php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81368 Possible divide by zero bug in zend_inference.c
Submitted: 2021-08-17 11:48 UTC Modified: 2021-08-17 13:15 UTC
From: yguoaz at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: master-Git-2021-08-17 (Git) OS: Linux
Private report: No CVE-ID: None
 [2021-08-17 11:48 UTC] yguoaz at gmail dot com
Description:
------------
In the file Zend/Optimizer/zend_inference.c, the function zend_inference_calc_binary_op_range has the following code:

case ZEND_DIV:
  if (OP1_HAS_RANGE() && OP2_HAS_RANGE()) {
    op1_min = OP1_MIN_RANGE();
    op2_min = OP2_MIN_RANGE();
    op1_max = OP1_MAX_RANGE();
    op2_max = OP2_MAX_RANGE();
    if (op2_min <= 0 && op2_max >= 0) {
      break;
    }
    
    float_div(op1_min, op2_min, &t1, &t1_);
    float_div(op1_min, op2_max, &t2, &t2_);
    float_div(op1_max, op2_min, &t3, &t3_);
    float_div(op1_max, op2_max, &t4, &t4_); 

The function float_div uses its second argument as a divisor. If only one of
the variables from op2_min and op2_max is zero, the checking can be bypassed
and will lead to a divide by zero problem.

Here is the link to the related code in github:
https://github.com/php/php-src/blob/be2df43b08cf13b9a5791ff5eb827a125115ef52/Zend/Optimizer/zend_inference.c#L674


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-08-17 12:36 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2021-08-17 12:39 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2021-08-17 12:39 UTC] nikic@php.net
Doesn't the op2_min/op2_max check before that exclude the possibility of a division by zero?

Can you share an example that would trigger a division by zero in this code?
 [2021-08-17 13:00 UTC] yguoaz at gmail dot com
-Status: Feedback +Status: Open
 [2021-08-17 13:00 UTC] yguoaz at gmail dot com
I think the op2_min/op2_max check before is not sufficient.
For example, op2_min==0 && op2_max < 0 can bypass it.

Can this happen? This issue is found by inspection. Thus I do not have a test case here.
 [2021-08-17 13:06 UTC] nikic@php.net
-Status: Open +Status: Feedback
 [2021-08-17 13:06 UTC] nikic@php.net
op2_min <= op2_max is a general precondition. In additional, the check enforces !(op2_min <= 0 && op2_max >= 0), or equivalently op2_min > 0 || op2_max < 0.

If op2_min > 0 then also op2_max >= op2_min > 0. If op2_max < 0 then also op2_min <= op2_max < 0.

As such, neither op2_min or op2_max can be zero. Does that sound right?
 [2021-08-17 13:09 UTC] yguoaz at gmail dot com
-Status: Feedback +Status: Open
 [2021-08-17 13:09 UTC] yguoaz at gmail dot com
Thanks for the clarification. It is OK then.
 [2021-08-17 13:15 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2021-08-17 13:15 UTC] nikic@php.net
Closing per above comments.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue May 17 08:05:45 2022 UTC