Bug #70157 parse_ini_string() segmentation fault with INI_SCANNER_TYPED
Submitted: 2015-07-28 12:31 UTC Modified: 2015-08-07 03:30 UTC
From: publikusmail at postafiok dot hu Assigned: datibbaw
Status: Closed Package: Filesystem function related
PHP Version: php-5.6 OS: *
Private report: No CVE-ID:
 [2015-07-28 12:31 UTC] publikusmail at postafiok dot hu
Description:
------------
This bug affects both parse_ini_file() and parse_ini_string() functions.

A string value starting with a number and without quotes causes segmentation fault, whenever mode is set to INI_SCANNER_TYPED.

PHP versions tested: 5.6.9, 7.0.0b2
OS tested: Debian 8.1, Windows 8.1

Test script:
---------------
<?php

$ini = "

[agatha.christie]
title = 10 little indians

";

var_dump(parse_ini_string($ini, true, INI_SCANNER_TYPED));

?>

Expected result:
----------------
array(1) {
  ["agatha.christie"]=>
  array(1) {
    ["title"]=>
    string(17) "10 little indians"
  }
}

Actual result:
--------------
segmentation fault

 [2015-07-28 19:32 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2015-07-28 19:32 UTC] cmb@php.net
Confirmed:

Program received signal SIGSEGV, Segmentation fault.
0x00000000005e78e2 in zend_ini_add_string (result=0x7fffffff9cd0,
    op1=0x7fffffff9d20, op2=0x7fffffff9d30)
    at /home/cmb/php-src/Zend/zend_ini_parser.y:105
105             int op1_len = (int)Z_STRLEN_P(op1);
(gdb) bt
#0  0x00000000005e78e2 in zend_ini_add_string (result=0x7fffffff9cd0,
    op1=0x7fffffff9d20, op2=0x7fffffff9d30)
    at /home/cmb/php-src/Zend/zend_ini_parser.y:105
#1  0x00000000005e8a40 in ini_parse ()
    at /home/cmb/php-src/Zend/zend_ini_parser.y:348
#2  0x00000000005e7e51 in zend_parse_ini_string (
    str=0x7ffff687f070 "\n\n[agatha.christie]\ntitle = 10 little indians\n\n", unbuffered_errors=0 '\000', scanner_mode=2,
    ini_parser_cb=0x526878 <php_ini_parser_cb_with_sections>,
    arg=0x7ffff68130b0) at /home/cmb/php-src/Zend/zend_ini_parser.y:238
#3  0x0000000000526bf8 in zif_parse_ini_string (execute_data=0x7ffff6813140,
    return_value=0x7ffff68130b0)
    at /home/cmb/php-src/ext/standard/basic_functions.c:5957
    
The problem is obvious. op1 in zend_ini_add_string is IS_LONG,
but is treated as IS_STRING. The solution, however, is not so
obvious to me.
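
The type confusion described in the comment above, as an added example that is not part of the bug report or of PHP's source. It uses a simplified, hypothetical tagged value (`value`, `to_string`, `add_string` and `concat_demo` are assumed names, not the Zend API) and shows one way to guard a concatenation routine: check the operand's type and convert an integer to text before reading its string fields. It is not the fix committed for this bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tagged value: a simplified stand-in for a typed INI token. */
typedef enum { V_LONG, V_STRING } vtype;
typedef struct {
    vtype type;
    union { long lval; struct { char *val; size_t len; } str; } u;
} value;

/* Ensure v holds a string; a V_LONG is rendered to decimal text first. */
static int to_string(value *v) {
    if (v->type == V_STRING) return 0;
    int n = snprintf(NULL, 0, "%ld", v->u.lval);
    char *s = n < 0 ? NULL : malloc((size_t)n + 1);
    if (!s) return -1;
    snprintf(s, (size_t)n + 1, "%ld", v->u.lval);
    v->type = V_STRING;
    v->u.str.val = s;
    v->u.str.len = (size_t)n;
    return 0;
}

/* Concatenate op1 and op2 into result. Reading u.str of a V_LONG operand
 * would treat the integer's bytes as a pointer and length, so both
 * operands are normalised to strings before their fields are used. */
int add_string(value *result, value *op1, value *op2) {
    if (to_string(op1) != 0 || to_string(op2) != 0) return -1;
    size_t l1 = op1->u.str.len, l2 = op2->u.str.len;
    char *s = malloc(l1 + l2 + 1);
    if (!s) return -1;
    memcpy(s, op1->u.str.val, l1);
    memcpy(s + l1, op2->u.str.val, l2);
    s[l1 + l2] = '\0';
    *result = (value){ .type = V_STRING, .u.str = { s, l1 + l2 } };
    return 0;
}

/* Constructed input mirroring the report: a leading number, then text. */
char *concat_demo(void) {
    static char tail[] = " little indians";
    value a = { .type = V_LONG, .u.lval = 10 };
    value b = { .type = V_STRING, .u.str = { tail, sizeof tail - 1 } };
    value r;
    int rc = add_string(&r, &a, &b);
    if (a.type == V_STRING) free(a.u.str.val); /* text made by to_string */
    return rc == 0 ? r.u.str.val : NULL;       /* caller frees */
}
```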
 [2015-07-29 03:12 UTC] laruence@php.net
-Assigned To: +Assigned To: datibbaw
 [2015-07-29 03:12 UTC] laruence@php.net
Actually, this is introduced in 5.6, not a PHP 7 specific issue.

@datibbaw, could you please have a look?
 [2015-07-29 03:13 UTC] laruence@php.net
-PHP Version: 7.0.0beta2 +PHP Version: php-5.6
 [2015-08-07 03:30 UTC] pierrick@php.net
Another segfault due to the same problem:

$ini = "foo[1] = bar";
var_dump(parse_ini_string($ini, true, INI_SCANNER_TYPED));
 [2015-08-07 04:02 UTC] datibbaw@php.net
Sorry for the delay, I'll have a look!
 [2015-08-15 09:03 UTC] datibbaw@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0d7159d26d277e34b4b2df4c1e49ec51ffb229cf
Log: Fixed #70157 parse_ini_string() segmentation fault with INI_SCANNER_TYPED
 [2015-08-15 09:03 UTC] datibbaw@php.net
-Status: Verified +Status: Closed
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0d7159d26d277e34b4b2df4c1e49ec51ffb229cf
Log: Fixed #70157 parse_ini_string() segmentation fault with INI_SCANNER_TYPED
 
Last updated: Tue Apr 25 10:01:41 2017 UTC