Bug #76173 variant_date_from_timestamp crash
Submitted: 2018-04-01 00:45 UTC Modified: 2018-04-01 05:31 UTC
From: fernando at null-life dot com Assigned:
Status: Duplicate Package: COM related
PHP Version: 7.2.4 OS: Windows
Private report: No CVE-ID: None
 [2018-04-01 00:45 UTC] fernando at null-life dot com
Description:
------------
Passing 2147483647 as the timestamp causes a crash on the highlighted line.


PHP_FUNCTION(variant_date_from_timestamp)
{
	/* ... */
	memset(&systime, 0, sizeof(systime));

	systime.wDay = tmv->tm_mday;   /* <-------------------- crash here */
	systime.wHour = tmv->tm_hour;
	systime.wMinute = tmv->tm_min;

This was tested on Windows 10 x64 using the package php-7.2.4-nts-Win32-VC15-x86.zip.

This was supposed to be fixed according to https://bugs.php.net/bug.php?id=72498 


Test script:
---------------
<?php

$var1 = 2147483647;
variant_date_from_timestamp($var1);


Expected result:
----------------
No crash

Actual result:
--------------
(3200.1168): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
577fafbb 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00000000 ebx=1bc1a080 ecx=b7ddb89d edx=00000000 esi=06dfc85c edi=1bc7d070
eip=577fafbb esp=06dfc7f0 ebp=06dfc838 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
577fafbb 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:577fafbb movzx ecx,word ptr [edx+0ch]

Basic Block:
    577fafbb movzx ecx,word ptr [edx+0ch]
       Tainted Input operands: 'edx'
    577fafbf mov word ptr [esp+26h],cx
       Tainted Input operands: 'cx'
    577fafc4 movzx ecx,word ptr [edx+8]
       Tainted Input operands: 'edx'
    577fafc8 mov word ptr [esp+28h],cx
       Tainted Input operands: 'cx'
    577fafcd movzx ecx,word ptr [edx+4]
       Tainted Input operands: 'edx'
    577fafd1 mov word ptr [esp+2ah],cx
       Tainted Input operands: 'cx'
    577fafd6 movzx eax,word ptr [edx+10h]
       Tainted Input operands: 'edx'
    577fafda inc ax
       Tainted Input operands: 'ax'
    577fafdc mov word ptr [esp+22h],ax
       Tainted Input operands: 'ax'
    577fafe1 movzx eax,word ptr [edx]
       Tainted Input operands: 'edx'
    577fafe4 mov word ptr [esp+2ch],ax
       Tainted Input operands: 'ax'
    577fafe9 mov eax,76ch
    577fafee add ax,word ptr [edx+14h]
       Tainted Input operands: 'edx'
    577faff2 mov word ptr [esp+20h],ax
       Tainted Input operands: 'ax'
    577faff7 mov eax,7
    577faffc mov word ptr [esp+10h],ax
    577fb001 lea eax,[esp+18h]
    577fb005 push eax
    577fb006 lea eax,[esp+24h]
    577fb00a push eax
    577fb00b call dword ptr [php_com_dotnet!_imp__systemtimetovarianttime (577fe0a0)]
       Tainted Input operands: 'ecx','edx'

Exception Hash (Major/Minor): 0xb00c46e1.0x85d22159

 Hash Usage : Stack Trace:
Major+Minor : php_com_dotnet!zif_variant_date_from_timestamp+0x9b
Major+Minor : php7!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER+0x4b
Major+Minor : php7!execute_ex+0x57
Major+Minor : php7!zend_execute+0xf9
Major+Minor : php7!zend_execute_scripts+0x94
Minor       : php7!php_execute_script+0x283
Minor       : php!do_cli+0x8f4
Minor       : php!main+0x502
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_76f20000!__RtlUserThreadStart+0x2f
Minor       : ntdll_76f20000!_RtlUserThreadStart+0x1b
Instruction Address: 0x00000000577fafbb
Source File: c:\php-snap-build\php72\vc15\x86\php-7.2.4\ext\com_dotnet\com_variant.c
Source Line: 1024
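As an added illustration (not code from the PHP source tree or from the reporter), here is the conversion rewritten around the check the dump shows is missing: at the faulting read of `[edx+0Ch]`, edx holds `tmv` and is 0, so `localtime()` returned NULL and was dereferenced. The `struct systime` below mirrors the Win32 SYSTEMTIME field order (an assumption made so the code builds anywhere), and `year_from_timestamp` is a hypothetical helper used only to check the result.

```c
#include <stdio.h>
#include <time.h>

/* Stand-in for the Win32 SYSTEMTIME layout (assumption: same field order,
 * so the code compiles and runs outside Windows). */
struct systime {
    unsigned short wYear, wMonth, wDayOfWeek, wDay,
                   wHour, wMinute, wSecond, wMilliseconds;
};
/* Copy a broken-down time into the SYSTEMTIME-style struct.
 * Returns 0 on success, -1 when tmv is NULL. This NULL check is what the
 * crashing line lacks: it reads tmv->tm_mday while tmv (edx) is 0. */
int systime_from_tm(const struct tm *tmv, struct systime *out)
{
    if (tmv == NULL || out == NULL)
        return -1;
    out->wYear      = (unsigned short)(tmv->tm_year + 1900); /* "add ax,76ch" */
    out->wMonth     = (unsigned short)(tmv->tm_mon + 1);     /* "inc ax" on tm_mon */
    out->wDayOfWeek = (unsigned short)tmv->tm_wday;
    out->wDay       = (unsigned short)tmv->tm_mday;          /* the faulting read */
    out->wHour      = (unsigned short)tmv->tm_hour;
    out->wMinute    = (unsigned short)tmv->tm_min;
    out->wSecond    = (unsigned short)tmv->tm_sec;
    out->wMilliseconds = 0;
    return 0;
}

/* Convert a Unix timestamp. localtime() returns NULL for values the CRT
 * cannot represent, so the result is validated before any field is read. */
int systime_from_timestamp(long long ts, struct systime *out)
{
    time_t t = (time_t)ts;
    return systime_from_tm(localtime(&t), out);
}

/* Hypothetical helper for checks: the computed year, or -1 on failure. */
int year_from_timestamp(long long ts)
{
    struct systime st;
    return systime_from_timestamp(ts, &st) == 0 ? (int)st.wYear : -1;
}

int main(void)
{
    /* Constructed input: the value from the report, 2038-01-19 03:14:07 UTC. */
    printf("year=%d\n", year_from_timestamp(2147483647LL));
    printf("NULL tm -> %d\n", systime_from_tm(NULL, NULL));
    return 0;
}
```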

 [2018-04-01 05:31 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2018-04-01 05:31 UTC] requinix@php.net
As you can see from the commit, the fix was only for x64. I don't know why.