php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79015 undefined-behavior in php_date.c
Submitted: 2019-12-22 00:35 UTC Modified: 2020-01-03 13:35 UTC
From: reza at iseclab dot org Assigned: cmb (profile)
Status: Closed Package: Date/time related
PHP Version: 7.3.13 OS: Ubuntu 16.04
Private report: No CVE-ID: None
 [2019-12-22 00:35 UTC] reza at iseclab dot org
Description:
------------
While I was fuzzing with LibFuzzer, I got this UB. The source code is instrumented with UBSanitizer.

This is the version of PHP:
---

php --version
PHP 8.0.0-dev (cli) (built: Dec 19 2019 13:24:08) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.0-dev, Copyright (c) Zend Technologies
---

Here is the Poc file that triggers the UB.

O:12:"DateInterval":1:1s:1:"f";i:9999999999990;



Test script:
---------------
php -r 'unserialize(file_get_contents("php://stdin"));' < PoC

Actual result:
--------------
Notice: unserialize(): Error at offset 47 of 48 bytes in Command line code on line 1
php-src-master/ext/date/php_date.c:4026:26: runtime error: 1e+19 is outside the range of representable values of type 'long long'
    #0 0x5be918 in php_date_interval_initialize_from_hash (php-src-master/sapi/cli/php+0x5be918)
    #1 0x5c54ef in zim_DateInterval___wakeup (php-src-master/sapi/cli/php+0x5c54ef)
    #2 0x2848646 in zend_call_function (php-src-master/sapi/cli/php+0x2848646)
    #3 0x283d21e in _call_user_function_ex (php-src-master/sapi/cli/php+0x283d21e)
    #4 0x216ccc3 in var_destroy (php-src-master/sapi/cli/php+0x216ccc3)
    #5 0x216b270 in php_var_unserialize_destroy (php-src-master/sapi/cli/php+0x216b270)
    #6 0x207ec9e in zif_unserialize (php-src-master/sapi/cli/php+0x207ec9e)
    #7 0x37ca76a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (php-src-master/sapi/cli/php+0x37ca76a)
    #8 0x2ee704a in execute_ex (php-src-master/sapi/cli/php+0x2ee704a)
    #9 0x2eea2d3 in zend_execute (php-src-master/sapi/cli/php+0x2eea2d3)
    #10 0x285545b in zend_eval_stringl (php-src-master/sapi/cli/php+0x285545b)
    #11 0x2856ce0 in zend_eval_stringl_ex (php-src-master/sapi/cli/php+0x2856ce0)
    #12 0x2856ec3 in zend_eval_string_ex (php-src-master/sapi/cli/php+0x2856ec3)
    #13 0x3aee302 in do_cli (php-src-master/sapi/cli/php+0x3aee302)
    #14 0x3ae9270 in main (php-src-master/sapi/cli/php+0x3ae9270)
    #15 0x7ffff640082f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x43f608 in _start (php-src-master/sapi/cli/php+0x43f608)


SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior php-src-master/ext/date/php_date.c:4026:26 in 

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-23 10:40 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: *General Issues +Package: Date/time related -PHP Version: 7.4Git-2019-12-22 (Git) +PHP Version: 7.3.13
 [2019-12-23 10:40 UTC] cmb@php.net
Indeed, a check for the valid range should be done before
assigning the double to a signed integer[1].

[1] <https://github.com/php/php-src/blob/php-7.3.13/ext/date/php_date.c#L4395>
 [2019-12-23 13:06 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #79015: undefined-behavior in php_date.c
On GitHub:  https://github.com/php/php-src/pull/5031
Patch:      https://github.com/php/php-src/pull/5031.patch
 [2020-01-03 13:34 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b48f2625b57f70eea858033e623e6bf13b595e3b
Log: Fix #79015: undefined-behavior in php_date.c
 [2020-01-03 13:34 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-01-03 13:35 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Oct 26 02:01:23 2020 UTC