Bug #76068 parse_ini_string fails to parse "[foo]\nbar=1|>baz" with segfault
Submitted: 2018-03-08 14:26 UTC Modified: 2018-03-08 16:07 UTC
From: madboyka at yahoo dot com Assigned:
Status: Closed Package: Filesystem function related
PHP Version: 7.2.3 OS: Windows 10
Private report: No CVE-ID: None

 

 [2018-03-08 14:26 UTC] madboyka at yahoo dot com
Description:
------------
Trying to parse the value "[foo]\nbar=1|>baz" with process_sections = true and scanner_mode = INI_SCANNER_TYPED causes a segmentation fault in the php process.
Looks like PHP sees the | as a logical operator and tries to do something with it.

Doesn't matter whether parse_ini_string or parse_ini_file is used.

I tried this on:
 Windows 10 with PHP 7.2.3 
 Ubuntu 16.04 with PHP 7.1.14-1+ubuntu16.04.1+deb.sury.org+1
 CentOS 7.4.1708 with PHP 7.1.14

Test script:
---------------
parse_ini_string("[foo]\nbar=1|>baz",true, \INI_SCANNER_TYPED);

Expected result:
----------------
the code should run without errors and return ['foo'=> ['bar' => '1|>baz']]

Actual result:
--------------
produces segmentation fault

 [2018-03-08 16:07 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2018-03-08 16:07 UTC] cmb@php.net
> the code should run without errors and return
> ['foo'=> ['bar' => '1|>baz']]

Assuming this return value would be incorrect, since the
documentation[1] states:

| If a value in the ini file contains any non-alphanumeric
| characters it needs to be enclosed in double-quotes (").

However, a segfault must indeed not occur here.

The problem is that `zend_ini_do_op()` assumes that the operands
are strings[2], which is wrong, since in case of the given
reproduce script, op1 is `IS_LONG`.

[1] <http://www.php.net/manual/en/function.parse-ini-file.php#refsect1-function.parse-ini-file-notes>
[2] <https://github.com/php/php-src/blob/php-7.2.3/Zend/zend_ini_parser.y#L60-L63>
 [2018-03-10 10:21 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8417a239731158b7a8585f323e2c9216cac13c85
Log: Fixed bug #76068 parse_ini_string fails to parse "[foo]\nbar=1|>baz" with segfault
 [2018-03-10 10:21 UTC] ab@php.net
-Status: Analyzed +Status: Closed
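
The type check that the analysis above calls for, as an added example that is not PHP's code or the committed fix: a miniature tagged value whose operator helper converts each operand according to its type tag instead of assuming a string. The names `value`, `operand_to_int` and `ini_op` are hypothetical, and the operands in `main` are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of a tagged value; this is not the Zend zval. */
typedef enum { V_LONG, V_STRING, V_OTHER } vtype;
typedef struct { vtype type; union { long lval; char *str; } u; } value;
value mk_long(long n) { value v; v.type = V_LONG; v.u.lval = n; return v; }
value mk_str(const char *s) {
    value v; v.type = V_STRING;
    v.u.str = malloc(strlen(s) + 1);
    if (v.u.str) strcpy(v.u.str, s);
    return v;
}

/* Convert by tag. The unchecked form would call atoi(op->u.str) on every
 * operand; for a V_LONG holding 1 that reads the integer 1 as a pointer. */
static int operand_to_int(value *op, int *out) {
    switch (op->type) {
    case V_LONG: *out = (int)op->u.lval; return 0;
    case V_STRING:
        if (!op->u.str) return -1;          /* allocation failed in mk_str */
        *out = atoi(op->u.str);
        free(op->u.str); op->u.str = NULL;  /* only strings own heap memory */
        return 0;
    default: return -1;                     /* unsupported type: fail closed */
    }
}

/* Apply a bitwise operator; b may be NULL for the unary '~'. */
int ini_op(char op, value *a, value *b, int *result) {
    int x = 0, y = 0;
    int ea = operand_to_int(a, &x), eb = b ? operand_to_int(b, &y) : 0;
    if (ea || eb) return -1;      /* both operands are consumed before failing */
    switch (op) {
    case '|': *result = x | y; return 0;
    case '&': *result = x & y; return 0;
    case '^': *result = x ^ y; return 0;
    case '~': *result = ~x;    return 0;
    default:  return -1;
    }
}

int main(void) {
    value a = mk_long(1), b = mk_str(">baz");   /* constructed operands */
    int r = 0;
    if (ini_op('|', &a, &b, &r) == 0) printf("result: %d\n", r);
    return 0;
}
```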
 
Last updated: Fri Dec 06 22:01:27 2024 UTC