Bug #77484 Zend engine crashes when calling realpath in invalid working dir
Submitted: 2019-01-18 00:28 UTC
Modified: 2019-01-18 20:03 UTC
From: marcospassos dot com at gmail dot com
Assigned: ab
Status: Closed
Package: *Directory/Filesystem functions
PHP Version: 7.3.1
OS: Mac OS 10.12.6
Private report: No
CVE-ID: None
 [2019-01-18 00:28 UTC] marcospassos dot com at gmail dot com
Description:
------------
Calling realpath in an invalid working directory causes the engine to crash.

Test script:
---------------
https://3v4l.org/jWhgB

Expected result:
----------------
false

Actual result:
--------------
Crash

Patches

add-undeflow-check (last revision 2019-01-18 16:56 UTC by cmb@php.net)

 [2019-01-18 00:31 UTC] spam2 at rhsoft dot net
outside the PHP world this would classify as a vulnerability when a simple 2-liner crashes a shared server process
 [2019-01-18 11:31 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-01-18 11:31 UTC] cmb@php.net
Tentatively marking as sec bug.
 [2019-01-18 16:56 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: add-undeflow-check
Revision:   1547830590
URL:        https://bugs.php.net/patch-display.php?bug=77484&patch=add-undeflow-check&revision=1547830590
 [2019-01-18 16:56 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: ab
 [2019-01-18 16:56 UTC] cmb@php.net
There occurs an unsigned underflow in tsrm_realpath_r()[1]; the
attached patch add-undeflow-check would solve this. Anatol, since
you've refactored tsrm_realpath_r() to size_t, could you please
review the patch?

[1] <https://github.com/php/php-src/blob/php-7.3.1/Zend/zend_virtual_cwd.c#L767>
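
The class of bug named in the comment above, shown as an added example that is not part of the original report and is not PHP's source: a simplified, hypothetical backwards path walk in which a `size_t` index is decremented without a zero check. The function names and sample paths are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a backwards path walk; NOT PHP's tsrm_realpath_r(). */

/* Index where the last component of path[0..len) begins
 * (just past the previous '/', or `start` if there is none). */
static size_t last_component_start(const char *path, size_t len, size_t start)
{
    size_t i = len;
    while (i > start && path[i - 1] != '/') {
        i--;
    }
    return i;
}

/* Unchecked: drops a trailing "" or "." component by computing i - 1.
 * A relative path such as "." has no '/' before the component, so i == 0
 * and i - 1 wraps around to SIZE_MAX (unsigned underflow). */
static size_t drop_dot_unchecked(const char *path, size_t len, size_t start)
{
    size_t i = last_component_start(path, len, start);
    if (i == len || (i + 1 == len && path[i] == '.')) {
        return i - 1; /* wraps when i == 0 */
    }
    return len;
}

/* Checked: same logic, but the new length is clamped at 0. */
static size_t drop_dot_checked(const char *path, size_t len, size_t start)
{
    size_t i = last_component_start(path, len, start);
    if (i == len || (i + 1 == len && path[i] == '.')) {
        return i > 0 ? i - 1 : 0;
    }
    return len;
}

int main(void)
{
    /* Constructed inputs: an absolute path and a bare relative "." */
    printf("\"/a/.\" unchecked=%zu checked=%zu\n",
           drop_dot_unchecked("/a/.", 4, 0), drop_dot_checked("/a/.", 4, 0));
    printf("\".\"    unchecked=%zu checked=%zu\n",
           drop_dot_unchecked(".", 1, 0), drop_dot_checked(".", 1, 0));
    return 0;
}
```

A wrapped length used as an index or loop bound on the next iteration is what turns this arithmetic error into an out-of-bounds access and a crash.
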
 [2019-01-18 20:03 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-01-18 20:03 UTC] stas@php.net
Not a security issue - requires special condition and explicit user action to trigger.
 [2019-01-18 23:32 UTC] spam2 at rhsoft dot net
as said: outside the autistic php world it is considered as security bug as EVERY crash bug
 [2019-01-19 01:40 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8b20e7b68bd81ab74423c9f7937699f79401cec4
Log: Fixed bug #77484 Zend engine crashes when calling realpath in invalid working dir
 [2019-01-19 01:40 UTC] ab@php.net
-Status: Verified +Status: Closed
 
Last updated: Sat Dec 21 14:01:32 2024 UTC