php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66060 Heap buffer over-read in DateInterval
Submitted: 2013-11-08 10:29 UTC Modified: 2014-01-07 15:37 UTC
From: jutaky at polarptr dot com Assigned: remi (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2013-11-08 (Git) OS: Linux
Private report: No CVE-ID: None
 [2013-11-08 10:29 UTC] jutaky at polarptr dot com
Description:
------------
Heap buffer over-read in DateInterval.

Versions affected, at least: 5.5.3 and 5.6.0-dev (master-git)

Built with AddressSanitizer, prefix and debug.




Test script:
---------------
<?php new DateInterval('P170141183460469231731687303715884105729D'); ?>


Actual result:
--------------
==6428== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600800019eba at pc 0x4bb89c bp 0x7fff79056660 sp 0x7fff79056658
READ of size 1 at 0x600800019eba thread T0
    #0 0x4bb89b in scan /php-src/ext/date/lib/parse_iso_intervals.re:351
    #1 0x4bf896 in timelib_strtointerval /php-src/ext/date/lib/parse_iso_intervals.re:485 (discriminator 1)
    #2 0x44461e in date_interval_initialize /php-src/ext/date/php_date.c:3984
    #3 0x4467ff in zim_DateInterval___construct /php-src/ext/date/php_date.c:4147
    #4 0xdfa974 in zend_do_fcall_common_helper_SPEC /php-src/Zend/zend_vm_execute.h:554
    #5 0xdfd205 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /php-src/Zend/zend_vm_execute.h:689
    #6 0xdf61f6 in execute_ex /php-src/Zend/zend_vm_execute.h:363
    #7 0xdf7b3f in zend_execute /php-src/Zend/zend_vm_execute.h:388
    #8 0xd374d9 in zend_execute_scripts /php-src/Zend/zend.c:1334
    #9 0xbb4c3e in php_execute_script /php-src/main/main.c:2490
    #10 0x10829ae in do_cli /php-src/sapi/cli/php_cli.c:994
    #11 0x1085285 in main /php-src/sapi/cli/php_cli.c:1378
    #12 0x7fbb22be5bc4 in __libc_start_main ??:?
    #13 0x421498 in _start ??:?
0x600800019eba is located 0 bytes to the right of 42-byte region [0x600800019e90,0x600800019eba)
allocated by thread T0 here:
    #0 0x7fbb24276625 in ?? ??:0
    #1 0x4b9da2 in timelib_string /php-src/ext/date/lib/parse_iso_intervals.re:125
    #2 0x4bb442 in scan /php-src/ext/date/lib/parse_iso_intervals.re:320
    #3 0x4bf896 in timelib_strtointerval /php-src/ext/date/lib/parse_iso_intervals.re:485 (discriminator 1)
    #4 0x44461e in date_interval_initialize /php-src/ext/date/php_date.c:3984
    #5 0x4467ff in zim_DateInterval___construct /php-src/ext/date/php_date.c:4147
    #6 0xdfa974 in zend_do_fcall_common_helper_SPEC /php-src/Zend/zend_vm_execute.h:554
    #7 0xdfd205 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER /php-src/Zend/zend_vm_execute.h:689
    #8 0xdf61f6 in execute_ex /php-src/Zend/zend_vm_execute.h:363
    #9 0xdf7b3f in zend_execute /php-src/Zend/zend_vm_execute.h:388
    #10 0xd374d9 in zend_execute_scripts /php-src/Zend/zend.c:1334
    #11 0xbb4c3e in php_execute_script /php-src/main/main.c:2490
    #12 0x10829ae in do_cli /php-src/sapi/cli/php_cli.c:994
    #13 0x1085285 in main /php-src/sapi/cli/php_cli.c:1378
    #14 0x7fbb22be5bc4 in __libc_start_main ??:?

Patches

proposal.patch (last revision 2013-11-08 17:12 UTC by remi@php.net)
proposal.path (last revision 2013-11-08 17:11 UTC by remi@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-11-08 15:00 UTC] jutaky at polarptr dot com
CVE-2013-6712 has been assigned to this issue.

--
Juha Kylmänen
Research Assistant, OUSPG
 [2013-11-08 17:11 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: proposal.path
Revision:   1383930709
URL:        https://bugs.php.net/patch-display.php?bug=66060&patch=proposal.path&revision=1383930709
 [2013-11-08 17:12 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: proposal.patch
Revision:   1383930745
URL:        https://bugs.php.net/patch-display.php?bug=66060&patch=proposal.patch&revision=1383930745
 [2013-11-27 10:19 UTC] remi@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: remi
 [2013-11-27 10:19 UTC] remi@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Fix applied
 [2014-01-07 15:37 UTC] remi@php.net
-Type: Security +Type: Bug
 [2014-07-29 21:57 UTC] johannes@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a0bb3fd6793fe16dbf4d3b5eb3413093088a6b37
Log: Fixed bug #66060 (Heap buffer over-read in DateInterval)
 [2014-08-14 15:34 UTC] johannes@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a0bb3fd6793fe16dbf4d3b5eb3413093088a6b37
Log: Fixed bug #66060 (Heap buffer over-read in DateInterval)
 [2014-08-14 19:32 UTC] dmitry@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a0bb3fd6793fe16dbf4d3b5eb3413093088a6b37
Log: Fixed bug #66060 (Heap buffer over-read in DateInterval)
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a0bb3fd6793fe16dbf4d3b5eb3413093088a6b37
Log: Fixed bug #66060 (Heap buffer over-read in DateInterval)
 [2014-10-07 23:16 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071
Log: Fixed bug #66060 (Heap buffer over-read in DateInterval)
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a0bb3fd6793fe16dbf4d3b5eb3413093088a6b37
Log: Fixed bug #66060 (Heap buffer over-read in DateInterval)
 [2014-10-07 23:27 UTC] stas@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071
Log: Fixed bug #66060 (Heap buffer over-read in DateInterval)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 08:01:28 2024 UTC