptr dot com
Description:
------------
Heap buffer over-read in DateInterval.

Versions affected, at least: 5.5.3 and 5.6.0-dev (master-git)

Built with AddressSanitizer, prefix and debug.
Test script:
---------------
<?php new DateInterval('P170141183460469231731687303715884105729D'); ?>
Actual result:
--------------
==6428== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600800019eba at pc 0x4bb89c bp 0x7fff79056660 sp 0x7fff79056658
READ of size 1 at 0x600800019eba thread T0
    #0 0x4bb89b in scan /php-src/ext/date/lib/parse_iso_intervals.re:351
    #1 0x4bf896 in timelib_strtointerval /php-src/ext/date/lib/parse_iso_intervals.re:485 (discriminator 1)
    #2 0x44461e in date_interval_initialize /php-src/ext/date/php_date.c:3984
    #3 0x4467ff in zim_DateInterval___construct /php-src/ext/date/php_date.c:4147
    #4 0xdfa974 in zend_do_fcall_common_helper_SPEC /php-src/Zend/zend_vm_execute.h:554
    #5 0xdfd205 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /php-src/Zend/zend_vm_execute.h:689
    #6 0xdf61f6 in execute_ex /php-src/Zend/zend_vm_execute.h:363
    #7 0xdf7b3f in zend_execute /php-src/Zend/zend_vm_execute.h:388
    #8 0xd374d9 in zend_execute_scripts /php-src/Zend/zend.c:1334
    #9 0xbb4c3e in php_execute_script /php-src/main/main.c:2490
    #10 0x10829ae in do_cli /php-src/sapi/cli/php_cli.c:994
    #11 0x1085285 in main /php-src/sapi/cli/php_cli.c:1378
    #12 0x7fbb22be5bc4 in __libc_start_main ??:?
    #13 0x421498 in _start ??:?
0x600800019eba is located 0 bytes to the right of 42-byte region [0x600800019e90,0x600800019eba)
allocated by thread T0 here:
    #0 0x7fbb24276625 in ?? ??:0
    #1 0x4b9da2 in timelib_string /php-src/ext/date/lib/parse_iso_intervals.re:125
    #2 0x4bb442 in scan /php-src/ext/date/lib/parse_iso_intervals.re:320
    #3 0x4bf896 in timelib_strtointerval /php-src/ext/date/lib/parse_iso_intervals.re:485 (discriminator 1)
    #4 0x44461e in date_interval_initialize /php-src/ext/date/php_date.c:3984
    #5 0x4467ff in zim_DateInterval___construct /php-src/ext/date/php_date.c:4147
    #6 0xdfa974 in zend_do_fcall_common_helper_SPEC /php-src/Zend/zend_vm_execute.h:554
    #7 0xdfd205 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /php-src/Zend/zend_vm_execute.h:689
    #8 0xdf61f6 in execute_ex /php-src/Zend/zend_vm_execute.h:363
    #9 0xdf7b3f in zend_execute /php-src/Zend/zend_vm_execute.h:388
    #10 0xd374d9 in zend_execute_scripts /php-src/Zend/zend.c:1334
    #11 0xbb4c3e in php_execute_script /php-src/main/main.c:2490
    #12 0x10829ae in do_cli /php-src/sapi/cli/php_cli.c:994
    #13 0x1085285 in main /php-src/sapi/cli/php_cli.c:1378
    #14 0x7fbb22be5bc4 in __libc_start_main ??:?

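Added example, not code from the report or from PHP itself: an application-side boundary check that rejects ISO 8601 interval specs whose numeric components are oversized (such as the 39-digit value in the test script above) before the string ever reaches DateInterval's parser, which is the mitigation available to an application that cannot immediately move to a patched PHP. The digit cap and the function names are assumptions chosen for this example.

```php
<?php
// Added example (not from the bug report or php-src). Validate an ISO 8601
// duration at the application boundary so oversized numeric components are
// rejected before DateInterval parses them. MAX_DIGITS is an assumed cap for
// this example, not a limit documented by PHP.

const MAX_DIGITS = 9;

function isSafeIntervalSpec(string $spec): bool
{
    $n = '\d{1,' . MAX_DIGITS . '}';
    // Designators in the order DateInterval accepts them. The regex allows
    // W and D together, which PHP itself only accepts from 8.0 onward.
    $pattern = '/^P(?=\d|T\d)'
             . '(?:' . $n . 'Y)?(?:' . $n . 'M)?(?:' . $n . 'W)?(?:' . $n . 'D)?'
             . '(?:T(?=\d)(?:' . $n . 'H)?(?:' . $n . 'M)?(?:' . $n . 'S)?)?$/';
    return preg_match($pattern, $spec) === 1;
}

function makeInterval(string $spec): DateInterval
{
    if (!isSafeIntervalSpec($spec)) {
        throw new InvalidArgumentException('Rejected interval spec: ' . $spec);
    }
    return new DateInterval($spec);
}

// Constructed inputs: the reporter's crashing spec, a normal one, a malformed one.
$cases = [
    'P170141183460469231731687303715884105729D',
    'P1Y2M10DT2H30M',
    'P1DX',
];
foreach ($cases as $spec) {
    try {
        $interval = makeInterval($spec);
        $summary  = $interval->format('%y y %m m %d d %h h %i i');
        echo "accepted {$spec}: {$summary}\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Only the middle input is accepted; the first is rejected for its digit count and the third for its trailing garbage, so neither is handed to the parser.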
Patches

proposal.patch (last revision 2013-11-08 17:12 UTC by remi@php.net)
proposal.path (last revision 2013-11-08 17:11 UTC by remi@php.net)


Pull Requests


History

 [2013-11-08 15:00 UTC] jutaky at polarptr dot com
CVE-2013-6712 has been assigned to this issue.

--
Juha Kylmänen
Research Assistant, OUSPG
 [2013-11-08 17:11 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: proposal.path
Revision:   1383930709
URL:        https://bugs.php.net/patch-display.php?bug=66060&patch=proposal.path&revision=1383930709
 [2013-11-08 17:12 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: proposal.patch
Revision:   1383930745
URL:        https://bugs.php.net/patch-display.php?bug=66060&patch=proposal.patch&revision=1383930745
 [2013-11-27 10:19 UTC] remi@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: remi
 [2013-11-27 10:19 UTC] remi@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

Fix applied
 [2014-01-07 15:37 UTC] remi@php.net
-Type: Security +Type: Bug
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 00:01:21 2014 UTC