Bug #70947 INI parser segfault with INI_SCANNER_TYPED
Submitted: 2015-11-20 10:48 UTC
Modified: -
From: samuli dot kauranne at naturalsciences dot be
Assigned:
Status: Closed
Package: Filesystem function related
PHP Version: 7.0.0RC7
OS: *
Private report: No
CVE-ID:
 [2015-11-20 10:48 UTC] samuli dot kauranne at naturalsciences dot be
Description:
------------
This report should be viewed as a continuation of Bug #70157, which seems to be solved only in a specific case.

Observed with: PHP 7.0.0RC7 and PHP 5.6.16RC1

Operating systems: Any (tests run in Ubuntu 15.10, Ubuntu 15.04)

parse_ini_string() and parse_ini_file() segfault when the new INI_SCANNER_TYPED scanner encounters an unquoted value of format 'STRING INT' or 'STRING FLOAT' in the ini. Inputs in formats 'STRING INT STRING', 'STRING STRING INT' also trigger the bug.

I was first surprised to see that input in form 'INT STRING' does NOT trigger the bug, but this seems to be because the solution to Bug #70157 addresses this specific case only.

Which integer or floating point number is used does not seem to affect the result (can be small or large). However, floating point numbers in format '1e-2' or '2.3E4' DO NOT trigger the bug, nor do hexadecimal values given in format '0x1234'.

Whether the 'process_sections' argument is TRUE or FALSE does not seem to affect the bug. The bug does not manifest itself with INI_SCANNER_RAW or INI_SCANNER_NORMAL.

Test script:
---------------
$o = parse_ini_string('foo = bar 123', FALSE, INI_SCANNER_TYPED);

Expected result:
----------------
$o array(1) {
  ["foo"]=>
  string(7) "bar 123"
}

Actual result:
--------------
#0  zend_ini_add_string (result=result@entry=0x7ffd59704310, op1=op1@entry=0x7ffd59704500, op2=0x7ffd59704510) at /root/php-7.0.0RC7/Zend/zend_ini_parser.c:185
#1  0x0000000000799bcc in ini_parse () at /root/php-7.0.0RC7/Zend/zend_ini_parser.c:1739
#2  0x000000000079a2e7 in zend_parse_ini_string (str=str@entry=0x7f1e5aa6b180 "foo=bar 24", unbuffered_errors=unbuffered_errors@entry=0 '\000', scanner_mode=<optimized out>, 
    ini_parser_cb=ini_parser_cb@entry=0x6e70e0 <php_simple_ini_parser_cb>, arg=arg@entry=0x7f1e5aa120a0) at /root/php-7.0.0RC7/Zend/zend_ini_parser.c:317
#3  0x00000000006e749b in zif_parse_ini_string (execute_data=<optimized out>, return_value=0x7f1e5aa120a0) at /root/php-7.0.0RC7/ext/standard/basic_functions.c:5956
#4  0x000000000081310d in ZEND_DO_ICALL_SPEC_HANDLER () at /root/php-7.0.0RC7/Zend/zend_vm_execute.h:586
#5  0x000000000080456b in execute_ex (ex=<optimized out>) at /root/php-7.0.0RC7/Zend/zend_vm_execute.h:414
#6  0x0000000000857e67 in zend_execute (op_array=0x7f1e5aa7b000, op_array@entry=0x7f1e5aa7b160, return_value=return_value@entry=0x7f1e5aa12030) at /root/php-7.0.0RC7/Zend/zend_vm_execute.h:458
#7  0x00000000007c5993 in zend_execute_scripts (type=type@entry=8, retval=0x7f1e5aa12030, retval@entry=0x0, file_count=file_count@entry=3) at /root/php-7.0.0RC7/Zend/zend.c:1428
#8  0x0000000000766bd0 in php_execute_script (primary_file=0x7ffd597078c0) at /root/php-7.0.0RC7/main/main.c:2471
#9  0x0000000000859b3b in do_cli (argc=1500529424, argv=0x7ffd59704500) at /root/php-7.0.0RC7/sapi/cli/php_cli.c:974
#10 0x000000000043dc50 in main (argc=1500529424, argv=0x7ffd59704500) at /root/php-7.0.0RC7/sapi/cli/php_cli.c:1345
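
A regression check for the value shapes listed in the report, as an added example that is not part of the original report or of php-src: each input is parsed with INI_SCANNER_TYPED in a child PHP CLI process, so a segfault is reported instead of ending the script. It assumes a POSIX system with the `php` CLI; `probe()` and the sample values are constructed here for illustration.

```php
<?php
// Regression check for bug #70947 (added example, not code from the report).
// Each input is parsed in a child process so a crash there cannot end this script.

// Constructed sample inputs, one per value shape named in the report.
$cases = [
    'STRING INT'        => 'foo = bar 123',
    'STRING FLOAT'      => 'foo = bar 1.5',
    'STRING INT STRING' => 'foo = bar 123 baz',
    'STRING STRING INT' => 'foo = bar baz 123',
    'INT STRING'        => 'foo = 123 bar',    // reported as not crashing
    'exponent float'    => 'foo = bar 1e-2',   // reported as not crashing
    'hexadecimal'       => 'foo = bar 0x1234', // reported as not crashing
];

function probe($ini)
{
    // The child reads the INI text from stdin and parses it with the typed scanner.
    $child = 'var_export(parse_ini_string(stream_get_contents(STDIN), false, INI_SCANNER_TYPED));';
    $cmd   = escapeshellarg(PHP_BINARY) . ' -n -r ' . escapeshellarg($child);
    $proc  = proc_open($cmd, [0 => ['pipe', 'r'], 1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return ['crashed' => false, 'out' => 'could not start child'];
    }
    fwrite($pipes[0], $ini);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    do { // wait for the child so its final status can be read
        $st = proc_get_status($proc);
        if ($st['running']) { usleep(10000); }
    } while ($st['running']);
    proc_close($proc);
    // Killed by a signal directly, or reported by the shell as exit code 128+signal.
    $crashed = $st['signaled'] || $st['exitcode'] > 128;
    return ['crashed' => $crashed, 'out' => preg_replace('/\s+/', ' ', $out)];
}

$failed = 0;
foreach ($cases as $shape => $ini) {
    $r = probe($ini);
    $failed += $r['crashed'] ? 1 : 0;
    printf("%-18s %-20s %s\n", $shape, $ini, $r['crashed'] ? 'CRASH' : 'ok ' . $r['out']);
}
exit($failed > 0 ? 1 : 0);
```

The script exits non-zero if any child crashed, which makes it usable as a build or CI gate.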


 [2015-11-20 14:38 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=519f9bc67520f2dfd43e4d829143721d1334ff59
Log: Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED)
 [2015-11-20 14:38 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-11-21 19:01 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=597ed66ade112b4bde671f1e2ee0f1a000d16427
Log: Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED)
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=519f9bc67520f2dfd43e4d829143721d1334ff59
Log: Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED)
 
Last updated: Tue Aug 29 15:01:52 2017 UTC