Bug #72172 zend_hex_strtod should not use strlen
Submitted: 2016-05-06 19:02 UTC
Modified: -
From: bwitz at hotmail dot com
Assigned:
Status: Closed
Package: *Compile Issues
PHP Version: 5.6.21
OS: Linux
Private report: No
CVE-ID:
 [2016-05-06 19:02 UTC] bwitz at hotmail dot com
Description:
------------
Purify reports an Invalid pointer read from zend_hex_strtod as a result of performing a strlen on the compile buffer.

IPR: Invalid pointer read (3 times):
  * This is occurring while in thread 8137:
	strlen         [rtlib.o]
	zend_hex_strtod [zend_strtod.c:2593]
	lex_scan       [zend_language_scanner.l:1561]
	zendlex        [zend_compile.c:6911]
	zendparse      [zend_language_parser.c:3767]
	compile_file   [zend_language_scanner.l:586]
	rnt_compile_file [rnt_opcode_cache.c:1118]
	ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER [zend_vm_execute.h:8337]
	execute_ex     [zend_vm_execute.h:363]
	zend_execute   [zend_vm_execute.h:388]
	zend_execute_scripts [zend.c:1341]
	php_execute_script [main.c:2610]
	main           [cgi_main.c:2720]
	__libc_start_main [libc.so.6]
	_start         [crt1.o]
  * Reading 189460 bytes from 0xec44b66b between the heap and the stack (1 byte at 0xec479a7e illegal)

Expected result:
----------------
Purify would not identify compilation of a php script as hitting an Invalid pointer read (IPR).  In addition the strlen is quite inefficient since the compile buffer can be quite large.  In this specific case, 189,460 bytes were read to determine that

if (strlen(str) < 2)

is false.
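
The cost described in the report, as an added example that is not part of the original report or of PHP's source: a constructed 189,460-byte buffer is checked once with `strlen` and once by reading at most two bytes. The function names, the buffer contents and the small hex parser are assumptions made for illustration, and the bounded check is not claimed to be the committed fix.

```c
#include <stdio.h>
#include <string.h>

enum { BUF_LEN = 189460 };  /* size from the report; contents are constructed */
static char buf[BUF_LEN];
/* Constructed compile buffer: hex literal first, the only NUL at the very end. */
static const char *make_buffer(void) {
    memset(buf, ' ', BUF_LEN - 1);
    memcpy(buf, "0x1F;", 5);
    buf[BUF_LEN - 1] = '\0';
    return buf;
}

/* Check from the report: strlen() walks to the NUL. Returns bytes read. */
static size_t bytes_read_strlen(const char *s, int *too_short) {
    size_t n = strlen(s);
    *too_short = (n < 2);
    return n + 1;
}

/* Bounded check: s[1] is read only when s[0] is not the terminator. */
static size_t bytes_read_peek(const char *s, int *too_short) {
    *too_short = (s[0] == '\0' || s[1] == '\0');
    return s[0] == '\0' ? 1 : 2;
}
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;  /* fold ASCII letters to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical parser: stops at the first non-hex byte, never scans ahead.
 * As with the reported check, input shorter than two bytes yields 0. */
static double parse_hex(const char *s, const char **end) {
    int d, too_short;
    double v = 0.0;
    bytes_read_peek(s, &too_short);
    if (!too_short && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2;
    while (!too_short && (d = hex_val(*s)) >= 0) { v = v * 16.0 + d; s++; }
    *end = s;
    return v;
}

int main(void) {
    int a, b;
    const char *end, *s = make_buffer();
    double v = parse_hex(s, &end);
    printf("strlen read %zu bytes, bounded check read %zu\n",
           bytes_read_strlen(s, &a), bytes_read_peek(s, &b));
    printf("value=%g, bytes consumed=%td\n", v, end - s);
}
```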


Patches

zend_strtod.patch (last revision 2016-05-06 19:02 UTC) by bwitz at hotmail dot com

History

 [2016-05-07 06:55 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c7f608071110a8e90e4ae04d3b4d970a70f8c7d
Log: Fixed bug #72172 (zend_hex_strtod should not use strlen)
 [2016-05-07 06:55 UTC] laruence@php.net
-Status: Open +Status: Closed
 
Last updated: Tue May 23 14:01:44 2017 UTC