Bug #67253 timelib_meridian_with_check out-of-bounds read
Submitted: 2014-05-12 03:58 UTC
Modified: 2014-05-14 00:16 UTC
From: stas@php.net
Assigned: stas
Status: Closed
Package: *General Issues
PHP Version: 5.4.28
OS: *
Private report: No
CVE-ID:
 [2014-05-12 03:58 UTC] stas@php.net
Description:
------------
timelib_meridian_with_check does not check for string end and thus can read past the end of the string.

Test script:
---------------
date_parse_from_format("aHa0", "0=G{$z}9UCNnF");

Expected result:
----------------
no memory errors

Actual result:
--------------
==8881== Invalid read of size 1
==8881==    at 0x44FEEB: timelib_meridian_with_check (parse_date.re:413)
==8881==    by 0x47DC2D: timelib_parse_from_format (parse_date.re:1984)
==8881==    by 0x4489AC: zif_date_parse_from_format (php_date.c:3014)
==8881==    by 0x90C3A2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)
==8881==  Address 0x15ffb06a is 0 bytes after a block of size 10 alloc'd
==8881==    at 0x4C2710F: realloc (vg_replace_malloc.c:525)
==8881==    by 0x8820A4: add_string_to_string (zend_operators.c:1280)
==8881==    by 0x8E61BA: ZEND_ADD_STRING_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:8921)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)

==8881== Invalid read of size 1
==8881==    at 0x44FD2E: add_pbf_error (parse_date.re:371)
==8881==    by 0x47E38A: timelib_parse_from_format (parse_date.re:2154)
==8881==    by 0x4489AC: zif_date_parse_from_format (php_date.c:3014)
==8881==    by 0x90C3A2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)
==8881==  Address 0x15ffb06a is 0 bytes after a block of size 10 alloc'd
==8881==    at 0x4C2710F: realloc (vg_replace_malloc.c:525)
==8881==    by 0x8820A4: add_string_to_string (zend_operators.c:1280)
==8881==    by 0x8E61BA: ZEND_ADD_STRING_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:8921)
==8881==    by 0x8FDC3F: execute_ex (zend_vm_execute.h:363)
==8881==    by 0x87BE49: zend_eval_stringl (zend_execute_API.c:1187)
==8881==    by 0x87BF28: zend_eval_stringl_ex (zend_execute_API.c:1234)
==8881==    by 0x93A232: do_cli (php_cli.c:1034)
==8881==    by 0x93AC77: main (php_cli.c:1378)
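
A simplified stand-in for the defect described in this report, added here as an example; it is not the timelib source or the fix-timelib patch. The function names, the `MERIDIAN_UNSET` sentinel and the input buffer are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MERIDIAN_UNSET (-99999L) /* hypothetical "no meridian found" sentinel */

static int is_meridian(char c) { return c == 'a' || c == 'A' || c == 'p' || c == 'P'; }

/* 12-hour to 24-hour adjustment for the meridian letter c. */
static long adjust(char c, long hour)
{
    if (c == 'a' || c == 'A') return hour == 12 ? -12 : 0;
    return hour != 12 ? 12 : 0;
}

/* Unchecked scan: nothing stops the cursor at the string terminator. */
static long meridian_unchecked(const char **ptr, long hour)
{
    while (!is_meridian(**ptr)) ++*ptr;
    return adjust(*(*ptr)++, hour);
}

/* Checked scan: stop at '\0' and report failure without stepping past it. */
static long meridian_checked(const char **ptr, long hour)
{
    while (**ptr && !is_meridian(**ptr)) ++*ptr;
    if (!**ptr) return MERIDIAN_UNSET;
    return adjust(*(*ptr)++, hour);
}

/* Constructed input: "10:30" has no meridian letter. The bytes after its
 * terminator stand in for unrelated adjacent memory; all of it lives in one
 * array, so the unchecked scan stays within defined behaviour here. */
static const char arena[16] = { '1','0',':','3','0','\0','x','x','x','p','m' };

/* Run one variant; return how far the cursor moved from the string start. */
static size_t scan_offset(long (*fn)(const char **, long), long *adj)
{
    const char *p = arena;
    *adj = fn(&p, 10);
    return (size_t)(p - arena);
}

int main(void)
{
    long a, b;
    size_t u = scan_offset(meridian_unchecked, &a), c = scan_offset(meridian_checked, &b);
    printf("unchecked: offset %zu, adjustment %ld\n", u, a);
    printf("checked:   offset %zu, adjustment %ld\n", c, b);
    return 0;
}
```

The string is 5 bytes long, so the unchecked cursor ending at offset 10 shows both the read past the terminator and a result derived from bytes that are not part of the input.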



Patches

fix-timelib (last revision 2014-05-12 04:09 UTC by stas@php.net)

History

 [2014-05-12 04:09 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: fix-timelib
Revision:   1399867783
URL:        https://bugs.php.net/patch-display.php?bug=67253&patch=fix-timelib&revision=1399867783
 [2014-05-14 00:16 UTC] stas@php.net
-Status: Open
+Status: Closed
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: stas
 [2014-05-14 00:16 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-05-14 07:57 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=466b8aa444523b9b53811487f0f6ca4421bfb5e1
Log: fix bug #67253: timelib_meridian_with_check out-of-bounds read
 [2014-07-29 21:56 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2326401fc197cb88141561d3d51eccd7ac59fede
Log: fix bug #67253: timelib_meridian_with_check out-of-bounds read
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=2326401fc197cb88141561d3d51eccd7ac59fede
Log: fix bug #67253: timelib_meridian_with_check out-of-bounds read
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=466b8aa444523b9b53811487f0f6ca4421bfb5e1
Log: fix bug #67253: timelib_meridian_with_check out-of-bounds read
 