Bug #69551 parse_ini_file() and parse_ini_string() segmentation fault
Submitted: 2015-04-30 13:29 UTC Modified: 2015-06-10 20:23 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: nystrom dot lars dot egon at gmail dot com Assigned: cmb
Status: Closed Package: Filesystem function related
PHP Version: 5.6.9 OS: *
Private report: No CVE-ID:
 [2015-04-30 13:29 UTC] nystrom dot lars dot egon at gmail dot com
Description:
------------
This bug affects both parse_ini_file() and parse_ini_string().

If you try to parse a string which contains a line feed followed by an escape character PHP will crash with a segmentation fault. This only happens when using the INI_SCANNER_RAW mode.

With "line feed followed by escape character" I mean two bytes with the following values: 0x0A 0x1B.

This affects all versions of PHP I've tried: PHP 5.6.8, PHP 5.5.24 and PHP 5.3.29.

Test script:
---------------
<?php

// The string literal contains a literal line feed (0x0A) followed by an
// escape byte (0x1B) after the opening double-quote; the ESC byte is not
// visible when displayed.
$a = '[Network.eth0]
SubnetMask = "
"';

// Crashes with a segmentation fault in INI_SCANNER_RAW mode.
parse_ini_string($a, false, \INI_SCANNER_RAW);


Patches

raw-ini-scanner-segfault (last revision 2015-04-30 16:40 UTC) by cmb@php.net


Pull Requests

Pull requests:


History

 [2015-04-30 13:35 UTC] nystrom dot lars dot egon at gmail dot com
Here's a better test script:

<?php

// Same input as above, with the two bytes written explicitly:
// 0x0A (line feed) followed by 0x1B (escape) right after the opening quote.
$a = '[Network.eth0]
SubnetMask = "' . "\x0A\x1B" . '"';

parse_ini_string($a, false, \INI_SCANNER_RAW);
 [2015-04-30 16:40 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: raw-ini-scanner-segfault
Revision:   1430412052
URL:        https://bugs.php.net/patch-display.php?bug=69551&patch=raw-ini-scanner-segfault&revision=1430412052
 [2015-04-30 16:42 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2015-04-30 16:42 UTC] cmb@php.net
The escape character is actually irrelevant. The problem is a
linebreak immediately following a double-quote for a value. In
this case the ini scanner goes to end_raw_value_chars:[1] and
yyleng is set to 1. That causes

  (yytext[0] == '"' && yytext[yyleng - 1] == '"')
  
to be true, and yyleng is decreased by 2. Thus a token with length
-1 is returned.

The solution is to avoid the above condition being true, when
there is only a single quote (the quote on the next line is
irrelevant, as the raw scanner does not allow linebreaks in
values). See the attached patch "raw-ini-scanner-segfault".

[1] <http://lxr.php.net/xref/PHP_TRUNK/Zend/zend_ini_scanner.l#518>
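The following is an added illustration of the length check described in the analysis above; it is not code from Zend/zend_ini_scanner.l or from the attached patch. It models the raw-scanner quote stripping with the re2c names yytext/yyleng, and the guard it adds (requiring at least two bytes) is one assumed way of keeping the condition from matching a lone quote.

```c
#include <stdio.h>

/* Faulty variant: a raw-mode value token that starts and ends with '"'
 * has both quotes stripped. For the one-byte token `"` (a quote followed
 * immediately by a line break, so the scanner stops right after it),
 * yytext[0] and yytext[yyleng - 1] are the same byte, the test passes,
 * and 1 - 2 = -1 is returned as the token length. */
static int trim_quotes_faulty(const char *yytext, int yyleng, const char **start)
{
    const char *p = yytext;
    if (yytext[0] == '"' && yytext[yyleng - 1] == '"') {
        p = yytext + 1;
        yyleng -= 2;
    }
    if (start) *start = p;
    return yyleng;
}

/* Guarded variant (assumed fix, not the committed patch): only treat the
 * token as quoted when it is long enough to hold two distinct quotes. */
static int trim_quotes_guarded(const char *yytext, int yyleng, const char **start)
{
    const char *p = yytext;
    if (yyleng >= 2 && yytext[0] == '"' && yytext[yyleng - 1] == '"') {
        p = yytext + 1;
        yyleng -= 2;
    }
    if (start) *start = p;
    return yyleng;
}

int main(void)
{
    const char *s;
    /* constructed inputs: a normal quoted value and the lone quote from the report */
    int n1 = trim_quotes_faulty("\"255.255.255.0\"", 15, &s);
    printf("faulty, quoted value: len=%d text=%.*s\n", n1, n1, s);
    int n2 = trim_quotes_faulty("\"", 1, &s);
    printf("faulty, lone quote:   len=%d (negative length passed on as a token)\n", n2);
    int n3 = trim_quotes_guarded("\"", 1, &s);
    printf("guarded, lone quote:  len=%d text=%.*s\n", n3, n3, s);
    return 0;
}
```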
 [2015-06-03 07:28 UTC] nystrom dot lars dot egon at gmail dot com
This is still a pretty big issue for me, since there's no way to catch this error in PHP. When can I expect this bug to be fixed?
 [2015-06-04 00:54 UTC] cmb@php.net
-Operating System: Linux +Operating System: * -PHP Version: 5.6.8 +PHP Version: 5.6.9
 [2015-06-04 00:54 UTC] cmb@php.net
I have submitted a respective PR, which might accelerate the fix
being merged. However, there are a lot of open PRs and the resources
to review them are limited, so please be patient.

If you really need the fix now, consider compiling PHP yourself,
applying the attached patch.
 [2015-06-10 20:23 UTC] cmb@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: cmb
 [2015-06-10 20:23 UTC] cmb@php.net
The fix for this bug has been committed.

Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Jul 25 22:01:35 2017 UTC