Bug #76068 parse_ini_string fails to parse "[foo]\nbar=1|>baz" with segfault
Submitted: 2018-03-08 14:26 UTC Modified: 2018-03-08 16:07 UTC
From: madboyka at yahoo dot com Assigned:
Status: Closed Package: Filesystem function related
PHP Version: 7.2.3 OS: Windows 10
Private report: No CVE-ID: None
 [2018-03-08 14:26 UTC] madboyka at yahoo dot com
Trying to parse the value "[foo]\nbar=1|>baz" with process_sections = true and scanner_mode = INI_SCANNER_TYPED causes a segmentation fault in the php process.
Looks like PHP sees the | as a logical operator and tries to do something with it.

Doesn't matter whether parse_ini_string or parse_ini_file is used.

I tried this on:
 Windows 10 with PHP 7.2.3 
 Ubuntu 16.04 with PHP
 CentOS 7.4.1708 with PHP 7.1.14

Test script:
parse_ini_string("[foo]\nbar=1|>baz",true, \INI_SCANNER_TYPED);

Expected result:
the code should run without errors and return ['foo'=> ['bar' => '1|>baz']]

Actual result:
produces segmentation fault


 [2018-03-08 16:07 UTC]
-Status: Open +Status: Analyzed
 [2018-03-08 16:07 UTC]
> the code should run without errors and return
> ['foo'=> ['bar' => '1|>baz']]

Assuming this return value would be incorrect, since the
documentation[1] states:

| If a value in the ini file contains any non-alphanumeric
| characters it needs to be enclosed in double-quotes (").

However, a segfault must indeed not occur here.

The problem is that `zend_ini_do_op()` assumes that the operands
are strings[2], which is wrong, since in case of the given
reproduce script, op1 is `IS_LONG`.

[1] <>
[2] <>
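
The type assumption described in the comment above, as an added example that is not part of the bug report and is not PHP's source: a simplified C model (all type and function names are hypothetical) that contrasts an operand read trusting the value to be a string with one that checks the type tag first.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a tagged value. All names here are hypothetical
 * and are not taken from the Zend Engine source. */
enum val_type { VAL_LONG, VAL_STRING };
struct val {
    enum val_type type;
    union { long lval; const char *str; } u;  /* live member depends on type */
};

/* Unsafe pattern, shown for contrast and never called: it trusts that the
 * operand is a string, so a VAL_LONG payload such as 1 is used as a pointer. */
long operand_unchecked(const struct val *v)
{
    return atol(v->u.str);
}

/* Checked pattern: inspect the tag before touching the payload. */
int operand_checked(const struct val *v, long *out)
{
    if (v->type == VAL_LONG) { *out = v->u.lval; return 0; }
    if (v->type == VAL_STRING && v->u.str != NULL) {
        *out = strtol(v->u.str, NULL, 10);  /* non-numeric text yields 0 */
        return 0;
    }
    return -1;  /* unknown tag or missing string: refuse the operand */
}

/* Bitwise OR of two operands of any supported type; returns 0 on success. */
int ini_or(const struct val *a, const struct val *b, long *out)
{
    long x, y;
    if (operand_checked(a, &x) != 0 || operand_checked(b, &y) != 0) return -1;
    *out = x | y;
    return 0;
}

/* Constructed case: integer left operand, string right operand. */
long or_long_with_string(long lhs, const char *rhs)
{
    struct val a = { VAL_LONG, { .lval = lhs } };
    struct val b = { VAL_STRING, { .str = rhs } };
    long r = -1;
    return ini_or(&a, &b, &r) == 0 ? r : -1;
}

int main(void) { printf("%ld\n", or_long_with_string(1, ">baz")); return 0; }
```

The value this model computes for the mixed operands is a property of the model only; it makes no claim about what PHP returns for the reported input.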
 [2018-03-10 10:21 UTC]
Automatic comment on behalf of ab
Log: Fixed bug #76068 parse_ini_string fails to parse "[foo]\nbar=1|>baz" with segfault
 [2018-03-10 10:21 UTC]
-Status: Analyzed +Status: Closed